[liberationtech] iPhone5S Fingerprint and 5th amendment

Peat Bakke peat at peat.org
Wed Sep 11 09:51:11 PDT 2013


Awesome. That's plenty for me to chew on. I'm satisfied for now. :)

Thanks, Eugen!


On Wed, Sep 11, 2013 at 9:35 AM, Eugen Leitl <eugen at leitl.org> wrote:

> On Wed, Sep 11, 2013 at 09:20:56AM -0700, Peat Bakke wrote:
> > > This is likely subject to a precompiled hash lookup table attack,
> > > as the number of all possible fingerprints, quantized via a
> > > classification vector is not that large.
> >
> > Can you give us a better idea of how large "not that large" is?
>
> I thought there was insufficient variability so there could
> be dupes within the world population of mere 7 gigamonkeys,
> but that might be wrong,
> given http://lwn.net/Articles/276318/
>
> See FBI Appendix F specifications in
> http://www.fbibiospecs.org/fbibiometric/docs/EBTS%20V8.00...
> 500 pixels per inch or 1000 ppi at 8 bits per pixel. Capture size
> 1.6" x 1.5" (600 Kpixels) for roll finger or 1" x 2" for thumb
> (500 Kpixels).
>
> But once you threshold the images, you effectively get rather less
> than 1 bit per pixel, as there's a lot of correlation between pixels.
> Also rotations all count the same. My fingers have more like 50 ridges
> per inch. But that's still a *lot* of possible values.
>
> After extracting the minutiae, there's rather less information held.
> One finger reader I have states the software extracts between 10 and
> 70 minutiae points, held as (x,y) vectors, in a transform claimed to
> be non-reversible. If coordinates are accurate to 6 bits, that means
> 10 x (6+6) bits = 120 bits minimum. Still allows for significantly
> more possible prints than the world population.
>
> See also Sir James Crosby's report,
> http://www.hm-treasury.gov.uk/media/6/7/identity_assuranc...,
> suggesting that only non-unique digital representations should be
> stored. This would allow the master copy in the database to be
> replaced with another version, so would provide some limited options
> to "change" a compromised fingerprint.
>
> Uniqueness of fingerprints?
> Posted Apr 6, 2008 11:32 UTC (Sun) by man_ls (guest, #15091)
>
> Hmmm... doesn't the principle behind the Birthday paradox apply here? Even
> if there are 366 days in a year, the probability of two people having the
> same birthday reaches 0.5 with a group of only 23 people. Therefore you would
> only need roughly the square root of the number of possibilities to find a
> collision.
> With 120 bits you are still safe, since the world population is about
> 2^32. But the security factor is not as high as it would seem. Surely we
> don't expect all values to be as likely, as with birthdays; if they tend to
> cluster around certain values (some kinds of fingerprint configurations are
> more probable than others) then collisions become increasingly likely.
>
> > Rainbow tables are always a problem, but I suspect that there's more
> > diversity in those vectors than in user generated passwords.
>



-- 
Peat Bakke
http://peat.org/
(503) 701-4135
@peat
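
Added example, not part of the original thread: the birthday-bound arithmetic from the quoted LWN comments, carried through for the 120-bit minutiae figure and a world population of 7 billion, plus the effect of clustering on the effective template size. The skewed cell distribution and the independence of minutiae are constructed assumptions for illustration, not measured fingerprint data.

```python
import math

WORLD_POP = 7_000_000_000  # the thread's "7 gigamonkeys"

def collision_probability(n, bits):
    """Approximate P(any two of n people share a template) for templates
    drawn uniformly from 2**bits values (standard birthday approximation)."""
    expected_pairs = n * (n - 1) / 2 / 2.0 ** bits
    return -math.expm1(-expected_pairs)  # expm1 keeps tiny results accurate

def bits_for_even_odds(n):
    """Template size (bits) at which a duplicate among n people is a coin flip."""
    return math.log2(n * (n - 1) / (2 * math.log(2)))

def collision_entropy_bits(probs):
    """Renyi collision entropy -log2(sum p_i^2): the 'uniform-equivalent'
    bit count that governs birthday collisions for a skewed distribution."""
    return -math.log2(sum(p * p for p in probs))

def skewed_minutia(cells=4096, hot_fraction=1 / 16, hot_mass=0.5):
    """Constructed model, not measured data: one 12-bit (x, y) minutia where
    half of all prints fall into 1/16 of the possible cells."""
    hot = int(cells * hot_fraction)
    cold = cells - hot
    return [hot_mass / hot] * hot + [(1 - hot_mass) / cold] * cold

def effective_template_bits(minutiae=10):
    """Effective size of a 10-minutiae template under the skewed model,
    assuming the minutiae are independent (also an assumption)."""
    return minutiae * collision_entropy_bits(skewed_minutia())

if __name__ == "__main__":
    print(f"birthday check, 23 people / 365 days: "
          f"{collision_probability(23, math.log2(365)):.3f}")
    print(f"120-bit templates, world population:  "
          f"{collision_probability(WORLD_POP, 120):.2e}")
    print(f"bits where a duplicate is a coin flip: "
          f"{bits_for_even_odds(WORLD_POP):.1f}")
    eff = effective_template_bits()
    print(f"effective bits with clustering:        {eff:.1f}")
    print(f"collision probability at that size:    "
          f"{collision_probability(WORLD_POP, eff):.2e}")
```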