Date: Wed, 8 May 2019 11:19:29 +0200 (CEST)
From: Roman Drahtmueller <draht@...altsekun.de>
To: oss-security@...ts.openwall.com, Seong-Joong Kim <sungjungk@...il.com>
Subject: Re: Re: fprintd: found storing user fingerprints without encryption

>> Dear all,
>>
>> I would like to report a vulnerability of 'fprintd'.
>>
>> 'fprintd' does not encrypt sensitive information before storage.
>> *CWE-311: Missing Encryption of Sensitive Data*

[...]

This misses the point.

* Encryption shifts the problem to protecting the symmetric key, which
   is the very same problem. => Encryption solves other problems, but not
   this one.
* If you have sufficient privileges to access the fingerprint data,
   then you no longer need the data.
* You can't "safeguard" the fingerprint data by applying additional O/S
   controls such as SELinux, AppArmor, etc, you can only add more useful
   privilege transitions and protect against attacks that exploit
   implementation errors. Google "store fingerprint data ios android",
   there are suitable solutions.

Mostly: Your fingerprint is not a secret like a password, it is a username.

Since you can't change the fingerprint (biometrics problem), it is not 
very useful as a single authentication factor. Either you live with 
this, or you combine the fingerprint with a different authentication 
factor type.

Roman.
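The first bullet of the reply (encrypting the stored template only moves the problem to protecting the symmetric key) can be made concrete with a small simulation. The following is an added illustration, not code from the original thread and not fprintd's own storage code: the in-memory filesystem, the file paths, the owning uid and the SHA-256 keystream cipher are all constructed assumptions. It enrolls the same template twice, once in the clear and once encrypted with a key kept next to it under the same permissions, and then asks which uids can recover the template in each case.

```python
import hashlib
import secrets


# Constructed stand-in for a host filesystem: path -> (owner_uid, bytes).
# Only root (uid 0) or the owning uid can read a file, mimicking mode 0600.
class HostFS:
    def __init__(self):
        self._files = {}

    def write(self, path, data, owner_uid):
        self._files[path] = (owner_uid, bytes(data))

    def read(self, path, as_uid):
        owner, data = self._files[path]
        if as_uid not in (0, owner):
            raise PermissionError(f"uid {as_uid} cannot read {path}")
        return data


# Toy keystream cipher (SHA-256 in counter mode) so the example runs on the
# standard library alone; it stands in for AES here and is not a recommendation.
# XOR-ing twice with the same key restores the plaintext.
def keystream_xor(key, data):
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# Assumed layout: the daemon owns both files and runs as root (uid 0).
TEMPLATE_PATH = "/var/lib/fprint/template"
KEY_PATH = "/var/lib/fprint/key"
DAEMON_UID = 0


def enroll_plain(fs, template):
    fs.write(TEMPLATE_PATH, template, DAEMON_UID)


def enroll_encrypted(fs, template):
    # The key has to live somewhere the daemon can read it at match time,
    # so it ends up on the same filesystem under the same protection.
    key = secrets.token_bytes(32)
    fs.write(KEY_PATH, key, DAEMON_UID)
    fs.write(TEMPLATE_PATH, keystream_xor(key, template), DAEMON_UID)


def recover_plain(fs, as_uid):
    try:
        return fs.read(TEMPLATE_PATH, as_uid)
    except PermissionError:
        return None


def recover_encrypted(fs, as_uid):
    # Whoever can read the ciphertext can read the key beside it, so the
    # decryption step adds no barrier that the file permissions did not.
    try:
        key = fs.read(KEY_PATH, as_uid)
        return keystream_xor(key, fs.read(TEMPLATE_PATH, as_uid))
    except PermissionError:
        return None


def who_can_read(enroll, recover, template, uids=(0, 1000, 1001)):
    """Return the set of uids that recover the exact template."""
    fs = HostFS()
    enroll(fs, template)
    return {uid for uid in uids if recover(fs, uid) == template}


if __name__ == "__main__":
    template = b"constructed-fingerprint-template-bytes"
    plain = who_can_read(enroll_plain, recover_plain, template)
    enc = who_can_read(enroll_encrypted, recover_encrypted, template)
    print("readers of plaintext store :", sorted(plain))
    print("readers of encrypted store :", sorted(enc))
    print("same set of principals     :", plain == enc)
```

Both stores are readable by exactly the same principals, which is the point of the reply: the set of uids that can obtain the template is decided by the privilege boundary around the files, not by whether an encryption step sits in front of them. Changing that set means putting the key, or the matching itself, behind a boundary the reader of the data cannot cross, which is what the "suitable solutions" on phones do rather than encrypting with a locally stored key.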
