[Fwd: Re: Biometric passphrase]

Ian Scott ian@pairowoodies.com
Sat Oct 12 23:09:02 2002


>
> On Sat, 2002-10-12 at 08:31, David Picón Álvarez wrote:
> > Hi,
> >
> >
> > > Do you have any experience with implementing biometric into gpg as
> > > passphrase. I mean to give user's biometric data from (for example
> > > fingerprint) scanner as passphrase during key generation and use it when she
> > > wants to sign or decrypt something???
> > >
> > > Advantages:
> > > -Maybe the passphrase would be more random(???)
> > > -Even she won't know the passphrase
> > >
> > > Disadvantages:
> > > -Maybe the passphrases would be in a predetermined format (according to
> > > the biometric algorithm)
> > > -she will always need a scanner to sign or decrypt
> > > -she can lose her finger or iris ;--))
> > >
> > > what do you think??
> >
> >
> >
> > Biometry is apt for certain things, but it's not good as a passphrase. The
> > ideal passphrase is both unique and secret. Biometric data are unique, but
> > not secret. Moreover, if you're going to encrypt a pgp key with biometric
> > data, make sure the data does not change at all, because exactness is
> > required, which points at biometry not being the right solution. If you're
> > just thinking of consulting the biometric device each time the user wants to
> > sign or decrypt and have the key unencrypted or not encrypt the key with the
> > biometric data, then it's a completely different issue. If you don't
> > encrypt the key, then it's vulnerable. If you do, then the biometry is just
> > a further annoying bump on the way, like a UNIX login prompt.
> >
> > --David.
>
> Another thing I was thinking about -  it's perhaps an extreme example,
> but if the content of your encrypted text is so secret that you'd be
> willing to suffer to not compromise it, a passphrase in your head is
> much more difficult to compel you to provide, whereas biometric data
> would be much easier to compel you to provide, with physical force.
>
> I believe there is a legal case that is or was before the courts in the
> U.S., where someone has been asked to provide their passphrase in
> court.  The most that can be done to the person who refuses is to
> possibly be found in contempt of court and perhaps sent to jail.
>
> If biometric data was used, such as a thumb print, then the courts could
> conceivably order that force be used upon you in order to obtain the
> information they want.  The courts do this all the time with other
> matters.
>
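To make David's "exactness is required" point concrete, here is a small added example (not from anyone in this thread): a biometric matcher tolerates a few differing bits between the enrolled template and a fresh scan, but a string-to-key function fed the same two scans produces unrelated keys, so the protected key will not unlock. The 128-bit template, the bit flips and the salt are constructed values, and PBKDF2 stands in for OpenPGP's S2K.

```python
import hashlib
import hmac

# Constructed 128-bit "template" standing in for a fingerprint feature vector.
ENROLLED = bytes.fromhex("3fa1c4e9b07d55128ee460c2d9a7f31b")
# Constructed salt, as a passphrase-protected secret key would store one.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def rescan(template: bytes, flip_positions) -> bytes:
    """Simulate a fresh scan of the same finger: a few feature bits differ."""
    bits = bytearray(template)
    for pos in flip_positions:
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def matcher_accepts(enrolled: bytes, scan: bytes, threshold: int = 12) -> bool:
    """A biometric matcher is fuzzy: accept if few enough bits differ."""
    return hamming(enrolled, scan) <= threshold


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """String-to-key (PBKDF2 here, in place of OpenPGP S2K): any input change
    gives an unrelated 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def unlock(enrolled: bytes, scan: bytes, salt: bytes) -> bool:
    """Unlocking a passphrase-protected key needs the byte-identical key."""
    return hmac.compare_digest(derive_key(enrolled, salt), derive_key(scan, salt))


if __name__ == "__main__":
    noisy = rescan(ENROLLED, [3, 40, 77])  # constructed: 3 bits of scan noise
    print("bits differing:", hamming(ENROLLED, noisy))
    print("matcher accepts noisy scan:", matcher_accepts(ENROLLED, noisy))
    print("noisy scan unlocks key:", unlock(ENROLLED, noisy, SALT))
    print("identical scan unlocks key:", unlock(ENROLLED, ENROLLED, SALT))
```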