Effectively what I think needs to happen, is the device takes the finger print, and then needs to call via the browser the PHP authentication page, passing the biometric construct in the post request. The PHP page will then authenticate against an LDAP directory, generating a session (I think) against the authenticated construct.
I have never tried this kind of stuff before - anyone got any experience or knowledge of working solutions for this?
Biometric systems can be circumvented, using for example gelatin (finger moulds) or intercepting the digital fingerprint (somewhere in the system). And of course if one is intercepted, you cannot get someone to change their fingerprint...
Since the biggest threat to biometric security stuff is replay, you may need a password as well. Biometrics may provide a unique identifier but they are not secrets. And if you have to have a password you may as well have a username (or just use the password) ;)
I haven't implemented any biometric systems, but the consensus appears to be that you must tune a system towards a false positive bias or a false negative bias. If the "kiosk" is remote, you may be forced to bias towards false positives.
mattur, yeah I am aware of the gelatin trick, but the researchers at Cambridge Uni where they tested the exploit went to quite a bit of trouble to get it working and it wasn't simple, so I'm not unduly concerned regarding this.
The suggestion of a password is fine except a user can't be asked to enter a password when they just want to authenticate to unlock a door!
Intercepting the biometric construct itself really is a non-issue, as it would be passed as part of at least a 128-bit SSL session, and if you can get past that then the rest of the system is wide open anyway ;)
My current line of thinking is:
The browser has its home page set to the HTTPS login page - with hidden form fields. Using a Firebird extension, we take the biometric construct, pass it directly into the browser's hidden fields and use the browser's internal 'Post' command to submit the form. Then the PHP script handles the rest. The 'Logout' command destroys the session and calls the browser's internal home page. There'll be no URL bar or nav buttons, so that will prevent any client-side manipulation of URLs.
I'd better go and read the extension dev notes for Firebird now ;)
[edited by: jatar_k at 6:58 pm (utc) on May 29, 2003]
[edit reason] delinked [/edit]
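An added sketch (not from the thread or any poster) of the PHP page the design above hands the POST to, with the replay concern raised earlier addressed by a single-use nonce bound to the browser session. It assumes the login page stored that nonce in the session and echoed it as a hidden field, that the kiosk POSTs fields named `uid`, `nonce` and `bio`, that the enrolled template lives in a hypothetical `fingerTemplate` LDAP attribute, and that `match_template()` stands in for the vendor SDK's matcher.

```php
<?php
// Added example: server side of the kiosk login design (assumptions listed in the lead-in).
// The login page is assumed to have run: $_SESSION['login_nonce'] = bin2hex(random_bytes(16));
declare(strict_types=1);
session_start();

const LDAP_URI  = 'ldaps://ldap.example.internal';            // placeholder host
const LDAP_BASE = 'ou=people,dc=example,dc=internal';          // placeholder base DN
const BIND_DN   = 'cn=kiosk,ou=services,dc=example,dc=internal';
const BIND_PW   = 'CHANGE-ME';   // keep the real value in config outside the web root

function match_template(string $enrolled, string $presented): bool {
    // Placeholder for the fingerprint SDK's matcher; a constant-time byte
    // comparison stands in so the flow runs end to end.
    return hash_equals($enrolled, $presented);
}

function fail(string $why): void {
    error_log("kiosk login rejected: $why from " . $_SERVER['REMOTE_ADDR']);
    http_response_code(403);
    exit('Access denied');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail('not POST');

// Replay defence: the nonce is consumed on first use, so a captured POST is worthless.
$nonce = $_SESSION['login_nonce'] ?? null;
unset($_SESSION['login_nonce']);
if ($nonce === null || !hash_equals($nonce, $_POST['nonce'] ?? '')) fail('bad nonce');

$uid = $_POST['uid'] ?? '';
$bio = base64_decode($_POST['bio'] ?? '', true);   // construct sent base64-encoded
if (!preg_match('/^[a-z0-9._-]{1,32}$/i', $uid) || $bio === false) fail('bad input');

$ds = ldap_connect(LDAP_URI);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!@ldap_bind($ds, BIND_DN, BIND_PW)) fail('ldap bind');

// Fetch the enrolled template; ldap_escape() keeps uid from altering the filter.
$filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
$res = ldap_search($ds, LDAP_BASE, $filter, ['fingerTemplate']);
$e = ldap_get_entries($ds, $res);   // attribute keys come back lowercased
if ($e['count'] !== 1 || empty($e[0]['fingertemplate'][0])) fail('no such user');

if (!match_template($e[0]['fingertemplate'][0], $bio)) fail('no match');

session_regenerate_id(true);        // new session id once authenticated
$_SESSION['user'] = $uid;
$_SESSION['auth_at'] = time();
echo 'Unlocked for ' . htmlspecialchars($uid);
```

The 'Logout' step from the design maps to `session_destroy()` followed by a redirect to the login page, which issues a fresh nonce.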
You are quite right about the gelatin attack, for some reason I was thinking it was the same team that did the cashpoint/ATM PIN number attacks at Cambridge...
I need a holiday ;)