Fingerprint Readers - Data Storage

D

Dmitry Petrov2012-04-22 19:03:12

Iron

Dmitry Petrov, 2012-04-22 19:03:12

There was a question for knowledgeable people about the scheme of operation of fingerprint readers.
Suppose there is a computer, there is a connected reader.
The user performs the enroll operation (primary registration of fingerprints): puts a finger, the software analyzes the drawing, some features, saves this data ... where? as? Suppose in some file.
The user then configures Windows for fingerprint authentication. How does this happen? the user enters his password, this password is associated with his account.
Further, the user tries to log in after some time - he puts his finger, compares the received data with the original stored on the computerversion of the fingerprint (or the result of its analysis), if successful, the account is logged in.
The question arises - where is the security in this mechanism? For example, an attacker could steal the original fingerprint data along with this file. What will prevent him from further reading this data and slipping it to the Windows service that checks (Verify) fingerprints? After all, nowhere is it said about the encryption of this data, while, in my opinion, it does not make sense - how to compare encrypted data? they need to be decrypted, which means that again, some kind of key must be stored.

After all, it is very simple with a password - the password is stored in the user's mind, and in an encrypted / hashed form on the computer (it is possible in a form that cannot be reverse decrypted). The user entered a password, the system hashed it (well, we take the same NTLM authorization mechanism in Windows), compared it with the previously saved copy.
It is more difficult with fingerprints - the fingerprint is stored on the user's finger, in its pure form on the computer, and after entering the fingerprint, the input is checked against the copy on the computer. This checks not 100% match, but only partial.

Actually the question is - what is the point of fingerprint authorization, if it can be bypassed not even by replacing fingerprints, but simply by reading the data of the initial fingerprints and slipping them into the system. And how to get rid of this problem? Only not by storing the initial fingerprints on the server, it's only about the local machine.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

D

Dmitry Petrov, 2012-04-22
@Sellec

the scanner also processes the received image and compares the resulting sequence with the control

This is the question: I can get a control template recorded by the scanner and slip the template to the scanner, bypassing the finger scanning process. The scanner recognizes this slipped sequence as a 100% match to the control pattern. That's all authorization.

M

Mikhail Lyalin, 2012-04-23
@mr_jok

read habrahabr.ru/post/126144/

W

wannasome, 2012-04-22
@wannasome

The biometric system does not work with an image, but with a template derived from it. When a new sample (control template) is created, the scanner receives the image, processes it, i.e. according to some algorithm, it reveals characteristic features in the image, and the result of processing is recorded in the form of a numerical sequence. The original image cannot be restored from the control pattern data. When authorization occurs, the scanner also processes the received image and compares the resulting sequence with the control one, and if the samples match at least a few percent, then the authorization is considered passed.