[liberationtech] iPhone5S Fingerprint and 5th amendment

Peat Bakke peat at
Wed Sep 11 09:51:11 PDT 2013

Awesome. That's plenty for me to chew on. I'm satisfied for now. :)

Thanks, Eugen!

On Wed, Sep 11, 2013 at 9:35 AM, Eugen Leitl <eugen at> wrote:

> On Wed, Sep 11, 2013 at 09:20:56AM -0700, Peat Bakke wrote:
> > > This is likely subject to a precompiled hash lookup table attack,
> > > as the number of all possible fingerprints, quantized via a
> > > classification vector is not that large.
> >
> > Can you give us a better idea of how large "not that large" is?
> I thought there was insufficient variability so there could
> be dupes within the world population of mere 7 gigamonkeys,
> but that might be wrong,
> given
> See FBI Appendix F specifications in
> 500 pixels per inch or 1000 ppi at 8 bits per pixel. Capture size 1.6" x
> 1.5" (600 Kpixels) for roll finger or 1" x 2" for thumb (500 Kpixels).
> But once you threshold the images, you effectively get rather less than 1
> bit per pixel, as there's a lot of correlation between pixels. Also
> rotations all count the same. My fingers have more like 50 ridges per
> inch. But that's still a *lot* of possible values.
> After extracting the minutiae, there's rather less information held. One
> finger reader I have states the software extracts between 10 and 70
> minutiae points, held as (x,y) vectors, in a transform claimed to be
> non-reversible. If coordinates are accurate to 6 bits, that means 10 x
> (6+6) bits = 120 bits minimum. Still allows for significantly more
> possible prints than the world population.
> See also Sir James Crosby's report, suggesting that only non-unique
> digital representations should be stored. This would allow the master
> copy in the database to be replaced with another version, so would
> provide some limited options to "change" a compromised fingerprint.
> Uniqueness of fingerprints?
> Posted Apr 6, 2008 11:32 UTC (Sun) by man_ls (guest, #15091)
> Hmmm... doesn't the principle behind the Birthday paradox apply here? Even
> if there are 366 days in a year, the probability of two people having the
> same birthday reaches 0.5 with a group of only 23 people. Therefore you would
> only need roughly the square root of the number of possibilities to find a
> collision.
> With 120 bits you are still safe, since the world population is about
> 2^32. But the security factor is not as high as it would seem. Surely we
> don't expect all values to be as likely, as with birthdays; if they tend to
> cluster around certain values (some kinds of fingerprint configurations are
> more probable than others) then collisions become increasingly likely.
> > Rainbow tables are always a problem, but I suspect that there's more
> > diversity in those vectors than in user generated passwords.

Peat Bakke
(503) 701-4135
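
The arithmetic from the quoted discussion, worked through as an added example (not code from either poster): the 10 x (6+6) bit template size, the birthday-bound collision probability across the 7 billion population mentioned in the thread, and how clustering reduces the effective bits. Function names and the skewed 12-bit distribution are constructed for illustration, and the clustered case uses collision (Renyi-2) entropy as an approximation.

```python
import math

WORLD_POPULATION = 7_000_000_000  # "7 gigamonkeys" from the thread


def template_bits(minutiae, coord_bits=6):
    """Raw size of a template holding (x, y) minutiae at coord_bits each."""
    return minutiae * 2 * coord_bits


def collision_probability(n, bits):
    """P(some two of n people share a template), uniform over 2**bits values."""
    # Birthday approximation 1 - exp(-pairs / N); expm1 keeps tiny values exact.
    pairs = n * (n - 1) / 2
    return -math.expm1(-pairs / 2.0 ** bits)


def bits_for_even_odds(n):
    """Template size at which a collision among n people is a coin flip."""
    # Solve 1 - exp(-pairs / 2**b) = 0.5, giving 2**b = pairs / ln 2.
    pairs = n * (n - 1) / 2
    return math.log2(pairs / math.log(2))


def effective_bits(probabilities):
    """Collision entropy -log2(sum p_i^2) of a non-uniform template distribution."""
    return -math.log2(sum(p * p for p in probabilities))


def constructed_skew():
    """Constructed sample: 12-bit space where half of all prints hit 64 values."""
    common = [0.5 / 64] * 64
    rare = [0.5 / (4096 - 64)] * (4096 - 64)
    return common + rare


if __name__ == "__main__":
    bits = template_bits(10)
    print("minimum template size:", bits, "bits")
    print("collision probability at that size:",
          collision_probability(WORLD_POPULATION, bits))
    print("bits where a collision is 50% likely:",
          round(bits_for_even_odds(WORLD_POPULATION), 1))
    print("effective bits of skewed 12-bit sample:",
          round(effective_bits(constructed_skew()), 2))
```

Feeding `effective_bits` into `collision_probability` shows how quickly the margin shrinks once the real distribution of templates is known to be clustered.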