Thursday, September 19, 2013

The NSA Thanks You



  1. Apple's own description:
    Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.

    John Gruber's description:
    Your fingerprint data is not just “not stored in iCloud yet”, it is not stored in iCloud by design, and according to my sources, never will be. iOS, even the system itself, cannot read from or write to the secure storage location where fingerprint data is stored — only the Touch ID hardware sensor itself can. And what is stored in that secure location are not fingerprint images, but cryptographically hashed values, unique both to your finger’s biometric data and the device itself on which you scanned it. Even if someone does figure out how to obtain the fingerprint data from the secure storage on your iPhone, that fingerprint data should prove useless anywhere but on the unique Touch ID sensor on that iPhone itself — which device would have to be in the possession of your attacker/adversary in the first place for them to read the data.

    A very interesting, longer essay on it from Brian Roemmele on Quora:
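The storage model Apple and Gruber describe above (a template that is never reversible, bound to a key only the enclave holds, and useless on any other device), as an added toy model in Python. This is illustrative code, not Apple's implementation: the per-device key, the template bytes and the keyed-digest construction are assumptions chosen to show the binding property.

```python
import hashlib
import hmac
import os


class SecureEnclave:
    """Toy model (assumption, not Apple's design) of an enclave holding a
    device-unique key that never leaves it; callers get only enroll/verify."""

    def __init__(self):
        # Constructed stand-in for a per-device secret fused into the chip.
        self._device_key = os.urandom(32)

    def enroll(self, template: bytes) -> bytes:
        # Store a keyed digest of the template, never the template itself.
        # Without _device_key the blob can neither be reversed nor re-derived.
        return hmac.new(self._device_key, template, hashlib.sha256).digest()

    def verify(self, stored: bytes, candidate: bytes) -> bool:
        # Matching happens only inside the enclave, against its own key.
        expected = hmac.new(self._device_key, candidate, hashlib.sha256).digest()
        return hmac.compare_digest(stored, expected)


def demo() -> dict:
    # Constructed "mathematical representation" of a fingerprint (fake minutiae).
    template = b"minutiae:(12,40,37deg);(55,18,120deg);(80,91,5deg)"
    other_finger = b"minutiae:(3,9,200deg);(61,77,45deg)"
    phone_a = SecureEnclave()
    phone_b = SecureEnclave()  # a second device with its own key

    blob = phone_a.enroll(template)
    return {
        "same_device_matches": phone_a.verify(blob, template),
        "other_finger_accepted": phone_a.verify(blob, other_finger),
        "blob_usable_on_other_device": phone_b.verify(blob, template),
        "blob_leaks_template": template in blob,
        "blob_length": len(blob),
    }
```

Real fingerprint matching is approximate rather than exact, so a production enclave compares templates with a tolerance instead of a keyed digest; the toy keeps exact comparison only to make the device-binding and non-reversibility visible.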

  2. It's a rather simplified depiction, agreed.

