fingerprint readers

Posted by Richard on February 19, 2007, 10:57 pm
At the risk of being laughed/flamed into oblivion...        

I KNOW the documentation with MS Digital Persona fingerprint reader sez
"Don't use for security purposes", BUT if I am using TrueCrypt, and an
adequate strong password, then utilize the fingerprint reader in place
of the typed password, how secure is my TrueCrypt file?

(I can use EITHER the typed in password or use my finger on the reader.)

Thanks for your time...

Posted by Ertugrul Soeylemez on February 20, 2007, 1:48 am

> At the risk of being laughed/flamed into oblivion...
>
> I KNOW the documentation with MS Digital Persona fingerprint reader
> sez "Don't use for security purposes", BUT if I am using TrueCrypt,
> and an adequate strong password, then utilize the fingerprint reader
> in place of the typed password, how secure is my TrueCrypt file?
>
> (I can use EITHER the typed in password or use my finger on the
> reader.)

Less secure than a protection with a password only. The reason is
fairly simple: Now there is not only a single gate to the file, but
two. And how would you implement that? The file is encrypted only
once, so both the password _and_ the fingerprint reveal the key to it.
Where is it and how is it secured in such a case?

BTW, fingerprints aren't hard to reproduce.


Regards,
E.S.

Posted by Juergen Nieveler on February 20, 2007, 4:42 am

> I KNOW the documentation with MS Digital Persona fingerprint reader sez
> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
> adequate strong password, then utilize the fingerprint reader in place
> of the typed password, how secure is my TrueCrypt file?

Far less secure than with just the password. The fingerprint reader is
just a convenience tool that removes the need to type...

Remember, all the fingerprint reader checks is whether something that
looks like your fingerprint is visible to the little camera inside. And
something that looks like your fingerprint can easily be created by
using the sample fingerprints you leave on everything you touch :-)

Juergen Nieveler
--
MCSE: Minesweeper Consultant and Solitaire Expert.

Posted by Richard on February 22, 2007, 2:48 am
Juergen Nieveler wrote:
>
>> I KNOW the documentation with MS Digital Persona fingerprint reader sez
>> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
>> adequate strong password, then utilize the fingerprint reader in place
>> of the typed password, how secure is my TrueCrypt file?
>
> Far less secure than with just the password. The fingerprint reader is
> just a convenience tool that removes the need to type...
>
> Remember, all the fingerprint reader checks is whether something that
> looks like your fingerprint is visible to the little camera inside. And
> something that looks like your fingerprint can easily be created by
> using the sample fingerprints you leave on everything you touch :-)
>
> Juergen Nieveler

OK, thanks all, but-

I guess my real question is how does whatever the fingerprint reader
generates compare to, say, a "properly constructed" 25 character typed
password? I'm not DOD or hi-tech research, just a working shmuck that
needs to keep an opportunistic, and generally lazy, thief from accessing
key personal or transaction information of mine or my clients.

The potential value of the information to a thief would be either A)
absolutely unknown, or B) reasonably expected to be limited to the value
of personal ID info for unknown number of individuals, or possibly one
or more specific individuals, therefore it would seem attack resources
would be fairly limited.

My thinking is that if a specific file, or (scenario #2) possibly the
entire hard drive is encrypted, AND you need to either utilize internet
accessible cracking software to brute force the 25 character password OR
the string generated by the reader, OR be smart enough and have the
proper equipment and time to find the single fingerprint needed to
match, I have a more than reasonable expectation that the info is,
realistically, not at risk.


What say you?

Posted by Ertugrul Soeylemez on February 22, 2007, 3:14 am

> I guess my real question is how does whatever the fingerprint reader
> generates compare to, say, a "properly constructed" 25 character typed
> password?

Fingerprints don't even provide near the same level of security. Just
as a foretaste: Imagine you put your finger in, and it doesn't open.
Better: Imagine a thief does the same, and it does open. Biometric
systems are just too unpredictable currently.


> My thinking is that if a specific file, or (scenario #2) possibly the
> entire hard drive is encrypted, AND you need to either utilize
> internet accessible cracking software to brute force the 25 character
> password ...

If the password contains enough entropy (i.e. it's randomly chosen and
doesn't have any relation to its owner), a brute-force attack against a
25 character password is totally impractical, even if it contains only
digits, in which case you would on average need about

158440439070.14 = 10^25 / (60^2 * 24 * 365.25 * 10^6) / 2

years to break it, if you can check 1000000 passwords per second.


> OR the string generated by the reader, OR be smart enough and have the
> proper equipment and time to find the single fingerprint needed to
> match, I have a more than reasonable expectation that the info is,
> realistically, not at risk.

You're talking about a string, which is generated from the fingerprint,
and sent to the authenticator to check against a saved value. I thought
about a neural network based scanner, but if it's really that simple,
this scheme cannot be secure.

Consider the following: It has to generate exactly the same value for
the same finger all the time. If it doesn't, authentication fails. So
the granularity of the scanner must be _very_ low. In other words:
There aren't many possible strings. I would expect such a system to
have an entropy equivalent to that of a password with four or five
characters (for real fingers).


Regards,
E.S.
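
The "two gates" point and the brute-force arithmetic from the replies above, as an added example that is not part of the original thread: a toy key-slot model in which one master key is wrapped under two alternative secrets, so the weaker secret sets the strength of the whole volume. This is not TrueCrypt's or the reader software's actual design; the XOR/HMAC wrapping, the sample secrets and the 95-character alphabet for the "five character" estimate are assumptions made for illustration.

```python
import hashlib, hmac, math, os

SECONDS_PER_YEAR = 60**2 * 24 * 365.25        # as in the formula quoted in the thread

def expected_years(keyspace, guesses_per_second=10**6):
    """Average exhaustive-search time: half the keyspace gets tried."""
    return keyspace / (SECONDS_PER_YEAR * guesses_per_second) / 2

def _kek(secret, salt):
    # Key-encryption key derived from one unlock secret (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 1000, dklen=64)

def wrap(master_key, secret):
    """Toy key slot: master key XORed with a derived pad, plus an HMAC check tag."""
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(master_key, kek[:32]))
    return salt, ct, hmac.new(kek[32:], ct, "sha256").digest()

def unwrap(slot, secret):
    """Return the master key if this secret opens the slot, else None."""
    salt, ct, tag = slot
    kek = _kek(secret, salt)
    if not hmac.compare_digest(tag, hmac.new(kek[32:], ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, kek[:32]))

# Constructed sample secrets and keyspace sizes (assumptions, not reader output).
PASSWORD = b"4819203755610927348865012"        # 25 random digits -> 10**25
READER_STRING = b"q7#Lk"                        # 5 printable ASCII chars -> 95**5
KEYSPACES = {"password": 10**25, "reader": 95**5}

def build_volume():
    """One master key, two slots: either secret alone recovers the same key."""
    master = os.urandom(32)
    return master, {"password": wrap(master, PASSWORD), "reader": wrap(master, READER_STRING)}

def weakest_slot(keyspaces):
    """Slots are alternatives (OR), so the smallest keyspace sets the real strength."""
    name = min(keyspaces, key=keyspaces.get)
    return name, math.log2(keyspaces[name]), expected_years(keyspaces[name])

if __name__ == "__main__":
    master, slots = build_volume()
    assert unwrap(slots["password"], PASSWORD) == unwrap(slots["reader"], READER_STRING) == master
    print("password slot: %.1f bits, %.2f years" % (math.log2(10**25), expected_years(10**25)))
    print("weakest slot:  %s, %.1f bits, %.2e years" % weakest_slot(KEYSPACES))
```

Under these assumptions the password slot alone matches the figure in the reply, while the volume as a whole is only as strong as the roughly 33-bit reader slot.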
