Re: Driver for Microsoft USB Fingerprint Reader

From: Daniel Drake
Date: Thu Jul 06 2006 - 08:20:28 EST


linux@xxxxxxxxxxx wrote:
I utterly fail to see why multiple, generally knowledgeable people are
claiming that encryption in a fingerprint scanner is desirable.

As far as I can tell, the only thing you want is AUTHENTICATION - you
want proof that you are getting a "live" scan taken from a user
who's present, and not a replay of what was sent last week.

This is called "freshness" and is usually provided by including a
random "nonce" (known in other contexts as "magic cookie") in the
authenticated data.

The Digital Persona readers apparently use a challenge-response authentication scheme for the encryption. I think I know the challenge-sending and response-reading command structure but have not yet examined their effect on the encrypted fingerprint data.

Not that I expect "A-1 Computer Corporation" in Shenzhen to have a clue
about these things, but you'd think that Microsoft would have one or
two competent employees left on the payroll.

Now theres an interesting story in this area. The Microsoft fingerprint readers are based on Digital Persona devices, and actually they seem to be completely identical. But when comparing bus traffic for the DP devices vs the MS devices, the DP devices send encrypted fingerprint data and the MS devices send it as unencrypted 8-bit greyscale.

Anyway, further investigation shows a 1 bit difference in the firmware uploaded to each device, and I have confirmed that this bit turns encryption on and off.

IOW, MS's device are capable of encryption but they explicitly turned it off at the firmware level.

Daniel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/