12

Storing passwords is a no-brainer: use a password hasher. But...

How do you proceed to store fingerprints securely on your server? Meaning that even if your server and all its data is stolen, someone cannot retrieve the fingerprints.

From what I understand, the picture of your fingerprint that the scanner gets is always different from one time to another, and to verify that you are the owner, they simply verify that the fingerprint matches with a good enough percentage. So, it's not possible to do a direct password hash of the image the scanner gives you and compare it with the one in the database.

Is there some kind of pre-processing to extract some data that "never" change even if the whole scan change a little bit each time you scan your finger?

Related link: http://www.extremetech.com/mobile/211985-htc-caught-storing-fingerprint-data-in-unencrypted-plain-text

Gudradain
  • I'm not sure why you would need to store the fingerprint on the server. Wouldn't it be better to securely store the fingerprint on the client-side, and decrypt it whenever the image analysis needed to take place? – RoraΖ Aug 11 '15 at 14:06
  • One thing that comes to mind is homomorphic encryption, which fully encrypts data but allows for calculation to be carried out in the ciphertext. Although too slow for use today, it could very well be possible. https://en.m.wikipedia.org/wiki/Homomorphic_encryption – Alex Aug 11 '15 at 21:00
  • As mentioned by @raz, such information should never be sent anywhere. It should be stored locally on the client side. Apple, for example, uses encryption on a "mathematical representation of the fingerprint" (hash?) on the device, stored on a separate memory not directly reachable by either the main memory or iOS itself. https://support.apple.com/en-us/HT204587 – Alex Aug 11 '15 at 21:06

2 Answers

6

In fact, there is some research addressing the problem. We should acknowledge the fact that storing fingerprint info at the client side (as suggested by others) might not be a viable solution in specific cases. It might be OK for a cell phone, but insufficient for an enterprise or distributed service.

There are (non-cryptographic) hash functions which can create the same hash for similar input. This is called Locality-Sensitive Hashing (LSH) and is extensively used in search algorithms. These functions can "reduce the differences occurring between similar data with high probability, whereas distant data should remain significantly remote." Then you may try to crypto-hash the LSH for a more error-tolerant result. You may combine this with a Bloom filter as described in this 2009 article, which I warmly suggest you read if you are interested in the topic. Unfortunately I'm not aware of any existing implementation of the method described there.

In summary, the answer is that you can do this with fault-tolerant encryption methods (like above), but if you are short of time you might be better off with a separate, dedicated secure provider for fingerprint-UID conversion (with a machine gunner sitting on it).

goteguru
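
The "LSH, then crypto-hash it" idea from the answer above, as an added worked example (my own construction for this page, not the answerer's code and not the method of the cited article): a constructed minutiae list is quantised into coarse tokens, reduced with MinHash so that two scans of the same finger agree on most signature slots, and the signature is split into bands that are HMAC'd with a server-side key. Only the band digests are stored; verification is an exact lookup that succeeds when any band recomputed from a fresh scan matches. The function names, the quantisation constants and the HMAC message layout are assumptions, and the minutiae are generated, not real scanner output.

```python
"""Error-tolerant verification of fingerprint feature sets on a server.

Added example, not from the original page: minutiae -> quantised tokens
-> MinHash LSH -> banded, keyed SHA-256 digests. The server stores only
the digests, so a fresh scan that differs slightly still matches while
the raw template is never stored. All feature data below is constructed.
"""
import hashlib
import hmac
import random

CELL = 16          # spatial quantisation step in pixels (assumed value)
ANGLE_BIN = 45     # ridge-orientation bin width in degrees (assumed value)
N_HASHES = 48      # MinHash signature length
BAND_ROWS = 4      # slots per band -> 12 bands; tune for the error rates you accept


def tokens_from_minutiae(minutiae):
    """Quantise (x, y, angle) minutiae into coarse tokens so that small
    measurement noise maps to the same token. Hypothetical pre-processing;
    a real system would use a proper minutiae extractor."""
    return {f"{x // CELL}:{y // CELL}:{(theta % 360) // ANGLE_BIN}"
            for x, y, theta in minutiae}


def _h(i, token):
    """i-th MinHash function: 64-bit prefix of SHA-256 over the indexed token."""
    return int.from_bytes(hashlib.sha256(f"{i}|{token}".encode()).digest()[:8], "big")


def minhash(tokens):
    """Signature whose i-th slot is the minimum of hash_i over the set.
    For two sets, P[slot i equal] equals their Jaccard similarity."""
    return [min(_h(i, t) for t in tokens) for i in range(N_HASHES)]


def band_digests(signature, key, user_id):
    """Split the signature into bands and HMAC each band with a server secret
    bound to the user and band index. Without the key the digests reveal
    nothing about the signature; with it, an exact match on ANY band means
    the two scans were similar with high probability (the LSH candidate rule)."""
    out = set()
    for b in range(0, N_HASHES, BAND_ROWS):
        band = b"".join(v.to_bytes(8, "big") for v in signature[b:b + BAND_ROWS])
        msg = user_id.encode() + b"|" + bytes([b // BAND_ROWS]) + b"|" + band
        out.add(hmac.new(key, msg, hashlib.sha256).hexdigest())
    return out


def enroll(minutiae, key, user_id):
    """What the server stores for a user: the set of band digests only."""
    return band_digests(minhash(tokens_from_minutiae(minutiae)), key, user_id)


def verify(stored_digests, minutiae, key, user_id):
    """Accept if at least one band digest from the fresh scan was enrolled."""
    fresh = band_digests(minhash(tokens_from_minutiae(minutiae)), key, user_id)
    return not stored_digests.isdisjoint(fresh)


def jaccard(a, b):
    """Set similarity the MinHash signature estimates; shown for insight only."""
    return len(a & b) / len(a | b)


# --- constructed sample data (not real fingerprints) ----------------------
_rng = random.Random(2009)
SERVER_KEY = b"server-side secret: keep it in an HSM, not beside the digests"


def fake_scan(rng, n=30):
    """n random (x, y, angle) minutiae on a 256x256 sensor; constructed data."""
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(360)) for _ in range(n)]


ALICE_ENROLL = fake_scan(_rng)
# Second scan of the same finger: two minutiae missed, one spurious one added.
ALICE_AGAIN = ALICE_ENROLL[2:] + fake_scan(_rng, 1)
BOB = fake_scan(_rng)

if __name__ == "__main__":
    stored = enroll(ALICE_ENROLL, SERVER_KEY, "alice")
    print("digests stored per user:", len(stored))
    print("alice, second scan    :", verify(stored, ALICE_AGAIN, SERVER_KEY, "alice"))
    print("bob claiming to be alice:", verify(stored, BOB, SERVER_KEY, "alice"))
    print("token Jaccard alice/alice':",
          round(jaccard(tokens_from_minutiae(ALICE_ENROLL), tokens_from_minutiae(ALICE_AGAIN)), 2))
```

With 12 bands of 4 slots, two scans whose token sets have Jaccard similarity J share a given band with probability J^4, so a second scan at J ≈ 0.9 matches almost surely while an unrelated finger (J near 0) practically never does; the band count and width are the knobs for false accept versus false reject. The digests alone are useless to whoever steals the database, which is why the HMAC key must live somewhere else (an HSM or a separate service). The caveat a practitioner should keep in mind is that this is still a biometric template, not a password hash: an attacker who obtains both the key and the database can test candidate feature sets offline, and the quantised feature space is far smaller than a decent password space, so the error tolerance is bought with a weaker offline-guessing bound than a password hasher gives.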
6

You cannot securely store a fingerprint template on a server. The templates are subject to attack. The attempts to address those attacks have not found a balance similar to those for passwords. The leading research lab trying to change that is at Michigan State, http://biometrics.cse.msu.edu/pubs/secure_biometrics.html

Also, if you're reading fingerprints remotely, you're subject to attacks on the hardware, gummy bear attacks, etc. So you don't get the security you want, and the person being authenticated can't use a different authenticator per system.

Adam Shostack