Slashdot Mirror


Hashing Out the Next Step in Biometric Security

ergo98 writes "CNN is running a story about biometric hashing. Using this technique, biometric inputs (such as facial characteristics) are altered based upon individual characteristics in a hopefully one-way process. The goal is to continue to reduce the risk of a back-end data exposure."

8 of 117 comments

  1. Re:Compromises? by Poromenos1 · Score: 2, Interesting

    Hmm, this appears to be a kind of salt applied to the picture so they can change it if the hash gets stolen. But then, why not just apply the salt to the hash (like normal md5 salts), and just change the salt when it's stolen? The salts (like the minutia points) would be stored somewhere and the attacker couldn't use the same salt if you changed yours.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  2. DNA Hashes by Crixus · Score: 3, Interesting

    It seems like DNA already is a fairly unique method of hashing.

    This actually seems easy to do. Combining various biological inputs to derive a unique identifier.

    It doesn't seem like a GOOD idea quite yet, but it certainly seems like something that companies will pursue since I'm sure there are people willing to pay money for it.

    --
    Ignore Alien Orders
  3. Re:Compromises? by mikiN · Score: 3, Interesting

    It would be better if a biometric identification could combine several characteristics together in such a way that only a (complete) living person could provide them, for example:
    - iris ID combined with testing of the accommodation reflex, to make sure a real, functioning eye is looking at the camera.
    - fingerprinting combined with infrared scanning, to verify that an unaltered living finger is used.
    - voiceprinting of unique and varying phrases to eliminate recordings.
    and so on.

    --
    The Hacker's Guide To The Kernel: Don't panic()!
  4. Re:Compromises? by yesteraeon · Score: 1, Interesting

    This system is quite a bit harder to fake than a simple fingerprint. It couldn't be lifted off a doorknob or the like. As an added plus, it can tell the difference between an attached living hand and one that's been separated from its owner.

  5. Re:Compromises? by Afrosheen · Score: 4, Interesting

    Try this one on for size. It's my little gift to the biometric community.

      In many protocols, when a session is initiated, the beginning of the transaction includes a handshake. One side says hello are you there, the other replies yes I'm here and the session continues.

      Why not make an actual, physical handshake verifier? I'm sure most people are consistent with their real handshakes, and there are a wide variety of measurable parameters a handshake can provide. For example, when shaking someone's hand, you apply very specific pressure, grip a particular way that spreads pressure to consistent points on your buddy's hand, hand temperature (which can vary depending on a number of factors but we're talking average), hand placement, duration and motion of the shake, etc. You could take it one step further and teach your employees and the system some jive handshakes that involve many steps. The admin could have the most intricate handshake of all.

      The beauty to all this is that handshakes tend to be very personal and never given out. How could someone hack or even learn a secret handshake? It'd be pretty damn hard to do and even harder to replicate once you figured out the sequence due to pressure and duration, etc.

      Schneier should give this one some thought. All you really need is a rubber jointed hand sticking out of the wall (or hidden inside it, retractable) that feels appropriately like a real human hand. Ask the RealDoll people for advice on this. Load it up with sensors and start training it.

  6. Re:Nothing is one way. by ampathee · Score: 2, Interesting

    Dude.. MD5 (or any hash) maps an INFINITE space to a FINITE space!

    Think about it: it's basically a check-sum.

    Example: I'm thinking of 10 numbers from 0 to 255 inclusive. The sum of those numbers modulo 256 is 123. Now tell me what those numbers are, in the same order that I was thinking of.

    "some possible duplications" indeed :P

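The checksum puzzle in the comment above, worked through as an added example that is not part of the original thread: it counts how many ordered lists of ten values share the checksum 123, and shows that a matching list is easy to build even though the original cannot be recovered. The function names and the `SECRET` list are constructed for illustration.

```python
# Added illustration of the "sum modulo 256" argument; all names are hypothetical.
MOD = 256      # size of the checksum space
COUNT = 10     # how many numbers were "thought of"
TARGET = 123   # the published checksum

# Constructed sample standing in for the ten secret numbers.
SECRET = [200, 17, 3, 255, 90, 64, 8, 121, 45, 88]


def checksum(values):
    """Sum of the values modulo 256, as in the comment."""
    return sum(values) % MOD


def count_preimages(target, count=COUNT, mod=MOD):
    """Count ordered lists of `count` values in [0, mod) with this checksum."""
    # ways[r] = number of lists so far whose running sum is r (mod `mod`)
    ways = [0] * mod
    ways[0] = 1  # the empty list sums to 0
    for _ in range(count):
        nxt = [0] * mod
        for r, n in enumerate(ways):
            if n:
                for v in range(mod):
                    nxt[(r + v) % mod] += n
        ways = nxt
    return ways[target]


def matching_input(target, count=COUNT, mod=MOD):
    """Build one list that verifies against the checksum (not the original)."""
    return [target % mod] + [0] * (count - 1)


if __name__ == "__main__":
    n = count_preimages(TARGET)
    print("checksum of SECRET:", checksum(SECRET))
    print("lists with the same checksum:", n, "= 256**9:", n == MOD ** 9)
    forged = matching_input(TARGET)
    print("different list, same checksum:", forged, checksum(forged))
```

Every checksum value has exactly 256**9 candidate lists, so the original order cannot be recovered; with a plain checksum, though, producing some list that verifies is trivial, which is the property a cryptographic hash is designed to prevent.
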
  7. But will it be real "hashing"? by bcmm · Score: 2, Interesting

    In my school's library, they have a fingerprint scanner instead of library cards (which I still think is bizarre overkill and no better than cards for stopping theft).

    They gave me a sheet of paper to sign, with small print that most people probably ignore. As I was interested, I looked through to find out how they protect my information. It turns out that they store a "hash" of the fingerprint which cannot be used to recover the print except by a method which only certain people at the company which sold the system know.

    So rather than a real secure hash, my fingerprint is protected by security through obscurity. I suspect it's much more like weak encryption than a hash, and that anyone who was really interested could get my fingerprint out, if they had the library's software available to reverse engineer.

    There's very little motive in a school, but if this type of system spreads to offices or even banks, there are going to be real problems.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  8. Wouldn't life be so incredibly simpler... by Circlotron · Score: 2, Interesting

    ...if everyone everywhere was totally honest and always told the truth at all times? Now I fully realise that nobody is about to make this happen any time soon, and from that perspective I think it is interesting to note that with human institutions the more pervasive the influence and control they have over us the more they seem to be disposed toward lying. There is just *so* much stuff around us today that is necessary because so many are dishonest to a greater or lesser degree. If we all woke up one morning and this wasn't the case then I think it would take quite some getting used to.