[OT] Re: data encryption + Biometric security

Pius A. Uzamere II pius at alum.mit.edu
Mon Feb 5 22:20:23 CET 2007

On 2/5/07, Steven Milburn <steven.milburn at gmail.com> wrote:
> Newer fingerprint reader technologies actually account for this pretty
> well.  A detached finger is seen as a spoof attempt, if it even images
> properly at all.  Your information on these sensors, like most people, is
> outdated.  And I don't think that's really an accident.

Yes, there are newer sensors that are more effective at detecting such
spoofs, but that doesn't make the problem worth trivializing.  It wasn't
that long ago (think less than five years) that many COTS fingerprint
sensors were shown to be vulnerable to "fake finger" attacks.  These systems
used "live finger detection" schemes such as capacitance sensors and
temperature sensors and were handily defeated by imprinted gummy bears
moistened by a bit of saliva and held in the attacker's hand for a few
seconds.  Yes, I said gummy bears.  The point is that it would be
irresponsible to assume that some random COTS sensor is using the most
current technology in their products.  The fingerprint skeptics' information
is probably less outdated than the sensors some of these companies are

> But, let me humor you for a moment.  If I'm willing to cut off your finger
> to get into your mobile device, why wouldn't I be willing to put a gun to
> your head and/or torture you until you give me your password?

You are absolutely right.  That being said, I'd be more worried about a guy
with access to my latents, a PCB printer, and some Sour Patch Kids.  ;) (See

> > 1) full hardware docs (may be under NDA, but allowing GPL software
> >   development)
> > 2) small enough for a mobile device
> > 3) cheap enough
> > 4) not easy to fool
> >
> The sensor Mark's talking about definitely fulfills the last three.

Which sensor was he talking about?  I didn't catch it.

At any rate, a good resource for comparing fingerprint sensors and
algorithms is the NIST Image Group's fingerprint lab.


Sure, the algorithms are guarded, but looking at some of these tests is a
pretty decent way of separating the wheat from the chaff.  To put this in
perspective, the United States government (including the Department of
Homeland Security and all other civilian departments and agencies) use these
tests to make their equipment requisitions.

Disclaimer:  I used to consult to NIST and I contributed to a FIPS and a
Special Publication on material related to this domain.
