data encryption + Biometric security

Robert Michel openmoko at robertmichel.de
Fri Feb 2 00:18:32 CET 2007


Salve Mark!

On Thu, 01 Feb 2007, Heilpern, Mark wrote:

> Watching things like tv's MythBusters defeat fingerprint sensors is
> interesting and entertaining, but when you know they're using several
> year old, out-dated technology for the sensors they evaluate, you might
> suspect that there's more to the story that they're telling you.

The German Chaos Computer Club ccc.de is not a TV program,
that are quite good hackers - and also Bruce Schneier is.

Rodolphe gave allready a good feedback that lake of information
does not creats trust. E.G. the team of the GPG-crypto-card had
to sign a NDA - so I do not trust this cards that
- the algorithm didn't get extention
- that the random generator is good enough
- that this cards didn't have a backdoor
- that the encryption result doesn't have hidden the 
  private key inside.

I wrote I'm no crypto expert - but that does not mean that
I have my knowledge from the TV.

BTW I trust several years old CPU and network chips more
than "modern" chips.

> Disclaimer: I work for a fingerprint sensor manufacturer.

I doe very welcome that people of fingerprint sensor manufactures
are active here on this list. I'm just a normal member on this
list (btw a civil engineering student with some ICT interest)
I'm not speaking for more than for myself.

I will not negate that finger sensors could be interesting,
but security is not just a quetion of products and money you
spent into - the slogan you always get what you paid for is
definitve wrong for security.

For secure systems it is relevant good when everybody understand
how it is working - e.g. voting box and paper votings are IMHO
more secure then voting PC could be...

So the question is for what is the fingerprint sensor used on
the phone
1.) avoiding calls on your bill
2.) secure your adressbook
3.) secure your private keys 

For 1. and 2. a fingerprint sensor brings more comfort and would
be IMHO OK.
But about 3 IMHO we are talking about a field 
- where simple and open solutions would be better
- and security is more important then comfort.

Let us assume I would become maintainer of some OpenMoko packets
and my private key to sign would be on my Neo1973 - I hope it
will be so trustworthy that this would not be seen as negligent/careless
how could a fingerprinter enhanced the security for this private key?


Don't get me wrong, there are many fields where not as much security
as possible would be neccessary and a Neo1973 with build in
fingerscanner could become a very interesting product, e.g. when
somebody has employees which he could/will trust less then
your company authentec.com
So I do see a perspective for next generation Neos or Third party
modificated Neos with buildin fingerscanners - so playing with
external scanners to have some prototypes would help starting
this market field - and I personal would like to see individuell
modification of OpenMoko and the Neo1973
- train ticket device with printer
- barcodescanner for logistic task
- fingerscanner for...

So yes this topic is interesting for some markets.

I don't think that for normal skilled linux user a fingerprint sensor
could be a full replacement of his password protection - I only would
use it __only__ as additional feature, __not__ as password replacement
(for real secure task like protecting private keys).



Ok let us speak Tachels - the calculation of the iphone has become
publish and the AGPS chip producer GlobalLocate had published in his
presentation that when buying more than 10k chips the AGPS costs less
then 5 US-$. Can you tell us more about your products and which level
of security would be possible with costs of 5 US-$ or less.

Again, I'm just a student interested in this project and I would like
to compare the cost and benefit of additional components for further
Neo modells. ;)

But beside my direct question, I would like see this discussion 
going on, not only the next days - experiances with OpenMoko
and more information about fingerprint sensors could build a basis
that it will continous in weeks or month - so please stay active here ;)

Ah, and what you are thinking about the potential of multitouch 
screen sensors, could they be used for a fingersensor? This would
have the advantage that no additional sensor field must be in/on the
device.....


Greetings,
rob






More information about the community mailing list