[4942] in cryptography@c2.net mail archive


Re: personal encryption? (fwd)

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Jun 23 12:25:33 1999

Date: Wed, 23 Jun 1999 01:56:59 -0700
To: cryptography@c2.net
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <199906222039.AA14823@world.std.com>

At 04:39 PM 6/22/99 -0400, Dan Geer wrote:
>1. quoting Schneier verbatim, "BIOMETRICS ARE NOT SECRETS"
>2. for the ordinary Joe, never underestimate the lure of convenience

Yup.  Once your biometric gets into any database, it becomes possible
for people to fake the data stream out of the biometric-measurer.

Fingerprints can sometimes be faked using plastic finger covers,
but it's often easier to swap a fingerprint reader with
a device that sends the computer the same message the
fingerprint-reader would - especially if someone uses one of those
$200 serial-port-connected readers whose manufacturer wants them
to be ubiquitous.
It's somewhat more secure if the reader is an active communication device
that's doing some kind of challenge-handshake on the processed biometric,
or at least doing a public-key signature on the processed biometric.
I remember reading once that fingerprints have about 32 bits of entropy;
not sure if that's for one finger or each one.  Eyeballs probably have more.
But even swapping that eyeball-reading laser may just be sleight of hand...
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
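
The challenge-handshake idea in the message above, as an added example that is not part of the original post: a host that issues a fresh nonce and checks a MAC over nonce plus processed biometric rejects a recorded reader message, while a passive reader's fixed byte stream is accepted every time. The shared-key HMAC, the names `Host` and `reader_respond`, and all values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values; a real matcher is fuzzy, exact equality stands in for it.
KEY = secrets.token_bytes(32)            # hypothetical key shared by reader and host
TEMPLATE = b"constructed-processed-biometric"


def reader_respond(key, nonce, template):
    """Active reader: MAC the processed biometric together with the host's nonce."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


class Host:
    def __init__(self, key, enrolled):
        self._key, self._enrolled = key, enrolled
        self._outstanding = set()        # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify_static(self, template):
        # Passive reader: identical bytes every login, so a recording also passes.
        return hmac.compare_digest(template, self._enrolled)

    def verify(self, nonce, template, tag):
        if nonce not in self._outstanding:
            return False                 # unknown or already-answered challenge
        self._outstanding.discard(nonce) # each challenge is good for one answer
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        fresh = hmac.compare_digest(tag, expected)
        return fresh and hmac.compare_digest(template, self._enrolled)


def demo():
    host = Host(KEY, TEMPLATE)
    n1 = host.challenge()
    tag1 = reader_respond(KEY, n1, TEMPLATE)
    genuine = host.verify(n1, TEMPLATE, tag1)     # reader answers its challenge
    n2 = host.challenge()
    replayed = host.verify(n2, TEMPLATE, tag1)    # recorded answer, new challenge
    reused = host.verify(n1, TEMPLATE, tag1)      # same challenge offered twice
    return genuine, replayed, reused, host.verify_static(TEMPLATE)
```

The check only holds while the key stays inside the reader; a public-key signature over the same nonce and template would remove the shared secret from the host side.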

