Fingerprint Recognition with Linux & IBM's T42
Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"
Ahem, PAM (Score:5, Interesting)
They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.
Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?
The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.
I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.
This is a really tricky problem.
I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.
Why can't that go into pam_finger.so?
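The mismatch raised in the comment above, as an added example that is not part of the original thread: an exact salted-hash check (the pam_unix.so style of comparison) rejects a second scan of the same finger, while a tolerance-based comparison of minutiae coordinates, the kind of template described further down the thread, accepts it. The coordinates, tolerances and threshold are constructed assumptions, and the matcher is deliberately simplified (no rotation or translation alignment).

```python
import hashlib
import hmac
import math

SALT = b"constructed-demo-salt"  # fixed only so the demo is repeatable
THRESHOLD = 0.8                  # hypothetical accept threshold

# Constructed minutiae: (x, y, ridge angle in degrees). Not real scanner output.
ENROLLED = [(30, 42, 90), (55, 18, 135), (71, 66, 10),
            (12, 80, 200), (90, 35, 315), (48, 95, 45)]
# Same finger rescanned: small jitter on every point, one minutia missed.
PROBE_SAME = [(32, 41, 93), (54, 20, 130), (70, 68, 5),
              (13, 79, 204), (88, 36, 318)]
# A different finger.
PROBE_OTHER = [(20, 20, 0), (60, 50, 180), (85, 85, 270),
               (40, 70, 100), (10, 30, 60), (75, 10, 225)]

def serialize(minutiae):
    """Canonical byte encoding so identical templates hash identically."""
    return b";".join(f"{x},{y},{a}".encode() for x, y, a in sorted(minutiae))

def hash_secret(data, salt=SALT):
    """Salted one-way hash, standing in for a crypt()-style password hash."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def verify_exact(candidate, stored_hash):
    """Password-style check: only a bit-for-bit identical input passes."""
    return hmac.compare_digest(hash_secret(candidate), stored_hash)

def match_score(enrolled, probe, dist_tol=6.0, angle_tol=15):
    """Fraction of enrolled minutiae that have an unused probe minutia nearby."""
    used, hits = set(), 0
    for ex, ey, ea in enrolled:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            d_angle = abs(ea - pa) % 360
            d_angle = min(d_angle, 360 - d_angle)  # handle wrap-around at 360
            if math.hypot(ex - px, ey - py) <= dist_tol and d_angle <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(enrolled)

def accept(probe):
    """Fuzzy decision: needs the enrolled template in comparable (unhashed) form."""
    return match_score(ENROLLED, probe) >= THRESHOLD

if __name__ == "__main__":
    stored = hash_secret(serialize(ENROLLED))
    print("hash check, identical template:", verify_exact(serialize(ENROLLED), stored))
    print("hash check, same finger rescan:", verify_exact(serialize(PROBE_SAME), stored))
    print("fuzzy score, same finger:", round(match_score(ENROLLED, PROBE_SAME), 3))
    print("fuzzy score, other finger:", match_score(ENROLLED, PROBE_OTHER))
```

Because `accept()` has to read the enrolled coordinates themselves, the stored template needs protection of its own (file permissions, encryption at rest, or matching inside the sensor), which is the concern the comment raises about loading the data into memory.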
Re:Ahem, PAM (Score:3, Informative)
Re:Ahem, PAM (Score:4, Insightful)
The whole point I thought was to create a framework through which it would be impossible to recreate the user's authentication info.
We do what you're saying and the next thing you know, I have your fingerprint, or even better, I've replaced your fingerprint with mine.
Re:Ahem, PAM (Score:3, Funny)
Re:Ahem, PAM (Score:2)
Re:Ahem, PAM (Score:1)
Re:Ahem, PAM (Score:2)
Re:Ahem, PAM (Score:5, Informative)
Re:Ahem, PAM (Score:2, Informative)
AFAIK not - fingerprint is just "convert black&white image to curves, find markers (like end of "line", join of 2 lines etc.) and save relative position of these markers. In fact fingerprint "image" is usually a few 10s of bytes!
Yes, this is true. It depends on the system used, but the one I know works like this. Once acquired as a real image, a complex algorithm is invoked to convert the image into a set of coordinates that represent different interesting points in the fingerprint.
A match is a % of sa
What? (Score:2)
Can you explain further.
Re:What? (Score:2)
Re:Ahem, PAM (Score:2)
Re:Ahem, PAM (Score:5, Insightful)
If the above reasons are enough to warrant the extra layer of indirection, I do not know. But saying that there are _no_ advantages to making a general purpose API is plainly false. It's a simple tradeoff.
Re:Ahem, PAM (Score:2, Interesting)
That's stupid. There is nothing like a "PAM killer" on the horizon in the next 1-2 years! And there is no need for it - AFAIK PAM architecture is very clever and there are no "system design limitations" (but I'm NOT a PAM expert - if I'm wrong, please correct me!)
Better portability to systems that don't use PAM. QNX, ReactOS, Windows, MacOS, the world is a big place...
AFAIK MacOS is using PAM (or not?). An
Re:Ahem, PAM (Score:2)
Sometimes rolling your own API just adds to bloat.
Re:Ahem, PAM (Score:2)
Re:Ahem, PAM (Score:2)
No, it's NOT stupid. The grandparent poster is right. I'm a network admin for a research center of about 300 people. We have servers running software that is 10 years old. We have servers that came online Friday. I'm trying to move the oldest software to retirement, but the user accounts and access rights are murder to migrate to anything new because those systems were never built to be modular.
Remember Y2K? Two d
Re:Ahem, PAM (Score:2)
Maybe for someone your age, 1-2 years is a long time. However, in a large part of the real world, applications take 2-3 years to develop, and then have a life of 10-20 years, during which time, ALL the technology used during development becomes obsolete, and much of it is replaced, as part of "routine maintenance".
Some of it isn't replaced, because the new hardware is worse than the old - hence the amount of 10 year old kit still in dai
Re:Ahem, PAM (Score:2)
Re:Ahem, PAM (Score:2)
PAM has been in use in multiple *nix environments for a long time. PAM will quite likely outlive the fingerprint-auth-fad. You write a simple interface library/module to get at the fingerprint reader, and from there you write on top of that a PAM module, Firefox plugin, etc. There's no need for whatever this overdone BioAPI thing is.
Re:Ahem, PAM (Score:2)
The problem is that there are a whole lot of vendors making these devices. Then there are a whole lot of operating systems, and a whole lot of applications which want to use these devices.
So what you need in the middle is a cross-platform interface which the vendors can conform to, and the application developers can use.
PAM is pretty far from cross-platform, and BioAPI's entire point is to be that "simple interface" to get at the readers.
Re:Ahem, PAM (Score:5, Informative)
No. For example, the OpenSSH server needs explicit support for GSSAPI to support Kerberos Single Sign On. That could not be done within PAM.
Re:Ahem, PAM (Score:2)
Why wouldn't it be able to?
Re:Ahem, PAM (Score:2)
The design of Kerberos is that you have a client, a server, and a trusted third party called the KDC. The third party has a copy of your password. On the client you use your password to obtain a ticket from the KDC, without actually transmitting your password to the KDC. The ticket is then used to authenticate
Re:Ahem, PAM (Score:2)
Thanks.
Re:Ahem, PAM (Score:3, Interesting)
No, you just don't understand what is being discussed here.
That is not Kerberos Single Sign On. Read the man page for sshd_config, in particular the section on GSSAPI authentication.
Re:Ahem, PAM (Score:1)
I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad
It appears as though you're unfamiliar with the technology.
At least with the fingerprint sensors I used (Authentec) the goal was to generate a biom
Re:Ahem, PAM (Score:1)
Well, you can have various modules handling 'password' management groups. For example, pam_pwcheck.so lets you have MD5 hashes and checks the passwords for uniqueness, against a dictionary, meets minimum security requirements, etc.
Generally, though, things like pam_pwcheck.so can plug into things like the Linux CryptoAPI; they don't have to handle MD5 hashes internally. In fact, I think that pam_pwcheck.so does use CryptoAPI if it's available.
So that's where BioA
Ahem, rubber surgical gloves. Biometrics are crap. (Score:2)
But there's no point using fingerprints for authentication. They've been widely discredited. Most commercial fingerprint readers can be fooled with a surgical glove filled with warm water. If you really wanted to you could print a replica of the print (which people tend to expose readily) but in most cases, the print from the last user is left on the device and you don't even need to.
The only biometric I can see being remotely useful is data on fingernails (see boingboing recent
Re:Ahem, rubber surgical gloves. Biometrics are cr (Score:2)
This is great news because... (Score:3, Funny)
Re:This is great news because... (Score:1)
By the way, biometrics & DRM ? (Score:2, Insightful)
Re:By the way, biometrics & DRM ? (Score:2, Insightful)
Mod parent insightful! DRMing content according to the buyer's fingerprint pattern is an excellent way to make sure they are the only person using the content. Oh and as a side effect, M$ and [insert other evil DRM proponents here] would get to see your fingerprint ...
Spooky indeed.
Re:By the way, biometrics & DRM ? (Score:1)
Re:By the way, biometrics & DRM ? (Score:2, Informative)
To answer the question: No. (Score:4, Informative)
Re:To answer the question: No. (Score:2, Informative)
Re:To answer the question: No. (Score:1, Funny)
All biometric solutions I've seen use the OmniPass software from Softex that needs to be installed first. Just plugging one of those fingerprint scanners in your computer (e.g. APC Biopod) does nothing without installing the software.
Re:To answer the question: No. (Score:1)
I mean, who buys computers with preloaded operating systems, drivers and productivity suites these days?
Re:To answer the question: No. (Score:1)
Re:To answer the question: No. (Score:2, Funny)
The combination of open sores and a finger scanner doesn't sound too hygienic to me.
I guess if I had a fingerprint scanner I'd want to clean it regularly if people are going to start trying to use it randomly...
Re:To answer the question: No. (Score:2)
But of course, this is slashdot, lot of things can't be taken seriously here
Peace
Finally... (Score:1, Insightful)
Finally... (Score:3, Insightful)
Re:Finally... (Score:2, Insightful)
Except you couldn't switch to using only biometric authentication (not until they get a little DNA blood pinprick scanner thingy, anyway), so the best place for biometric authentication is as an added layer of protection on top of the 20 regularly-rotated random passwords stored in your brain.
Yes, my tin foil hat fits very nicely thankyouverymuch.
Re:Finally... (Score:1)
That wouldn't be a first (Score:3, Interesting)
Re:That wouldn't be a first (Score:2)
So what's the difference for a user between Windows' installable drivers and Linux' kernel-compiled drivers?
Every time a driver gets updated or a new driver is released for EITHER OS, it will require some sort of installation.
So Linux may come supplied with the driver inside a precompiled kernel, what's the difference with a Windows installation disk
Re:That wouldn't be a first (Score:2, Informative)
To the end user, all they have to do is install their linux distribution and it just works.
I've been using Linux for a while now (Red Hat 6.2 was my first). When I first started, you kinda had to plan your hardware for linux or hope it would work. Today, I don't think twice a
Re:That wouldn't be a first (Score:3, Informative)
Generally, what will happen is that a distribution will ship with a somewhat minimal kernel and a bunch of kernel modules that take care of different things, e.g. USB devices, iptables modules (adds functionality to the firewall), drivers, and so on. So no, if you don't want to do things the hard-ish way, there's no need to ever compile a kernel.
Anyone on breaking the biometric authentication? (Score:3, Interesting)
Re:Anyone on breaking the biometric authentication (Score:1)
Check out the work on biometrics at the CCC Berlin [berlin.ccc.de]. Lots of links too, but mostly German. They have a guy who managed to build fake fingerprints with a thin layer of ordinary wood glue. I know it sounds silly, but I have seen it work. Here [www.ccc.de] is a summary in English.
Re:Anyone on breaking the biometric authentication (Score:2)
All you need is some fingerprinting dust and some clear tape. Dust the laptop (paying particular attention to the central keys on the keyboard where the index finger is most likely to be used, but try the back too, as that might have been brushed off recently, then picked up firmly using several identifiable fingers), pick up a selection of fingerprints with the tape, et voila.
Unless, of course, you always wear gloves
Re:Anyone on breaking the biometric authentication (Score:2)
So big brother will run on Linux... (Score:3, Interesting)
I am reminded that when I was reading Stallman's The Right To Read [gnu.org] (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book [slashdot.org]), I wondered why it didn't include biometrics. That would have prevented the happy ending.
Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.
For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.
Re:So big brother will run on Linux... (Score:2)
Re:So big brother will run on Linux... (Score:1, Informative)
http://www.kronos.com/uk/profiles/mfi_uk.htm [kronos.com]
Re:So big brother will run on Linux... (Score:2)
Re:So big brother will run on Linux... (Score:2)
if you don't like Big Brother, don't compile him..
Likely SuSE, RH et al will play the PlaySafe card in order to meet hw vendor obligations, and so will likely ship with the kind of DRM that prevents use of restrictively copyrighted media. Similarly, they will be fighting to be the first distro to support biometrics for laptops. If you don't like this sort of carry on, grab the kernel sources, RTFM and ensure the offending 'Y' is not in your
Wake up Timothy (Score:1)
Re:Wake up Timothy (Score:1, Flamebait)
And not to mention the disaster recovery feature - the notebook automatically sends user's fingerprint scan to an IP address in China.
Re:Wake up Timothy (Score:1)
All essential hardware (wlan, lan, graphics, sata, etc.) is working out of the box (Ubuntu Hoary) with this one. Way to go IBM/Lenovo!
*Bah*, fingerprint scanning is yesterdays news... (Score:5, Insightful)
I'd imagine the patterns in our eyes are more difficult to duplicate for nefarious purposes than our fingerprints, which (besides the cool factor) would mean increased security... On the other hand, I'd rather have the arch-villain chop off my finger than carve out my eyeball.
Re:*Bah*, fingerprint scanning is yesterdays news. (Score:2)
DUPE!!!! (Score:1)
Here's a guy that won't be using it! (Score:3, Informative)
OK, so the Merc was worth USD 75,000 to the thieves, a little more than a laptop. But if a dead finger works, a plastic replica would work as well. Before using a system like this, it may be worth considering the value that the data on a laptop might have to unscrupulous rivals ...
Is it worth this kind of horror to protect the laptop itself? There are easier and better ways to protect *data*.
Re:Here's a guy that won't be using it! (Score:1, Insightful)
Re:Here's a guy that won't be using it! (Score:2)
methods can be circumvented fairly easily without even chopping a finger off.
Password renewal (Score:3, Interesting)
Re:Password renewal (Score:2)
Wouldn't a password be better? (Score:3, Insightful)
http://www.theregister.co.uk/2002/05/16/gummi_bea
Actually, Mac OS 9 shipped with biometric ID (Score:1)
Ipaqs (Score:1)
Re:Ipaqs (Score:3, Informative)
Basically, the ability to detect a fake fingerprint with a casual t
Re:Ipaqs (Score:3, Informative)
The FingerChip(tm) has been doing exactly this since about 1998 or earlier (that's 7+ years). The FingerChip is about 1mm x 8mm in size (about 1/2" long, about the width of a wooden matchstick). I think the company sold its technology to someone
Re:Ipaqs (Score:2)
I have difficulty believing your claim: I can believe the manufacturer makes the claim and does a demo, but I want to see it with the Gummy Fingers described elsewhere.
What about AuthenTec? (Score:2)
When will hardware companies realize that providing documentation and software increases sales?
Use of finger-prints !=security (Score:2)
If the server where the passwords are stored is insecure, then the passwords are insecure!
The only benefit that fingerprint scanners offer is the instant ability to have 10 different passwords "at your fingertips"!
Downside: I have to label each of my fingers so I know which password belongs to which site. Well, there's one finger that I don't need to label, that special middle finger is reserve
Re:Use of finger-prints !=security (Score:4, Informative)
Unfortunately, fingerprint authentication does NOT satisfy government requirements (not to mention the inherent insecurity should you ever be prosecuted).
CFR 21 part 11 (Code of Federal Regulations governing electronic signatures) mandates that you have to have at least 2 out of 3 things to be said to have securely authenticated:
If any system is compromised, and 2 out of the 3 above are used, then there is a conspiracy (like you gave your keycard and password to someone else).
The issue about security when prosecuted, is that your physical body (fingerprints as well) are subject to "search and seizure" if you are ever arrested (even if 100% innocent). There was a case that went to the Supreme Court (which I can't recall the name of) where a man argued that his fingerprints were "property", and until he waived his rights to his property, he could not be fingerprinted. I'm not sure how that turned out though.
Basically if you're arrested and they fingerprint you, they could just as easily scan in your fingerprints electronically and "replay" those back later to gain access to your biometric laptop or other devices.
Best to use 2 out of the 3 (or 3 out of the 3) above, so they can't gain access to your protected data without your approval or consent.
Re:Use of finger-prints !=security (Score:2)
Can you be more specific about where this is in the final rule? All I can find is references to requiring 2 components for identification unless the signature is based on biometric
Re:Use of finger-prints !=security (Score:2)
Chip H.
man finger (Score:2)
strider44@strider44:~$ finger strider44
Login: strider44 Name: strider44
Directory:
How it works on Windows XP (Score:2, Insightful)
When configuring the system, you provide original prints from any number of your fingers. It suggests you provide 2 of them. Then, you just have to slowly pass any of the fingers on the sensor for it to authenticate you. So for instance, you could make sure you have an electronic print of your right index finger and of your left ring finger. I suppose the redundanc
Re:How it works on Windows XP (Score:2)
Just received a T42 last week. Just installed the software now. Took a total of about 5 minutes to install the IBM software, which replaces the Windows Login Screen (so it does require one reboot).
Next thing you select your account (and input your password), tell it which fingers you wish to enroll to link to that account, and presto. It seems to shave a second or two off whenever I need to unlock my workstation after the screen saver comes on. Nice!
re: "the day you nicked you finger doing DIY" (Score:2, Funny)
Digital Persona Support (Score:2, Interesting)
Fingerprint, schmingerprint (Score:2)
Are fingerprints unique? (Score:2)
Madrid bombing suspect (Score:2)
Good Point - Re:Madrid bombing suspect (Score:2)
use the foot luke (Score:2, Insightful)
ewe sorry, this is going in the wrong direction.
Private Eye (Score:2)
Biometrics are not as secure as most think! (Score:2, Insightful)
Those who think biometrics are better than password systems, ought to think twice. While passwords can be changed when compromised, biometrics cannot.
There is a scene in a James Bond movie where JB uses a glass eyeball that has someone's retina pattern in it to gain access to a secure building. Also, all biometrics must be converted to some digital pattern. How long will it be before some malicious person gets these digital patterns and figures out how to plug them into the software that authenticates th
The sky is falling! (Score:2)
The fingerprint scanner is a convenience, and is actually pretty finicky (e.g. it won't work until your fingertips unwrinkle after a shower). I have one, and seldom use it, because it's faster/more reliable for me to type the pa
Good Machine (Score:2)
Ummm... (Score:2)
"Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"
So sorry, just not going to be the case.
Re:Obviously not (Score:1)
Re:Obviously not (Score:1)
Re:Obviously not (Score:1)