Old 08-06-2017, 09:22 PM   #1699
photon
The new goggles also do nothing.
 
Join Date: Oct 2001
Location: Calgary

Hah!

Ostensibly, the phone doesn't actually store your fingerprint, like how websites don't store your password (or aren't supposed to). What they do is when you train the phone, it reads the data from the sensor (your fingerprint) and then passes that through a one-way algorithm called a hash. Hashes are cryptographic in nature, so they have all the benefits of cryptography, but they're also one-way, so you can't work backwards from a hash to derive the original data (which is different from encryption, where the encrypted information can be unencrypted and read).

Then when you want to unlock the phone, it reads the data from the sensor again, passes this new info through the same hash, and if the values match, you're authenticated.

So in principle they shouldn't have your fingerprints.

But there are some risks.

First, you're basically trusting Apple that they've implemented the system in the way they claim. They could say they use a one-way hash, but could put some code in to send a copy of your fingerprint to Apple anyway. And since Apple's systems are closed, it's not like security experts could go through Apple's code to verify. If Apple did do such a thing people probably would still clue into it, and Apple would be ruined if it ever came out, so the risk of this is probably low.

Second, there's been lots of talk about Apple and other big tech companies and their involvement with the NSA. If Apple is aware of and disclosed, or was even forced to introduce, security vulnerabilities which then allowed the NSA to compromise the system, the NSA might have your fingerprint and any other info passing through your phone. And I don't know if there's a good way to evaluate that risk.

EDIT: And vulnerabilities that can be exploited by governments can also be exploited by bad actors, criminals, etc.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
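The enrol-then-compare flow described in the post above, shown for the website password case it uses as its analogy. This is an added example, not part of the original post and not Apple's implementation; the function names, PBKDF2 parameters and sample inputs are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive(secret: bytes, salt: bytes) -> bytes:
    """One-way derivation: cheap to compute forward, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def enroll(secret: bytes) -> dict:
    """'Training' step: keep only a random salt and the digest, never the secret."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": derive(secret, salt)}


def verify(record: dict, candidate: bytes) -> bool:
    """'Unlock' step: hash the new input the same way, compare in constant time."""
    return hmac.compare_digest(derive(candidate, record["salt"]), record["digest"])


def flip_one_bit(data: bytes) -> bytes:
    """Return a copy of data that differs from it in exactly one bit."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    secret = b"constructed sample input"  # constructed, not real data
    record = enroll(secret)
    near_miss = flip_one_bit(secret)

    print("stored record:", {k: v.hex() for k, v in record.items()})
    print("exact input matches:", verify(record, secret))
    print("one-bit-off input matches:", verify(record, near_miss))
    changed = differing_bits(record["digest"], derive(near_miss, record["salt"]))
    print(f"digest bits changed by a one-bit input change: {changed} of 256")
```

A one-bit change in the input yields an unrelated digest, so this exact-match comparison only succeeds when the input is reproduced byte for byte, as a typed password is.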