Andrew Plato wrote: > I should note that I was very much an anti-biometric guy like you and > Crispin > until I started playing with this mouse. I won't claim its perfect, > but its certainly > one of the best I've ever seen. I believe that playing with the product would convince Andrew of the device's usability, but I don't see how this would convince anyone of its security. You cannot test for security, you can only test for *insecurity*. What was it about your experience that convinced you that the threat presented by Tsutomu Matsumoto <http://www.counterpane.com/crypto-gram-0205.html#5> is somehow not applicable? > 4 separate keys are stored, each key uses a randomly chosen 500 byte > chunk of the > hash as the "private key" The print currently in memory (just scanned > in) must "fill in the gaps" > of the key to provide authentication. > > So coding a driver for it would not be enough. You would have to have > some > software that could DO something with the data coming off the mouse to > make it useful. Another hypothetical attack. Go craft a boot floppy or CD that does the following: * boot from removable media * mount the HD * trojan the drivers for the bio-mouse so that they either o simple: just always say "yes" o complex: say "yes" for the legitimate user, or for the attacker's pattern At lunch time, I stick the disk in your machine, reboot it, come back five minutes later and remove the disk and reboot again. At any later date, I can log in to the machine. This attack works against any authentication scheme where the credentials are stored locally. In other mail, Andrew mentioned that the bio-mouse people can either store the credentials locally or on a remote authentication server. My boot media attack clearly works against the local case, but may or may not work with the remote case. It critically depends on whether the strong crypto that Andrew alleges is embedded in the bio-mouse goes end-to-end to the authentication server, or if it only goes the the PC for authentication, and then a yes/no is sent to the authentication server. The latter can be successfully trojaned without compromising the authentication server. Andrew may object that this is a very sophisticated attack, and most people are not capable of building it. True. However, it is also a scriptable attack, and it can be packaged as a simple download ISO image that any goober can run. Consider it a real threat against this kind of technology, even if your threat model only assumes unsophisticated attackers. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 13:26:54 PDT