[120725] in cryptography@c2.net mail archive
Re: Levels of security according to the easiness to steal biometric data
daemon@ATHENA.MIT.EDU (Philipp Gühring)
Wed Apr 16 11:01:18 2008
From: Philipp Gühring <pg@futureware.at>
To: danilo@pmf.ukim.edu.mk
In-Reply-To: <555200.58888.qm@web50203.mail.re2.yahoo.com>
Cc: cryptography@metzdowd.com
Date: Wed, 2 Apr 2008 18:46:44 +0200
X-MDaemon-Deliver-To: cryptography@metzdowd.com
Hi,
> QUESTION: Does anybody know about the existence of a
> security research in area of grading the easiness to
> steal biometric data.
There are several relevant threats:
* Accidental leaking of the biometric data (colour-photos for face, fingerprints
on glasses for fingers, public documents for human signature)
* Intentional stealing of biometric data (cellphone cameras, hidden
cameras, ...)
> For example, I guess that stealing information of
> someone's "face" is easier than stealing information
> about someone's "fingerprints",
Depends.
Stealing fingerprints is easy if you hand the target person a glass of water.
With "face" you have to differentiate between the different kinds of faces.
Taking colour photos of faces is easy. Taking infrared photos of faces, or
taking 3D scans of faces, ... is much harder.
> but stealing information about someone's "retina"
> would be much harder.
Yes, stealing retina is harder. (It's even harder in the normal usage ...)
> Such a scale can be useful in the design of secure
> protocols and secured information systems.
Yes. Choosing the right biometrics for the right application, implementing it
correctly and educating/training the users properly can be challenging.
But in the end, you can steal any biometric data if you really want to.
(Take a look at the film Gattaca to see how this can be done in practice.
I didn't notice any technically really unrealistic things in the film
Gattaca.)
Another important question is whether you can apply a faked/copied biometric
at a certain place. It could be difficult to mount an attack with a full face
mask at a guarded entrypoint. But applying fake fingerprints is far less
noticeable for guards.
(It might be easy to steal the face, but you can't apply it due to all entries
being guarded)
Tamper evidence, Tamper protection, Tamper proof, Tamper resistance ...
As usual, it depends on your threat-models, on your environment, on your
resources, on your enemies, ...
Best regards,
Philipp Gühring
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com