
List:       cryptography
Subject:    Re: personal encryption? (fwd)
From:       Bill Stewart <bill.stewart () pobox ! com>
Date:       1999-06-23 8:56:59

At 04:39 PM 6/22/99 -0400, Dan Geer wrote:
>1. quoting Schneier verbatim, "BIOMETRICS ARE NOT SECRETS"
>2. for the ordinary Joe, never underestimate the lure of convenience

Yup.  Once your biometric gets into any database, it becomes possible
for people to fake the data stream out of the biometric-measurer.

Fingerprints can sometimes be faked using plastic finger covers,
but it's often easier to swap a fingerprint reader with a device that
sends the computer the same message the fingerprint-reader would -
especially if someone uses one of those $200 serial-port-connected
readers whose manufacturer wants them to be ubiquitous.
It's somewhat more secure if the reader is an active communication device
that's doing some kind of challenge-handshake on the processed biometric,
or at least doing a public-key signature on the processed biometric.
I remember reading once that fingerprints have about 32 bits of entropy;
not sure if that's for one finger or each one.  Eyeballs probably have more.
But even swapping that eyeball-reading laser may just be sleight of hand...
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
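
Added example, not part of the original message: a sketch of the difference the message describes between a passive reader, whose recorded output verifies again when replayed, and an active reader that answers a fresh challenge. It assumes an HMAC under a shared device key in place of the public-key signature mentioned above, and exact-match templates; all names and data are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a stand-in for the reader's processed biometric.
TEMPLATE = b"constructed-minutiae-template"
DEVICE_KEY = secrets.token_bytes(32)  # assumption: provisioned into reader and host

class Reader:
    """Active reader: binds each response to the host's fresh challenge."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge, template):
        tag = hmac.new(self._key, challenge + template, hashlib.sha256).digest()
        return template, tag

class Host:
    def __init__(self, key, enrolled):
        self._key = key
        self._enrolled = enrolled
        self._pending = None

    def passive_accept(self, template):
        # Passive serial reader: the host only sees bytes, so any device
        # that repeats a recorded message is indistinguishable from the reader.
        return hmac.compare_digest(template, self._enrolled)

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def active_accept(self, template, tag):
        challenge, self._pending = self._pending, None  # each challenge is single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge + template, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and hmac.compare_digest(template, self._enrolled)

def demo():
    reader, host = Reader(DEVICE_KEY), Host(DEVICE_KEY, TEMPLATE)
    recorded = reader.respond(host.new_challenge(), TEMPLATE)
    first = host.active_accept(*recorded)      # genuine exchange
    host.new_challenge()
    replayed = host.active_accept(*recorded)   # same message against a new challenge
    return {"passive_replay": host.passive_accept(recorded[0]),
            "active_genuine": first, "active_replay": replayed}
```

The challenge only protects the link between reader and host; it still depends on the key staying inside the reader.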
