Slashdot Mirror


Mouse That Scans Your Fingerprints

Pac writes: "The U-Match mouse has an embedded fingerprint scanning device. It is currently available only for Windows 9x/NT, but Biolink says it will have a Unix\Linux version by the end of the year and a Mac version in the beginning of 2001." I've been eyeballing finger scanners since I saw a nifty one that worked through PAM at a tradeshow one time: I still think it'd be very convenient if it worked, but I'm very skeptical that something like this could gain widespread acceptance.

2 of 90 comments

  1. Not so clever by XNormal · · Score: 4

    AFAIK, all fingerprint verifiers use a reduced set of extracted features for comparison. This is the first one I see that tries to claim it's a privacy feature - it's simply how it works. Give a marketroid a bunch of technical details and he'll always find a way to present them as features.

    Biometric systems should always assume that the fingerprint, iris scan, etc. is not a secret and is known to the attacker. Your password can only be considered secret because you can change it.

    To have any meaningful security a biometric system must have a trusted reader and a secure path from the reader to the verifier.

    Two examples:

    1. The verifier is inside the reader. Your private key is embedded into a tamper-resistant device and a fingerprint is required to perform a private key operation (signing, decryption).

    2. The verifier is in a secure remote server, but communication between the reader and the verifier is cryptographically protected. The reader should sign the scan and also use a timestamp or challenge/response system to prevent replay attacks. Each reader would have a separate signing key so they can be revoked, if necessary. Even the best tamper resistance cannot be trusted with a global reader signing key that results in catastrophic failure if it is compromised.

    Suggested protocol:

    Before being used for the first time the readers are connected to the verification server for initialization. The server generates random keys and sends them to the readers. These keys cannot be read back from the reader, only overwritten.

    For authentication, the client first asks the verification server for a challenge. It sends the challenge into the reader which calculates a hash of the biometric scan, reader signing key and the challenge. This hash is sent to the server along with the biometric scan for verification.

    The reader key should be kept in battery backed static RAM rather than EEPROM. This makes it easier to self-destruct in case a tampering attempt is detected. To prevent the value from permanently affecting the memory cells via ion migration or similar phenomena it could be cycled continuously.

    The key database on the server is a single point of failure - but the server is probably the same resource you are trying to protect anyway. It would still be nice to make the key database less vulnerable by using asymmetric cryptography - a key pair is generated during initialization and only the public key is stored on the server.

    The Sony fingerprint scanner (also featured on slashdot recently) appears to implement #1. Does anyone know of a system similar to #2?

    ----

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
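
The challenge/response exchange from the "Suggested protocol" in the comment above, as an added example that is not part of the original comment or any vendor's code. It assumes HMAC-SHA256 as the keyed hash and a symmetric per-reader key; the class names, reader ID and scan bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Reader:
    """Reader model: the key can be overwritten, never read back."""

    def __init__(self, reader_id):
        self.reader_id, self._key = reader_id, None

    def load_key(self, key):  # initialization step: overwrite only
        self._key = key

    def respond(self, challenge, scan):
        # HMAC-SHA256 is this example's choice of keyed hash over challenge + scan
        return hmac.new(self._key, challenge + scan, hashlib.sha256).digest()


class Verifier:
    def __init__(self):
        self.keys, self.pending = {}, {}  # per-reader keys, outstanding challenges

    def enroll(self, reader):
        self.keys[reader.reader_id] = key = secrets.token_bytes(32)
        reader.load_key(key)

    def revoke(self, reader_id):  # one reader's key, not a global one
        self.keys.pop(reader_id, None)

    def challenge(self, reader_id):
        self.pending[reader_id] = nonce = secrets.token_bytes(16)
        return nonce

    def verify(self, reader_id, scan, tag):
        nonce = self.pending.pop(reader_id, None)  # single use defeats replay
        key = self.keys.get(reader_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + scan, hashlib.sha256).digest()
        # Matching `scan` against the enrolled template would follow; omitted here.
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    server, reader = Verifier(), Reader("reader-01")  # constructed names
    server.enroll(reader)
    scan = b"constructed-scan"
    tag = reader.respond(server.challenge("reader-01"), scan)
    print(server.verify("reader-01", scan, tag), server.verify("reader-01", scan, tag))
```

The second `verify` call replays the same scan and tag and is rejected because the challenge was consumed by the first call.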
  2. This is a first... by MostlyHarmless · · Score: 4

    and I don't mean first post.

    Look closely at the text. It says that there will be a Unix/Linux version at the end of the year, but the Mac version will not come until 2001.

    This is rare right now, but I suspect that we will see a lot more of this happening. As Linux (and to a lesser extent, BSD[*]) grows, we will see much greater acceptance of Linux as an alternative platform at equal or greater standing relative to the Mac.

    [*] Nothing against the technical merits of BSD; they just have a smaller market share at the moment, thus having a lesser effect as an alternative OS.

    --
    Friends don't let friends misuse the subjunctive.