[ISN] Are Biometrics Hashable?

From: mea culpa (jerichoat_private)
Date: Mon May 04 1998 - 22:19:00 PDT


    [Moderator: I can't answer his question.. anyone else?]
    
    
    Forwarded From: Andrew McNaughton <andrewat_private>
    
    I threw a couple of odds and ends of your stuff on biometrics at one of our
    journalists, and he thought it was worth an article and asked me for some
    primary material, which I've been hunting out.
    
    A question I've been trying to answer is whether anyone's come up with a
    biometric which is sufficiently discrete to be put through a cryptographic
    hash.
    
    If a biometric was available which could be converted to some more or less
    invariable character sequence then it would be possible to combine it with
    a database specific string and produce a hash which was unique, and
    verifiable as belonging to the individual, but which would not require
    storing of the biometric itself or of anything which could be compared
    against the key in another database, or be stolen and applied to another
    database.
    
    I suspect this is problematic, since I imagine that the biometric
    fingerprint is a sequence of measurements which are compared against
    another sequence of measurements and a metric of their similarity computed.
    If so, the biometric can vary within a range, and standard hashing
    functions will not work.
    
    If you know of any system such that either the biometric fingerprint can be
    made discrete or a cryptographic hash can be constructed that tolerates a
    range of input I'd very much like to hear about it.
    
    Andrew McNaughton
    
    
    Some links I found which might prove interesting to you or your readers:
    
    
    
    http://www.biometrics.org/examples.html lists dozens of biometrics systems
    with links.  The rest of the site also has some interesting stuff (This is
    the Biometrics Consortium, which Wired pick as probably becoming a
    regulatory body in the area at some stage).
    
    
    http://www.privacyrights.org/ar/id_theft_legis.html .  This one includes a
    brief summary of Senator Murray's bill before the Californian Assembly
    about 3/4 of the way down, and is generally about identity theft.  The Bill
    is online at:
    (http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=ab_50&sess=CUR&house=B)
    
    http://www.leginfo.ca.gov/pub/bill/sen/sb_1601-1650/sb_1622_bill_980422_amended_sen.html
    is a Californian bill limiting collection and communication
    of biometric data with a $25,000 fine if data is passed to a third party
    other than law enforcement.  Not sure what the connection is with the bill
    other than law enforcement.  Not sure what the connection is with the bill
    mentioned above.
    
    
    
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Andrew McNaughton                                          =
    ++64 4 389 6891                 Any sufficiently advanced  =
    andrewat_private               bug is indistinguishable  =
    http://www.squiz.co.nz             from a feature.         =
    http://www.newsroom.co.nz                -- Rich Kulawiec  =
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:30 PDT