This is one reason why military-grade fingerprint scanners require a galvanic skin resistance check. In addition, many of the devices send a hash of the fingerprint's features -- not a key or password unlocked by it -- to the host.
-Kyle H

On 9/12/06, Bernhard Froehlich <[EMAIL PROTECTED]> wrote:

Bernhard Froehlich wrote:
[...]
> As I understand it a fingerprint scanner does not send the fingerprint
> itself to the computer but uses the fingerprint to unlock an internal
> storage containing a private key (or maybe a password). So you don't
> have to contact a surgeon if your machine is compromised, just storing
> a new key in the device should suffice. ;)
[...]

I have done some more research on the topic and have come to the conclusion that maybe it indeed is not a bad idea to have a surgeon handy if heavily relying on fingerprint sensors. It looks like it is not too hard to build thin foils imitating a fingerprint if you have an image of the fingerprint. And if someone once has created such a foil of your fingerprint, changing the private key of the device will not help...

Hope it helps,
Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
--
-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]