Biometric Fingerprint Emulation - emulation

The company I work with requires me to log in by entering my biometric fingerprint with a fingerprint scanner.
It is good, but I have to borrow a device from my coworkers every time, and I can't afford a new one right now.
I don't always have a scanner with me at home.
Is there a way that I can virtually save my fingerprint on my computer and emulate a fingerprint input at any time without having the physical device with me?

Related

Bluetooth pairing with default passkey set manually in Bluez 5 BLE

I am using the BlueZ 5.50 stack on a Linux device which does not have a display. I want to pair my device with a mobile device (Android or iOS) with secure pairing, which requires a passkey to connect.
Every time I try to pair, an auto-generated passkey is generated. I want to set a default passkey which should be used during pairing instead of the auto-generated passkey.
How can I resolve this issue?
The Bluetooth standard says that the passkey should be randomly generated and that a static key should not be used. There is a good reason for that: the ad-hoc protocol used in Bluetooth is insecure if the passkey is reused. If you don't have any input or output mechanism, you shall use "Just Works" pairing, which unfortunately does not give you any MITM protection. The security of this is technically more or less the same as when using a static passkey but without giving a false sense of security.
See https://stackoverflow.com/a/70479911/556495 for an answer to a similar question.

Bluetooth Security Concern

We are developing sensors which will be distributed in large quantities and broadcast BLE every 5s in order to have access to DFU and Data Sending. The DFU is encrypted from the manufacturer's end; however, the Data Sending (NUS/UART) is left open, and so we are looking for ways to encrypt the data or limit access to this service from unwanted users. A static PIN key could be used; however, since it is only 4 digits long (usually), there are only 10,000 combinations. It would be appreciated if you could shed some light on this.
The Bluetooth standard won't help you solve this in a good way. Its pairing / bonding features are designed to prevent remote attacks while a user is pairing with the device, not to prevent any person from pairing at all. You should see the question as a general question and not a Bluetooth-specific one in my opinion.
Unless you want to pre-bond all the sensors to some legit device and then prevent new pairings (which would of course solve your problem, but might be cumbersome in practice), you should use something other than what the Bluetooth standard offers.
For example, if you are happy with having a password to access the sensors, you can implement a PAKE scheme (https://en.m.wikipedia.org/wiki/Password-authenticated_key_agreement) and then encrypt and sign all data using the derived key. You can also simply use TLS, or some other certificate-based solution.
If you are lazy and think it's too hard to implement proper cryptography, you can otherwise just have a characteristic that the user writes a password to, and if it's accepted, the data sending service opens up. This of course is insecure because an attacker can sniff the connection and find the password. The same applies when you have a static PIN and use standard Bluetooth pairing.
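The PAKE option from the answer above, as an added example that is not part of the original answer: a SPAKE2-style exchange over the RFC 3526 2048-bit group, followed by an HMAC tag on a sensor reading under the derived key. The answer names no particular PAKE, so the choice of SPAKE2, the function names, the blinding constants `M` and `N`, the salt and the passwords are all assumptions constructed for illustration, and only the authentication half of "encrypt and sign" is shown.

```python
import hashlib, hmac, secrets

# 2048-bit safe prime from RFC 3526 (group 14); Q = (P - 1) / 2 is also prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the subgroup of prime order Q

def _elem(label):
    """Hash a label to a subgroup element with no known discrete log."""
    h = int.from_bytes(hashlib.shake_256(label).digest(256), "big")
    return pow(h % P, 2, P)

M, N = _elem(b"demo PAKE M"), _elem(b"demo PAKE N")  # constructed constants

def pw_scalar(password):
    d = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000, 64)
    return int.from_bytes(d, "big") % Q

def start(password, my_blind):
    """Return (secret state, public message); the password itself is never sent."""
    w, x = pw_scalar(password), secrets.randbelow(Q - 1) + 1
    return (w, x), pow(G, x, P) * pow(my_blind, w, P) % P

def finish(state, peer_msg, peer_blind, transcript):
    w, x = state
    if not 1 < peer_msg < P or pow(peer_msg, Q, P) != 1:
        raise ValueError("peer message is not in the prime-order subgroup")
    shared = pow(peer_msg * pow(peer_blind, Q - w, P) % P, x, P)  # g^(xy) if w matches
    secret = shared.to_bytes(256, "big") + w.to_bytes(256, "big")
    return hashlib.sha256(transcript + secret).digest()

def pair(phone_pw, sensor_pw):
    """Run both sides locally; only msg_a and msg_b would cross the BLE link."""
    a, msg_a = start(phone_pw, M)
    b, msg_b = start(sensor_pw, N)
    t = msg_a.to_bytes(256, "big") + msg_b.to_bytes(256, "big")
    return finish(a, msg_b, N, t), finish(b, msg_a, M, t)

def tag(key, reading):
    """Authenticate one sensor reading with the session key."""
    return hmac.new(key, reading, hashlib.sha256).digest()
```

A sniffer sees only the two blinded group elements, and a peer holding the wrong password ends up with a different key, so its tags fail to verify and each connection gives it a single password guess.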

Remote Access remote pc using 2 USB

I am not sure if this is correct, but I did see an advert in the newspaper about secure remote access using two USB devices. One USB is plugged into the remote PC and the other USB is plugged into the machine from which I am connecting. It creates the secured remote access without any need for third-party software like LogMeIn or GoToMyPC or any other commercial remote software.
Can anyone suggest if this is possible and if anyone is currently doing this?
There are 3 basic ways:
1. Secure everything on your PC by encrypting all files on it with a USB dongle, for example GuardKey or any similar one. By the way, in China this method is very popular for keeping files safe and preventing files from leaking outside companies, as file actions are logged (I can't say exactly which dongle they use).
2. Make a secure connection between the computers by using a VPN tunnel (very popular these days for users); no extra hardware is needed.
3. For a server, there is the HSM (hardware security module), which can be a box and is considered military grade, or, as a cheaper solution, a USB dongle, with a USB dongle or embedded chip on the other end capable of decrypting and encrypting the whole incoming and outgoing data stream, usually combined with KMS (key management software), which can be embedded in hardware or installed separately.

Using SIM card info on a USB Card Reader to secure usage of windows software

I have developed a Windows desktop application and it is ready for distribution. Target buyers number only a few hundred, yet I wish to protect it from unauthorized use.
My first idea was to use something like a HASP key etc. I found it costly for my case. Then I googled about machine fingerprinting etc. to write my own code. I found mixed opinions about it, especially the fact that it might not be that end-user-friendly when they upgrade hardware.
Why should the fingerprint be from the machine? It could be from something else which is unique and yet connected to the machine (hoping a SIM card is unique), right? Put a SIM card in a USB reader and plug it into the system. The application shall read the SIM card ID for authentication, assuming I supply the SIM cards and pre-code their IDs in the application. Is this idea sane and possible?
Thanks, Chandra.

Bluetooth device maintains connection even after passkey (PIN) change

I am using an SPP Bluetooth module to send data between my Android phone app and the module. I stumbled upon an interesting thing today.
1. I pair to my module by entering a passkey.
2. I can normally send data back and forth between my app and the module.
3. From within my app I disconnect from the module and close my app.
4. On the module I change its passkey to a new value.
5. I reopen my app and can still exchange data. I do not need to go through pairing again. All security information exchanged by my phone and module when I first paired them (using the old passkey) seems to still be valid even after changing the PIN on the module.
6. I then close my app and unpair the device from Bluetooth settings.
7. After that I pair the two devices to make sure the passkey change was in fact accepted, and sure enough it was. I can now only pair with the new PIN.
My surprise is that in point 5 above everything still worked even without updating the PIN on my mobile phone as well. I plan on getting around this by calling removeBond() using reflection after I send the module a command to change the PIN, since this is enough for my particular use case. But if the PIN change could be triggered by something other than my phone, this would not work.
My question is whether this is normal. Bluetooth specs are quite long, so I was hoping someone else knows this. I would imagine that after changing the passkey for a Bluetooth device, all devices already paired with it would have to go through the pairing process again, this time with the new passkey. But the steps above indicate this is not the case. Is this a bug in my Bluetooth module (Bluegiga WT12) or is this expected behaviour? Has anyone encountered this before?
Thank you.
Cheers!
So, Bluetooth specs are more friendly than I thought. I found my answer in this paragraph:
The Bluetooth PIN is used to authenticate two Bluetooth devices (that have not
previously exchanged link keys) to each other and create a trusted relationship
between them. The PIN is used in the pairing procedure (see Section 11.2 on
page 241) to generate the initial link key that is used for further authentication.
So passkey is not like a password in a router. It is just a sequence which both devices need to know when connecting so that one authenticates the other. Once they are sure they can trust each other they exchange link keys and those are used for future communication. Passkeys/PINs are then irrelevant.
I hope I understand this right.
Terribly sorry for posting too soon.
Cheers!
