Biometric authentication with PHP
4:25 pm on May 28, 2003 (gmt 0)
Here's a juicy one for you guys. I am writing a kiosk-based PHP web application for a client (using Mozilla Firebird), and want to provide fingerprint authentication to my PHP script.
Effectively, what I think needs to happen is the device takes the fingerprint, and then needs to call the PHP authentication page via the browser, passing the biometric construct in the POST request. The PHP page will then authenticate against an LDAP directory, generating a session (I think) against the authenticated construct.
I have never tried this kind of stuff before - anyone got any experience or knowledge of working solutions for this?
4:29 pm on May 28, 2003 (gmt 0)
The logic sounds right; the technology is where I can't help. The challenge, I think, is getting the biometrics to talk to the browser in an exchange that the browser can handle, similar to barcode scanners.
4:47 pm on May 28, 2003 (gmt 0)
Very cool project!
What does a biometric construct look like? An MD5 hash?
(edit - spelling fix)
5:13 pm on May 28, 2003 (gmt 0)
Since the fingerprint stuff is client side, I would speculate that the best way would be to have a platform-native app, possibly with an embedded browser(?)
Biometric systems can be circumvented, using for example gelatin (finger moulds) or intercepting the digital fingerprint (somewhere in the system). And of course if one is intercepted, you cannot get someone to change their fingerprint...
Since the biggest threat to biometric security stuff is replay, you may need a password as well. Biometrics may provide a unique identifier but they are not secrets. And if you have to have a password you may as well have a username (or just use the password) ;)
I haven't implemented any biometric systems, but the consensus appears to be that you must tune a system towards a false positive bias or a false negative bias. If the "kiosk" is remote, you may be forced to bias towards false positives.
6:25 pm on May 28, 2003 (gmt 0)
grifter - this bit is probably about 5% of the 'coolness' of the whole thing. From our research I think this may be a world first, so if the client goes with it I'll post all the details here ;)
mattur, yeah I am aware of the gelatin trick, but the researchers at Cambridge Uni where they tested the exploit went to quite a bit of trouble to get it working and it wasn't simple, so I'm not unduly concerned regarding this.
The suggestion of a password is fine except a user can't be asked to enter a password when they just want to authenticate to unlock a door!
Intercepting the biometric construct itself really is a non-issue, as it would be passed as part of at least a 128-bit SSL session, and if you can get past that then the rest of the system is wide open anyway ;)
My current line of thinking is:
The browser has its home page set to the HTTPS login page, with hidden form fields. Using a Firebird extension, we take the biometric construct, pass it directly into the browser's hidden fields and use the browser's internal 'Post' command to submit the form. Then the PHP script handles the rest. The 'Logout' command destroys the session and calls the browser's internal home page. There'll be no URL bar or nav buttons, so that will prevent any client-side manipulation of URLs.
I'd better go and read the extension dev notes for Firebird now ;)
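The flow sketched in the post above (HTTPS login page with hidden fields, extension fills the construct and submits, PHP looks the user up in LDAP and opens a session, logout destroys it), written out as an added example. This is not code from the thread or from any participant's project; it targets modern PHP (7.0+ with ext/ldap) rather than the 2003 stack. The LDAP host, base DN, service bind credentials, the attribute name `fingerprintId`, and the hidden field name `biometric` are all assumptions. It also assumes the reader device or its matcher emits a stable identifier per enrolled finger that can be compared for equality; a real matcher compares templates with a threshold, which is a separate component this example does not model.

```php
<?php
// Added example, not from the original thread. Assumed/hypothetical names:
// LDAP_URI, LDAP_BASE, LDAP_BIND_DN/PW, the 'fingerprintId' attribute, and
// the 'biometric' hidden field the Firebird extension is expected to fill.
// Serve this file only over HTTPS.

const LDAP_URI     = 'ldaps://ldap.example.internal';                 // assumption
const LDAP_BASE    = 'ou=people,dc=example,dc=internal';              // assumption
const LDAP_BIND_DN = 'cn=kiosk,ou=services,dc=example,dc=internal';   // assumption
const LDAP_BIND_PW = 'replace-me';        // assumption; load from config in practice
const BIO_ATTR     = 'fingerprintId';                                 // assumption
const HOME_PAGE    = '/login.php';        // the kiosk browser's home page

session_start();

// One-time nonce embedded in the hidden form, so a captured POST body cannot be
// resubmitted as-is. It binds a submission to the page load that issued it.
function issue_nonce(): string {
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['login_nonce'] = $nonce;
    return $nonce;
}

function consume_nonce(?string $posted): bool {
    $expected = $_SESSION['login_nonce'] ?? null;
    unset($_SESSION['login_nonce']);   // single use, whether or not it matches
    return $expected !== null && $posted !== null && hash_equals($expected, $posted);
}

// Find exactly one directory entry whose BIO_ATTR equals the posted construct.
// The value is filter-escaped so the construct cannot alter the LDAP query.
function lookup_user(string $construct): ?string {
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) return null;
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds, LDAP_BIND_DN, LDAP_BIND_PW)) return null;
    $filter  = '(' . BIO_ATTR . '=' . ldap_escape($construct, '', LDAP_ESCAPE_FILTER) . ')';
    $sr      = ldap_search($ds, LDAP_BASE, $filter, ['uid']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    ldap_unbind($ds);
    if ($entries['count'] !== 1) return null;   // no match or ambiguous match: deny
    return $entries[0]['uid'][0] ?? null;
}

function handle_login(): void {
    $construct = $_POST['biometric'] ?? '';
    $nonce_ok  = consume_nonce($_POST['nonce'] ?? null);
    $uid       = ($nonce_ok && $construct !== '') ? lookup_user($construct) : null;
    if ($uid === null) {
        http_response_code(403);
        exit('Login rejected.');
    }
    session_regenerate_id(true);       // fresh session ID once authenticated
    $_SESSION['uid']       = $uid;
    $_SESSION['auth_time'] = time();
    header('Location: /door.php');     // assumption: the page that unlocks the door
    exit;
}

// The 'Logout' command: destroy the session, drop its cookie, go back to the home page.
function handle_logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . HOME_PAGE);
    exit;
}

// Login page: hidden fields only; the extension fills 'biometric' and submits the form.
function render_form(): void {
    $nonce = htmlspecialchars(issue_nonce(), ENT_QUOTES);
    echo "<form id=\"biologin\" method=\"post\" action=\"/login.php\">\n"
       . "  <input type=\"hidden\" name=\"nonce\" value=\"$nonce\">\n"
       . "  <input type=\"hidden\" name=\"biometric\" value=\"\">\n"
       . "</form>\n";
}

if (isset($_GET['logout'])) {
    handle_logout();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_login();
} else {
    render_form();
}
```

Two caveats worth keeping in mind with this shape. The nonce only defeats replaying a captured request verbatim; someone who holds the construct itself can load the page, obtain a fresh nonce and submit, which is the "biometrics are identifiers, not secrets" point made earlier in the thread. And `lookup_user` denies on anything other than exactly one directory hit, so a duplicated or empty attribute value fails closed rather than matching the first entry returned.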
6:53 pm on May 29, 2003 (gmt 0)
asp, you seem to know a lot more about this than me - apologies if my comments were things you've already extensively researched! The gelatin stuff I was thinking of was Tsutomu Matsumoto's experiments at Yokohama University, as mentioned in www.counterpane.com/crypto-gram-0205.html#5 last year. Were these the attacks that Cambridge tried, or other attacks?
7:25 pm on May 29, 2003 (gmt 0)
mattur, on the contrary, this kind of prompt is always helpful, especially when I start confusing security research papers.
You are quite right about the gelatin attack, for some reason I was thinking it was the same team that did the cashpoint/ATM PIN number attacks at Cambridge...
I need a holiday ;)