Slashdot Mirror


Hashing Out the Next Step in Biometric Security

ergo98 writes "CNN is running a story about biometric hashing. Using this technique, biometric inputs (such as facial characteristics) are altered based upon individual characteristics in a hopefully one-way process. The goal is to continue to reduce the risk of a back-end data exposure."

9 of 117 comments

  1. Compromises? by Poromenos1 · · Score: 5, Insightful

    I don't like this. Say that someone discovers the "password" (the hash), then you're done. You can't change it (unless you grow a moustache). Same goes with fingerprints, etc. I think a password (passphrase) is much more practical.

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
    1. Re:Compromises? by Doug+Coulter · · Score: 5, Insightful

      Bruce Schneier (counterpane.com) has published on and linked to a lot of other publications on the implications of biometrics, and how easy they are in general to steal. Can't just change your password, you've only got 10 fingers (I hope!) and so on. The whole thing is a very bad idea, and most extant schemes are trivially cracked no matter how "secure" the backend. Pictures of retinas/faces have worked, lifted fingerprints translated to gummy silicone have worked, and so forth. No fancy skillz needed to get past any existing system.

    2. Re:Compromises? by Afrosheen · · Score: 4, Interesting

      Try this one on for size. It's my little gift to the biometric community.

        In many protocols, when a session is initiated, the beginning of the transaction includes a handshake. One side says hello are you there, the other replies yes I'm here and the session continues.

        Why not make an actual, physical handshake verifier? I'm sure most people are consistent with their real handshakes, and there are a wide variety of measurable parameters a handshake can provide. For example, when shaking someone's hand, you apply very specific pressure, grip a particular way that spreads pressure to consistent points on your buddy's hand, hand temperature (which can vary depending on a number of factors but we're talking average), hand placement, duration and motion of the shake, etc. You could take it one step further and teach your employees and the system some jive handshakes that involve many steps. The admin could have the most intricate handshake of all.

        The beauty to all this is that handshakes tend to be very personal and never given out. How could someone hack or even learn a secret handshake? It'd be pretty damn hard to do and even harder to replicate once you figured out the sequence due to pressure and duration, etc.

        Schneier should give this one some thought. All you really need is a rubber jointed hand sticking out of the wall (or hidden inside it, retractable) that feels appropriately like a real human hand. Ask the RealDoll people for advice on this. Load it up with sensors and start training it.

  2. Please sit here to confirm your identity. by mikeophile · · Score: 4, Funny

    The goal is to continue to reduce the risk of a back-end data exposure.
    Surely you didn't think that photocopying your ass wouldn't get patented, did you.

  3. The executives of my firm by Anonymous Coward · · Score: 5, Funny

    are reluctant to adopt biometrics because they're afraid a crook will rip out their eyes.
    Seriously.
    They cited Demolition Man.
    For real.

  4. One Way Process by buckhead_buddy · · Score: 4, Funny

    Using this technique, biometric inputs (such as facial characteristics) are altered based upon individual characteristics in a hopefully one-way process.

    Let's hope it's a one-way process. I don't trust any computer to alter my facial characteristics.

  5. Process schmocess by GillBates0 · · Score: 4, Funny

    ...facial characteristics are altered based upon individual characteristics in a hopefully one-way process.

    Heck, they need billion dollar research grants to figure out these "techniques"? Bubba, Sparky and his pals downtown would irreversibly alter an individual's facial characteristics given $100.00, 10 minutes and enough motivation.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam

  6. Biometric Encryption by bitkid · · Score: 4, Informative

    That sounds pretty old. Ever heard of Biometric encryption? The idea is to use a one-way hash on the biometrics, but also accounting for the fuzziness in the reading. If the readings match, then the same hash comes out. Otherwise something random. See here...
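
Added example, not part of the original thread or any poster's code: a toy fuzzy commitment in Python showing the behaviour the comment above describes, where noisy readings from the same source yield the same hash and a different reading does not. The 5x repetition code, the 40-bit readings and every name here are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

REP = 5  # toy repetition code: majority vote absorbs up to 2 bit flips per group

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def digest(key_bits):
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def enroll(reading, key_bits=None):
    """Store only helper data and a hash of a random key, never the reading."""
    if key_bits is None:
        key_bits = [secrets.randbelow(2) for _ in range(len(reading) // REP)]
    helper = [c ^ r for c, r in zip(encode(key_bits), reading)]
    return {"helper": helper, "hash": digest(key_bits)}

def verify(record, reading):
    """Unmask the codeword with a fresh reading, correct errors, compare hashes."""
    noisy = [h ^ r for h, r in zip(record["helper"], reading)]
    return hmac.compare_digest(digest(decode(noisy)), record["hash"])

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample data: a 40-bit quantised feature vector (8 groups of 5).
ENROLLED = [1, 0, 1, 1, 0,  0, 1, 0, 0, 1,  1, 1, 0, 1, 0,  0, 0, 1, 1, 0,
            1, 0, 0, 1, 1,  0, 1, 1, 0, 0,  1, 1, 1, 0, 0,  0, 1, 0, 1, 1]
SAME_PERSON = flip(ENROLLED, {0, 3, 12, 38})    # a few bits of sensor noise
OTHER_PERSON = flip(ENROLLED, set(range(20)))   # differs in 20 of 40 bits

if __name__ == "__main__":
    record = enroll(ENROLLED)
    print("same person:", verify(record, SAME_PERSON))
    print("other person:", verify(record, OTHER_PERSON))
```

Calling `enroll` again on the same reading draws a new random key, so the stored record changes even though the reading does not. A repetition code this short is only for illustration.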

  7. More Misdirection from the Biometric Community by tiny69 · · Score: 4, Informative

    Biometrics is one mechanism for authentication. The three mechanisms for authentication are generally grouped into something you know (password), something you have (swipe card), and something you are (biometrics). If either of the first two becomes compromised, they can be changed. Biometric features on your body cannot be changed. This is the major flaw behind biometrics. So the biometric community periodically plays games with the data on the backend hoping to misdirect the users away from the major flaw. "See, we hash your data, so it's secure...."

    A story that is still relevant whenever biometrics is brought up:

    http://www.hindustantimes.com/news/7242_1301216,00 180008.htm

    --
    Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)