neurotechnology.com

[cohnjarmack]

Hi,

I wanted to understand the security implications of storing the extracted binarized template in a DB. Is it possible to reconstruct a fingerprint image if someone gets access to this template? Would it be possible to reconstruct if they had access to the Neurotechnology SDK? Would encrypting this template be a good idea?

Thanks,
Cohn

[MartynasV]

Hi,

I wanted to understand the security implications of storing the extracted binarized template in a DB. Is it possible to reconstruct a fingerprint image if someone gets access to this template? Would it be possible to reconstruct if they had access to the Neurotechnology SDK? Would encrypting this template be a good idea?

Thanks,
Cohn

Hello Cohn,

Is it possible to reconstruct a fingerprint image if someone gets access to this template?

No.

Would encrypting this template be a good idea?

We have couple clients who done that(all others store as it is), but you won't be able to use MegaMatcher Accelerator nor NServer with encrypted templates.

[cohnjarmack]

Thanks for the reply.

What exactly is stored in the template (If the answer is does not divulge proprietary information )?. And what all security precautions would you recommend for storing these templates?

Also, is there any way someone can do a replay attack if they get access to the template, against another client who also uses the VeriFinger SDK?

We are planning to start using the VeriFinger SDK for our application (Without MegaMatcher Accelerator or NServer), and are doing a security validation as a last check to ensure that we do not leak customer biometric information somehow.

Thanks,
Cohn.

[MartynasV]

Thanks for the reply.

What exactly is stored in the template (If the answer is does not divulge proprietary information )?. And what all security precautions would you recommend for storing these templates?

Also, is there any way someone can do a replay attack if they get access to the template, against another client who also uses the VeriFinger SDK?

We are planning to start using the VeriFinger SDK for our application (Without MegaMatcher Accelerator or NServer), and are doing a security validation as a last check to ensure that we do not leak customer biometric information somehow.

Thanks,
Cohn.

Template contains extracted biometric features like minutiaes, cores, etc. You can access that data using our SDK.
If you are sending template over network, then you should encrypt that data or use some secure method, but we never bothered about encryption, as database or MMA server(has database inside) should be stored in secure location.

[cohnjarmack]

Understood.

The question I was trying to ask was what sort of damage can be done if someone gets access to the template?

Thanks,
Cohn

[MartynasV]

Understood.

The question I was trying to ask was what sort of damage can be done if someone gets access to the template?

Thanks,
Cohn

Hello Cohn,

First, as I already mentioned, template doesn't contain image(it can't be printed and silicon finger made from it). Template contains minutiaes, in theory you could take them and create fingerprint image(not the same as original), which could be later extracted with the same result(template). If you store those templates in secure database, then there is nothing to worry about. Even if somebody got their hands on templates, there is pretty much nothing they can do.