So there were actually a couple of *really* cool papers at SIGGRAPH this
year:  Normally, computer graphics is all about, given a material,
determining the way light interacts with it.  Lately, the field has been
moving the other direction -- given an understanding of the way light
interacts with a material, synthesize something with those properties:

Physical Reproduction of Materials with Specified Subsurface Scattering
http://www.cs.princeton.edu/gfx/pubs/Hasan_2010_PRO/index.php

Fabricating Spatially-Varying Subsurface Scattering
http://www.dongallen.com/project/fabscat/fabscat.htm  (heh.)

The general problem with biometrics is that they leak.  We've already seen
spoofing hit fingerprint scanners -- with gummi bears, no less.  It's pretty
clear that 3D printers are effectively becoming material replication
engines.  Ginning up a sufficient ocular biometric is going to be an
affordable proposition in an uncomfortably small period of time.

We have much lower standards for biometrics than crypto ciphers.  People
_really_ want to be able to self-authenticate.

That being said, security might be quantized, but it's not absolute.  Once
you start throwing in things like threats to family, not even duress phrases
are a catch-all ("anything happens to us, your family is dead in a year").
And there has never, in the history of man, been a security technology that
has achieved complete success against repudiation.  Just not how the world
works.

Last note -- my understanding is that iris entropy is pretty high -- not as
high as blood vessels on the retina, but higher than fingerprints, and way
higher than hand geometry.  It also leaks "less", in that fingerprints are
just deposited everywhere.

On Sat, Aug 21, 2010 at 11:51 PM, Tomas L. Byrnes <t...@byrneit.net> wrote:

> To rephrase in the language of security:
>
> The requirement is a non-repudiable, non-forgeable, single identity token.
>
> The mooted solution is iris scanning, because it is unique, and supposedly
> hard to copy.
>
> The premise is that this can be used solely on the basis of “something you
> have or are” as opposed to the time-honored double verification of
> “something you have and something you know”.
>
> Applying basic logic, this means that the mooted solution is only valid if
> the token (the iris) is indeed cryptographically validly (meaning more
> complex than the equivalently acceptable crypto algorithm is to crack or
> spoof) non-clonable/stealable for the required level of access.
>
> Since you can always kidnap someone or their family, and hold a gun to
> their head to make them scan their own real eye, and if there is no
> secondary authentication that could allow for an “I’ve been compromised”
> response, the whole concept of iris scanning as a single token is busted.
>
> The invalidity of just scanning an iris as a means of access control and
> authentication has nothing to do with the uniqueness of the iris, and
> everything to do with the ease of acquiring a particular iris with the
> access you require.
>
> Absent the ability to further authenticate the legitimacy of the access
> request, to include appropriate response to duress (don’t lock out, allow
> access and then interdict), any access control method fails the basic logic
> of defense against probable attack scenarios.
>
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On
> Behalf Of Dan Kaminsky
> Sent: Friday, August 06, 2010 4:27 PM
> To: rmsl...@shaw.ca
> Cc: funsec@linuxbox.org
> Subject: Re: [funsec] To see why iris scanning can be a biometric ...
>
> Anything can be a biometric.  The problem is we leak the damn things all
> over the place.
>
> On Fri, Aug 6, 2010 at 8:18 PM, Rob, grandpa of Ryan, Trevor, Devon &
> Hannah <rmsl...@shaw.ca> wrote:
>
> http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rsl...@vcn.bc.ca     sl...@victoria.tc.ca     rsl...@computercrime.org
> After the rush is over, I'm going to have a nervous breakdown.
> I've worked for it, I owe it to myself, and nobody is going to
> deprive me of it.
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://www.infosecbc.org/links http://twitter.com/rslade
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
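The access-control design the quoted message argues for (the iris match on its own decides nothing, a "something you know" factor gates access, and a duress variant of that factor grants access while raising a silent alert rather than locking out) is easy to show in code. The following is an added example, not code from the funsec thread or from any of its participants; the function and field names, the 0.90 match threshold and the sample enrolment are assumptions made for the illustration. It puts the single-token policy the thread rejects next to the two-factor policy with a duress path, so a high-scoring iris presented without the PIN (whether coerced or cloned) opens the first but not the second.

```python
# Added example (not from the funsec thread): biometric-only access decision
# beside a two-factor decision with a duress PIN.  All names, the threshold
# and the sample enrolment record are assumptions for the illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

IRIS_MATCH_THRESHOLD = 0.90   # assumed: similarity score in [0, 1] from the scanner


@dataclass
class Enrolment:
    user: str
    salt: bytes
    pin_hash: bytes       # hash of the normal PIN
    duress_hash: bytes    # hash of the duress PIN, stored the same way


@dataclass
class Decision:
    grant: bool
    silent_alert: bool
    reason: str


def _hash_pin(salt: bytes, pin: str) -> bytes:
    # Slow, salted hash so a stolen enrolment record does not hand over the PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enrol(user: str, pin: str, duress_pin: str) -> Enrolment:
    if pin == duress_pin:
        raise ValueError("duress PIN must differ from the normal PIN")
    salt = secrets.token_bytes(16)
    return Enrolment(user, salt, _hash_pin(salt, pin), _hash_pin(salt, duress_pin))


def decide_biometric_only(iris_score: float) -> Decision:
    # The single-token policy the thread argues against: a good enough
    # match, whether genuine, coerced or cloned, is all it takes.
    if iris_score >= IRIS_MATCH_THRESHOLD:
        return Decision(True, False, "iris match")
    return Decision(False, False, "iris mismatch")


def decide(rec: Enrolment, iris_score: float, pin: str) -> Decision:
    # Two-factor policy: biometric AND knowledge factor, with a duress path.
    if iris_score < IRIS_MATCH_THRESHOLD:
        return Decision(False, False, "iris mismatch")
    h = _hash_pin(rec.salt, pin)
    # The duress PIN looks exactly like success from the user's side; only
    # the alert flag differs, so a coercer watching the screen sees nothing.
    if hmac.compare_digest(h, rec.duress_hash):
        return Decision(True, True, "duress PIN: access granted, responders alerted")
    if hmac.compare_digest(h, rec.pin_hash):
        return Decision(True, False, "iris match and PIN ok")
    return Decision(False, False, "PIN mismatch")


# Constructed sample enrolment (assumed user and PINs) for the usage below.
SAMPLE = enrol("alice", "2468", "2469")

if __name__ == "__main__":
    # A leaked or cloned iris alone: the single-token policy opens the door,
    # the two-factor policy does not.
    print(decide_biometric_only(0.97))
    print(decide(SAMPLE, 0.97, "0000"))
    # Normal and duress logins by the enrolled user.
    print(decide(SAMPLE, 0.97, "2468"))
    print(decide(SAMPLE, 0.97, "2469"))
```

The duress branch deliberately returns the same `grant=True` as a normal login and only flips `silent_alert`; whatever the alert triggers (logging, a call to responders, a delayed lockout) happens out of band, which is the "allow access and then interdict" behaviour from the quoted message. As Kaminsky's reply notes, this still does nothing against a threat that outlasts the login, so it is a mitigation for the coercion-at-the-scanner case, not a complete answer.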