(keitai-l) Re: Jelly finger fools biometric sensor

From: Dirk Rösler <d.rosler_at_jens.co.jp>
Date: 12/11/02
Message-Id: <9C9C1814-0CBE-11D7-8CCC-0030654492C6@jens.co.jp>

On Friday, Dec 6, 2002, at 09:05 Asia/Tokyo, Curt Sampson wrote:

> In theory, it's supposed to be something you have that you can't
> give away to someone else. In practice, that's generally far from
> the case.  Thus, the one area where it really would have an advantage
> over "something you have," the fact that you can resist attacks by
> the person who has the thing, doesn't really turn out to be an
> advantage after all.

To be precise, biometrics is "something you are" as opposed to 
something you have (e.g. plastic credit card) or something you know 
(e.g. PIN), but your argumentation still stands.

On Thu, 5 Dec 2002, Ken Chang wrote:

> biometric is a very long password you don't have to remember,
> but it's difficult to change when disclosed.

In addition to what has already been said: Yes, there are issues 
pertaining to replacement of biometric data (the "get a new finger" 
problem); however, disclosure isn't really the issue here. There is not 
always a reason to keep the data secret, just like a hand-written 
signature is publicly available. What must not be possible is using 
the, say, publicly available information by itself to impersonate an 
individual. The problem occurs when someone else is able to generate 
the biometric data to obtain access like the authorised user is, i.e. 
by copying a person's physical properties and just normally using the 
reader. This has nothing to do with disclosure.

Actually I mostly agree with Curt overall, and you will find numerous 
security folks out there with the same or similar opinion.

Dirk
Received on Wed Dec 11 06:22:34 2002