The following document addresses security concerns regarding the enrollment and use of fingerprints with the SUPREMA biometric terminals, and the generating, sending and storing of information relating to fingerprint details and scan times.

At the point when the user enrols a finger on the scanner, the unit analyses the patterns, ridges and grooves of the fingerprint and uses this information to generate a 256-bit AES encrypted ‘hashed’ value. This value is an alphanumeric representation of the fingerprint, produced as a one-way encrypted ‘hashed’ value.


The following is an example of how an employee fingerprint looks as it is stored in the employee table in the database.


This ‘hashed’ value cannot be loaded directly into an image viewer (such as Photoshop), as it is not a graphical format.


A hash, by definition, takes any known source of data (i.e. fingerprint data) and converts it into a seemingly meaningless string of characters. By definition, a ‘hash’ cannot be decrypted back into the original data that made up the source. ‘Hashes’ are designed to convert a source into a specific encrypted code used for identification. They cannot be decrypted and later converted into an image.

Enrollment is the only time the ‘hashed’ fingerprint is actually sent across the internet to the ClockOn database. The system uses SSL communications to do this (the same internet security layer that banks use).


There are only 3 possible points of exposure at which a hacker could obtain information about an employee’s fingerprint, as discussed below.


1. Employee Enrollment


The first point of exposure is when an employee is enrolled. At this point a hacker must be able to:

  • Gain access to the customer’s incoming network traffic (bypassing all Windows security and router security configured by the customer’s network admin).
  • Have a specially written program that can ‘listen’ and then ‘understand’ the SSL-secured messages sent by the terminal at enrollment.
  • Be able to decrypt the ‘hashed’ fingerprint as shown above (which isn’t possible, as a ‘hash’ cannot be decrypted).

This ‘hashed’ string cannot be converted back into an image that can be used by other systems to identify the employee.


If a computer hacker were to somehow ‘listen’ to the enrollment process, they would only be able to capture the string shown above. Even if they obtained this string, it is impossible to convert it back into an image for employee identification.


Only the ‘hashed’ string for a fingerprint is ever stored.


If a hacker were to physically obtain one of the terminals and attempt to retrieve fingerprint information from it:

Even if they know the master passwords to access the terminal, they cannot retrieve any visible or distinguishable fingerprints. The terminal itself only allows enrollment and removal of ‘hashed’ fingerprint data.


The fingerprints are stored as ‘hashed’ values and cannot be decrypted into a usable image or numeric code.


2. Employee Swipe Events

When an employee swipes their finger on a terminal (to start a shift), the captured fingerprint is analysed ‘on-the-fly’ by the red scanner and the resulting numeric identification is ‘hashed’ (on-the-fly) into the meaningless string (as above) using the hashing algorithm. The ‘hashed’ string is matched against the list of other ‘hashed’ fingerprints stored in the terminal for identification.


The second possible point of exposure is when swipe times are polled by ClockOn to be sent to head office.


  • If a match is found the terminal records a swipe ‘event’ in its log.
  • It never records the ‘hashed’ string in the log.
  • The swipe log is the only data to be transferred to ClockOn on a regular basis (i.e. when a terminal is polled).


This is what a terminal log looks like (as it is stored in a terminal):

Employee Id   Date         Time       Log Type
1             01/01/2010   10:23:32   Start of shift
1             01/01/2010   13:47:00   Start of break
1             01/01/2010   14:15:23   End of break
1             01/01/2010   18:30:15   End of shift
2             01/01/2010   08:32:23   Start of shift
2             01/01/2010   11:17:00   Start of break
2             01/01/2010   12:16:10   End of break
2             01/01/2010   17:32:10   End of shift


As you can see, there is no ‘hashed’ data regarding fingerprints, only data relating to shift attendance.

Again, if a hacker were to somehow ‘listen’ to the polling process, no fingerprint or identification information could be obtained, just log times registered against an employee id.


3. Security and privacy protection of the underlying database files

The third possible point of exposure in all implementations is the security and protection of the underlying database. This is the responsibility of the customer, and on all implementations we advise that this work needs to be carried out.


Windows offers file permission and security settings which need to be adequately configured by the customer to ensure the database cannot be breached.
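As an added illustration of the file-permission step described above (this is example code, not ClockOn’s or Suprema’s own tooling), the following PowerShell script restricts a database folder to the service account, SYSTEM and local Administrators, and then reports any broad group that still has access. The folder path and the service account name are assumptions to be replaced with the customer’s own values.

```powershell
# Added example, not the vendor's code. $DbPath and $ServiceAccount are
# placeholders for the customer's database folder and service identity.
param(
    [string]$DbPath = 'C:\ClockOn\Data',            # assumption: database folder
    [string]$ServiceAccount = 'NT SERVICE\ClockOn'   # assumption: service identity
)

$acl = Get-Acl -Path $DbPath

# Stop inheriting permissions from the parent folder and discard the inherited
# entries, so broad groups such as 'Users' no longer receive read access.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit entries that are already present on the folder.
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Only the service account, SYSTEM and local Administrators may touch the files.
$grants = @(
    @{ Id = $ServiceAccount;          Rights = 'Modify' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $DbPath -AclObject $acl

# Verify the result: list who can still access the folder and flag broad principals.
$remaining = (Get-Acl -Path $DbPath).Access |
    Select-Object IdentityReference, FileSystemRights
$remaining | Format-Table -AutoSize
$broad = $remaining | Where-Object { $_.IdentityReference -match 'Users|Everyone' }
if ($broad) {
    Write-Error "Broad principals still have access: $($broad.IdentityReference -join ', ')"
}
```

Run the script from an elevated PowerShell session; the final check fails loudly if ‘Users’, ‘Authenticated Users’ or ‘Everyone’ still appear in the folder’s access list.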

Should a hacker somehow obtain a copy of the entire database, they would only be able to ascertain the ‘hashed’ strings representing employee fingerprints, but would not be able to re-use that information to further identify employees outside ClockOn.

A portion of our customers use secured VPNs for all external communications (which covers the polling of log data and the enrollment of new employees), which is considered very secure from outside hackers.