[cryptography] replacing passwords with keys is not so hard (Re: PBKDF2 + current GPU or ASIC farms = game over for passwords)

Adam Back adam at cypherspace.org
Tue Oct 1 15:01:53 EDT 2013

On Tue, Oct 01, 2013 at 10:25:10AM -0700, coderman wrote:
>On Tue, Oct 1, 2013 at 2:12 AM, Adam Back <adam at cypherspace.org> wrote:
>> ... And Lucky has some gruesome
>> alternatively low tech version also which doesnt bear thinking about.
>i'm curious about defeating the liveness detection of fingerprint
>readers using a severed digit.  or is non-trivial liveness detection
>only a feature in the most expensive readers?

Hey that was the unmentionable part!  But surely that must be true because
if moistened gumi-bear can do the trick surely a finger without blood flow
can.  (Eww thanks for that).  Most of these biometrics seem pretty stupid. 
There was one where they printed out a colour photo of the person and waved
it in front of the camera to give an impression of motion for facial
recognition.  Its probably a basic factor of the noise rate in the data, the
limits of recognition, and the tolerable false negative rate = biometrics
are either insecure or unreliable at least for the mid term.  

But also you mention expensive biometric readers - some of the rubber
facemasks are damn convincing to the human eye (eg if you watched Bryan
Cranston breaking bad thing on Jimmy Fallon skip to 5:25
http://www.youtube.com/watch?v=XEQk1_F7sL0) - surely that can fool better
facial readers than waving an inkjet printed photo.  Probably similar for
fingers - ie readers can up, but your adversary can also make better than
prank gummy bear fake fingers to if thats your threat model.

Biometrics - stupid idea IMO.


More information about the cryptography mailing list