Discussion:
[Thinkfinger-devel] Using thinkfinger as a replacement for disk encryption passphrase
Joseph Mulloy
2007-03-07 06:04:11 UTC
Hello,
I use dm-crypt with LUKS for system encryption on my laptop which has
a thinkfinger compatible fingerprint reader. I use an initramfs at
startup to set up the disk decryption so I can boot and use the system.
I'm just learning C++ in school so I'm having difficulty understanding
the source to tf-tool. Is it possible for the tool to produce the
/tmp/test.bir on one swipe instead of two so that I could just swipe
my finger instead of typing a password? This software is excellent and
works perfectly with my hardware. I think that if this is possible it
would be a killer application for this software and the hardware it
uses. A fully encrypted system that can be decrypted with a swipe of a
finger seems like a spy movie.
--
Joseph Mulloy

***@gmail.com
Timo Hoenig
2007-03-10 18:19:54 UTC
Hi Joseph,

Sorry for the lag.
Post by Joseph Mulloy
I use dm-crypt with LUKS for system encryption on my laptop which has
a thinkfinger compatible fingerprint reader. I use an initramfs at
startup to set up the disk decryption so I can boot and use the system.
I'm just learning C++ in school so I'm having difficulty understanding
the source to tf-tool. Is it possible for the tool to produce the
/tmp/test.bir on one swipe instead of two so that I could just swipe
my finger instead of typing a password? This software is excellent and
works perfectly with my hardware. I think that if this is possible it
would be a killer application for this software and the hardware it
uses. A fully encrypted system that can be decrypted with a swipe of a
finger seems like a spy movie.
I already went through exactly the same idea -- and also for using the
fingerprint to unlock SSH keys. Unfortunately this is not (yet)
possible. We can do currently two tasks with the fingerprint reader:

* acquire a fingerprint
* verify a fingerprint

At first sight this looks sufficient, but it is not.

When acquiring a fingerprint, you need to swipe your finger three times
(for your idea we want to swipe only once to get a 'key'). And, even
worse, the returned fingerprint ('key') usually differs. E.g. if you
acquire your thumb twice, you get two different biometric identification
records.

Please monitor my progress on ThinkFinger, there is a slight chance that
we can offer that functionality at some point.

Thanks,

Timo
Joseph Mulloy
2007-03-10 20:45:01 UTC
I found the same thing myself. I tried comparing the output of
separate acquires using diff and it was different each time, so it's
not as straightforward as just making it ask once. I'm having trouble
understanding how it all works; I'm not very familiar with C
programming. If the *.bir is different every time, how does it verify
that the fingerprints match? Thanks for the reply.
--
Joseph Mulloy

***@gmail.com
Timo Hoenig
2007-03-12 19:13:06 UTC
Hi Joseph,
Post by Joseph Mulloy
I found the same thing myself. I tried comparing the output of
separate acquires using diff and it was different each time so it's
not a straight forward as just making it ask once. I'm having trouble
understanding how it all works, I'm not very familiar with C
programming. If the *.bir is different every time how does it verify
that the fingerprints match? Thanks for the reply.
It's all done in hardware. We're sending down the biometric
identification record to the device and the device compares the entropy
of that with the finger which is being swiped. We have a relation of
1:n (1 finger : n biometric identification records). You might compare
it to shooting photos of a person. When looking at different photos you
can recognize one and the same person even if the perspective of
the photo differs.

Timo
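The two observations above (a fresh acquisition never reproduces the previous .bir byte for byte, yet the device still matches the finger) are exactly why hashing a swipe can never give a stable disk key, and why any scheme that does unlock a key from a noisy reading has to tolerate the noise cryptographically rather than hope for an identical template. The following is an added illustration written for this thread; it is not code from ThinkFinger, tf-tool or the UPEK/AuthenTec drivers. It assumes, hypothetically, that a reading can be reduced to a fixed-length bit vector and that two swipes of the same finger differ in a bounded number of bit positions; real .bir records are opaque and vendor-specific, so nothing here can be bolted onto them as-is. The construction is a fuzzy commitment (a random key, repetition-encoded, XORed with the enrolled template), shown beside the naive "hash the swipe" approach the original question asks for:

```python
"""Fuzzy commitment over a toy fingerprint template.

Added illustration for this thread; not ThinkFinger, tf-tool or UPEK code.
It assumes (hypothetically) that a reading can be reduced to a fixed-length
bit vector and that two swipes of the same finger differ in a bounded number
of positions. Real .bir records are opaque and vendor-specific, so this cannot
be bolted onto them as-is.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TEMPLATE_BITS = 256              # length of the constructed template bit vector
REP = 8                          # repetition code: each key bit is written 8 times
KEY_BITS = TEMPLATE_BITS // REP  # 32 secret bits; a toy size, see the note below
TOLERANCE = (REP - 1) // 2       # a block of 8 copies survives up to 3 flipped bits


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two readings differ."""
    return bin(a ^ b).count("1")


def flip_bits(reading: int, positions) -> int:
    """Constructed 'next swipe': the given reading with the listed bits flipped."""
    for p in positions:
        reading ^= 1 << p
    return reading


def naive_key(reading: int) -> bytes:
    """What the original question asks for: hash one swipe and use that as the key.
    Two swipes that differ in even one bit give unrelated digests."""
    return hashlib.sha256(reading.to_bytes(TEMPLATE_BITS // 8, "big")).digest()


def encode(key: int) -> int:
    """Repetition-encode KEY_BITS secret bits into a TEMPLATE_BITS-bit codeword."""
    word = 0
    for i in range(KEY_BITS):
        if (key >> i) & 1:
            word |= ((1 << REP) - 1) << (i * REP)
    return word


def decode(word: int) -> int:
    """Majority-decode each block of REP bits back into one key bit."""
    key = 0
    for i in range(KEY_BITS):
        block = (word >> (i * REP)) & ((1 << REP) - 1)
        if bin(block).count("1") > REP // 2:
            key |= 1 << i
    return key


def _tag(key: int) -> bytes:
    """Hash of the key, stored so that recovery can reject a wrong decode."""
    return hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big")).digest()


def enroll(template: int, key: Optional[int] = None) -> Tuple[int, int, bytes]:
    """Bind a fresh random key to the enrolled template.

    Returns (key, commitment, tag). Only commitment and tag are stored: the
    commitment is codeword XOR template and reveals neither by itself, and the
    tag lets recovery reject a wrong key without the key itself being stored.
    """
    if key is None:
        key = secrets.randbits(KEY_BITS)
    return key, encode(key) ^ template, _tag(key)


def recover(commitment: int, tag: bytes, reading: int) -> Optional[int]:
    """Recover the key from a new swipe, or None if the swipe is too far off.

    commitment XOR reading == codeword XOR (template XOR reading), i.e. the
    codeword plus the swipe-to-swipe noise; majority decoding removes up to
    TOLERANCE flipped bits in every block.
    """
    key = decode(commitment ^ reading)
    if not hmac.compare_digest(_tag(key), tag):
        return None
    return key


if __name__ == "__main__":
    enrolled = secrets.randbits(TEMPLATE_BITS)                  # constructed template
    swipe = flip_bits(enrolled, range(0, TEMPLATE_BITS, REP))   # one bad bit per block
    print("naive hash stable across swipes:", naive_key(enrolled) == naive_key(swipe))
    key, commitment, tag = enroll(enrolled)
    print("fuzzy commitment recovers key:", recover(commitment, tag, swipe) == key)
    print("five bad bits in one block:", recover(commitment, tag, flip_bits(enrolled, range(5))))
```

Two caveats a practitioner should keep in mind. First, the parameters are deliberately tiny: a length-8 repetition code over 256 template bits binds only 32 secret bits and lets anyone holding the commitment learn a lot about the template, so a deployable design needs a proper error-correcting code (BCH or similar) over a binarised feature representation, not this toy. Second, this only helps if the software can see a reading at all; with the matching done inside the device, as described above, the host only ever gets a yes/no, so the disk key would have to be released by software that trusts that answer, and the key is then protected no better than the code that checks it. Storing a random LUKS keyfile and sealing it to the machine, as discussed further down in this thread, is the pattern that fits that hardware.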
Marcus Better
2007-03-12 14:57:45 UTC
Using biometric data to derive disk encryption keys seems like a bad idea to
me. The "correct" way to implement this would probably be to use the TPM
chip to store encryption keys. The keys would be unlocked by means of a
fingerprint scan. Does anyone know if this is possible?
Timo Hoenig
2007-03-12 19:16:28 UTC
Hi Marcus,
Post by Marcus Better
Using biometric data to derive disk encryption keys seems like a bad idea to
me. The "correct" way to implement this would probably be to use the TPM
chip to store encryption keys. The keys would be unlocked by means of a
fingerprint scan. Does anyone know if this is possible?
I completely agree with your point of view.

I also thought about storing public keys on the TPM and then unlock the
chip using the fingerprint. Unfortunately, I didn't have time yet to
investigate the current support for the TPM chip using Linux. If
someone knows more, please share that information.

Thanks,

Timo
Joshua Rubin
2007-03-12 19:33:16 UTC
Hi Timo,
Post by Timo Hoenig
I also thought about storing public keys on the TPM and then unlock the
chip using the fingerprint. Unfortunately, I didn't have time yet to
investigate the current support for the TPM chip using Linux. If
someone knows more, please share that information.
I am working with the trousers/opencryptoki developers at IBM to get
these packages included in Debian. I am fairly familiar with the tpm. I
can at least act as a liaison.

I am not exactly sure what the proper way to use the TPM is with respect
to fingerprints though. Right now, I can use my TPM, but it is pretty
limited in its usefulness. I can use the TPM like a smart card, but even
that is not a great use. A real smart card that is removable serves this
purpose better IMO. The TPM is great for attestation though. It is not
an encryption accelerator or anything like that. We could wrap .bir
files with the TPM, such that they could only work on the same physical
machine. The same with encryption keys. Not sure where I am going with
this, just throwing out some possibilities. We could also store the .bir
file in the TPM, but that would cause logging in to be a very slow process. I
have no idea how the default IBM software makes use of the TPM in the
fingerprint process with their "slots".

Sorry for the rambling.

Let me know if I can help,
Joshua
Timo Hoenig
2007-03-12 20:15:36 UTC
Hi Joshua,
Post by Joshua Rubin
I am working with the trousers/opencryptoki developers at IBM to get
these packages included in Debian. I am fairly familiar with the tpm. I
can at least act as a liaison.
Perfect :-)
Post by Joshua Rubin
I am not exactly sure what the proper way to use the tpm is with respect
to fingerprints though. Right now, I can use my tpm, but it is pretty
limited in its usefulness. I can use the tpm like a smart card, but even
that is not a great use. A real smart card that is removable serves this
purpose better IMO. The tpm is great for attestination though. It is not
an encryption accelerator or anything like that. We could wrap .bir
files with the tpm, such that they could only work on the same physical
machine. The same with encryption keys. Not sure where I am going with
this, just throwing out some possibilities.
I don't think that we want to store bir files specifically on one
system. It would be really nice to have fingerprint authentication for
distributed systems, too (LDAP and such). It would be even better if
bir files could be cross-hardware compatible. But with the current
distribution of AuthenTec and UPEK devices this idea is probably
condemned to failure already.
Post by Joshua Rubin
We could also store the .bir file in the TPM, but that would cause logging in
to be a very slow process.
As far as I know the UPEK fingerprint reader is already able to store
fingerprints. It is not supported by the Linux driver, though. The
Windows driver would probably be a better start for investigation.
Post by Joshua Rubin
I have no idea how the default IBM software makes use of the tpm in
the fingerprint process with their "slots".
Compared to the UPEK fingerprint reader there should be at least
documentation and specs for the TPM, which will make our efforts more
straightforward.
Post by Joshua Rubin
Sorry for the rambling.
I appreciate your broad input on the topic. Hopefully I'll find some
time to work on this topic.
Post by Joshua Rubin
Let me know if I can help,
Thanks, I'll certainly get back to you.

Timo
W***@gmx.de
2007-03-12 19:35:11 UTC
The Atmel chip in the Z61m is supported with Linux.
Only problem: Windows and Linux TPM have different password encoding.
But there is a tool.

Sometimes it works.

But I didn't find any hint how the fingerprint and the TPM are coupled.

Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
Timo Hoenig
2007-03-12 20:18:50 UTC
Hi Gabor,
Post by W***@gmx.de
The Atmel chip in the Z61m is supported with Linux.
Only problem: Windows and Linux TPM have different password encoding.
But there is a tool.
I think that IBM/Lenovo are always using the Atmel chip for their
systems. Can someone confirm that?

Do you mind sharing the name of the tool? Just curious.
Post by W***@gmx.de
Sometimes it works.
At least sometime :-)
Post by W***@gmx.de
But I didn't find any hint how the fingerprint and the TPM are coupled.
Is there any real life application for Windows using that combination
(TPM + fingerprint reader) to unlock sensitive data stored on the TPM?

Timo
Anton Bolshakov
2007-03-12 22:56:50 UTC
Post by Timo Hoenig
Do you mind sharing the name of the tool? Just curious.
Timo
I think you guys are talking about these packages:

http://domino.research.ibm.com/comm/research_projects.nsf/pages/gsal.TCG.html
http://sourceforge.net/projects/tpmdd
http://sourceforge.net/projects/trousers
http://packages.gentoo.org/search/?sstring=tpm

they also have published some specs.

I completely agree and don't feel comfortable having my unique
fingerprint key in a separate file. You just don't want somebody to
have it one day :]
Post by Timo Hoenig
Is there any real life application for Windows using that combination
(TPM + fingerprint reader) to unlock sensitive data stored on the TPM?
I'm not sure about Windows, but the built-in BIOS fingerprint checker
might keep it in TPM.
Timo Hoenig
2007-03-12 23:29:05 UTC
Hi Anton,
Post by Anton Bolshakov
http://domino.research.ibm.com/comm/research_projects.nsf/pages/gsal.TCG.html
http://sourceforge.net/projects/tpmdd
http://sourceforge.net/projects/trousers
http://packages.gentoo.org/search/?sstring=tpm
they also have published some specs.
Thanks for the pointers.
Post by Anton Bolshakov
I completely agree and don't feel comfortable having my unique
fingerprint key in a separate file. You just don't want somebody to
have it one day :]
Well, you should not trust that TPM thing either. Whom can you trust
that there is not a generic backdoor which opens the TPM no matter how
you chose to protect its content?
Post by Anton Bolshakov
Post by Timo Hoenig
Is there any real life application for Windows using that combination
(TPM + fingerprint reader) to unlock sensitive data stored on the TPM?
I'm not sure about Windows, but the built-in BIOS fingerprint checker
might keep it in TPM.
I *think* this is exactly a spot where the fingerprint is being stored
on the fingerprint scanner. A friend of mine did a complete BIOS
update, reset of the TPM, formatting its hard drive and fresh
installation of the 'other' operating system and he was still able to
authenticate using his finger at the BIOS prompt.

But that is just something I heard. I've never tried it myself.

Thanks,

Timo