Can I use a fingerprint scanner on my website?

Published 2024-10-02 17:49:30


Comments (6)

傲鸠 2024-10-09 17:49:31

Biometrics are a very bad way to do authentication for many reasons:

  1. They're essentially just a password that you can never change. (At least not without some serious pain!) With traditional password schemes, if your password gets stolen or guessed, you can at least change it. But if someone steals your fingerprint, now what are you going to do?
  2. Biometrics are not secret. Every time you touch something, you're leaving your password lying around. Every time your picture gets taken, your facial image / retinal image gets copied. Passwords have to remain secret to be useful.

  3. Like Borealid said, biometrics are never scanned exactly the same twice. So when you do matching, there has to be some kind of fudge factor in allowing input. This:

    1. Just makes it easier for attackers to copy your data and replay it, since they don't have to get an exact match. An attacker only has to get close to get accepted.

    2. It forces the authentication server to store your biometric info in plaintext. You can't hash biometric data like you can passwords, since then you'd have to match exactly with the hashed value.

So don't do it!

甜心 2024-10-09 17:49:31

You can't do what you want, exactly.

Fingerprints never exactly match. Even if you scan your own right index finger twice in a row, the scans won't be the same. So "hashing the fingerprint" won't work: two hashes of the same finger would be indistinguishable from two hashes of two different fingers (with a good, cryptographically strong hash).

Fingerprint readers work by storing some key onboard, and letting that key out if and only if the fingerprint given is close enough to what they expect. The fingerprint itself is not used to get direct access to anything outside the reader.

Sending the fingerprint as seen by the reader over the network is not acceptable. People are nervous about giving their prints to the police. You think they'll be OK giving them to you?

Also not acceptable is having the reader say "finger 2 is OK". This could be easily spoofed.

Instead, have your user use X.509 (SSL) client certificates to access your site. They may, if they wish, control access to their private key via the fingerprint reader.

EDIT: updating this answer. There is, now in the year 2014, a standard from the FIDO Alliance called "UAF" which allows sites to use fingerprint authentication in a way that works across different sites. Rumor has it Paypal is going to begin using it soon.

淡紫姑娘! 2024-10-09 17:49:31

Biometry for remote authentication is never secure. You can't know if a real finger with that fingerprint is in a reader, or if the user only sends you an image. So a fingerprint just becomes a password the user can never change, which is the same for every service you log in to, and which is left on every object the user touches.

Biometry can only work for local authentication where you trust the reader not to be hacked (i.e. you have physical control over the reader) and the reader can distinguish a real finger/eye/... from a fake one. Which most can't.

It is possible to create a one-way hash of a fingerprint. You first have to extract a number of observables, just like you might do for a fuzzy match. But since you need an exact match for a hash, you need to throw error codes at the values you extracted, which then can correct the minor differences on each measurement. It's not easy to code and it doesn't fix the fundamental problems listed above, but it should be possible.

2024-10-09 17:49:31

So you want to use a local authentication mechanism to authenticate a remote resource? There are many issues here to suggest this would not be a smart choice. E.g., how does the web app know the hash belongs to the original user and not someone who has a duplicate?

What I would suggest instead is to go the route of banks from several years ago, when they had smartcard readers sent to credit card customers. Use the fingerprint scanner to store a local copy of the user's login name, requiring a second form of authentication such as a password.

离鸿 2024-10-09 17:49:31

This is so bogus. Why can't you encrypt a fingerprint? Your master is stored encrypted, you send an encrypted one to the server. The server software un-encrypts both and does the comparison. Simple. Your 'expert' solutions are bogus.

最美的太阳 2024-10-09 17:49:31

Why not use face match software for authentication?

http://www.oculislabs.com/products/privateeye
