By request: Simple questions and answers about Touch ID. This appeared in an earlier post but was surrounded by other rants. It is reposted here for easy reference.
Does Touch ID store an image or picture of your fingerprint in the phone?
No. If you have any experience in topology analysis, you will know that comparing photos of fingerprints (or any sort of map) is an insanely long and processor-intensive process. Comparing the scan of your fingerprint on the sensor to a stored image of that print could take days. What actually happens with Touch ID is that the segments of your print that are on the sensor are compared to segments of a digital “profile” that was created from the patterns in the fingerprint. This can happen in an instant, and eliminates the need to properly orient your digit every time you wanted to open up your phone.
So there is a digital “profile” created. Big deal, someone could still use that, right?
Not unless they were able to pull together virtually all the computing power in the world. And even then they would have to get extremely lucky.
The profile – which is an insanely long stream of digits – is stored in a secure part of the processor as a “hash”. Unlike encryption, where the data is turned into unreadable gobble with the idea that you need to “un-gobble” it later on, a hash is strictly a one-way thing. You take a data item (lets use the word “Alice”) and then run it through a one-way hashing algorithm and come up with a string of nonsense (let say “glxXympittl23ez”). Every time you input “Alice” you get “glxXympittl23ez”. What the system does is scan your print (ie, gets “Alice”) and then asks the secure enclave of the processor if print is valid. The processor runs the scan through the hash routine, and if it gets a match (ie: comes up with “glxXympittl23ez”) then it tells the phone to unlock.
So the security here works on two levels. One, the processor never feeds back the value of the hash – it never tells the computer what “glxXympittl23ez” actually is. It only answers yes or no as to whether there is a match. Two, even if by some arcane and as-yet-unknown means they do get the value of the stored hash, there is no way to start with “glxXympittl23ez” and work back to “Alice”. Because the hash is a one-way equation and uses internal values that are embedded in that phone and that phone only, it’s nearly unbreakable. And by nearly, I mean virtually.
You said “virtually”, not “literally”.
Yes, you could break it eventually, given enough computing horsepower and time. But guess what? Time is not on your side. The stored hash expires after 48 hours of not being used and authorized. Once it’s gone, it’s gone. That particular hash will never be valid again. The baddies would have to find a way to extract the hash and then break it in under 48 hours. The chances of hitting the right values in that time frame are in the hundredths of millions of a percent.
So you’re saying that there’s a chance.
Yes, there is a chance. A completely and utterly miniscule one, but I have to admit, it exists. But guess what – even if they do manage to extract and break the hash, they still aren’t going to get a picture of your fingerprint. The iPhone 5S uses a capacitive scanner, not an optical one. Instead of a picture, the phone is recording and then hashing a digital series that is based on the placement of hundreds of thousands of different electrical values that make up your fingerprint. The values are then stored as items in relation to each other, not as am absolute map.
Meaning that even if the NSA / CIA / FBI / insert-your-own-shadowy-U.S.-government-big-brother-agency-here gets lucky and breaks the hash, they will get nice long data string that in no way shows what your fingerprint actually looks like. All they have is a pattern of values that they know are created from a fingerprint, but don’t actually show them anything about the fingerprint proper. Imagine a football stadium full of people. Now take one of those thermal imaging pictures that shows the crowd as a pattern or warm and dark spots. Can you tell it’s a crowd? Sure. Can you tell which teams are playing? No. Same thing here. You can deduce that there is a game on, but not what the hell is actually happening on the field.
As an unrelated but interesting aside, it also means that your phone can’t be unlocked with a photo of your print. Or by sneaking in and chopping off your finger in the night. It’s got to be a live digit.
But still! You don’t know what the future holds … maybe someday they will figure out how to break these hashes and then what? I don’t care, I don’t want that information stored on Apple’s servers!
Dude. Get a grip. Better yet, take a moment to think this thing through. Do you really think that Apple is going to give you a device that you can’t unlock unless you are actually connected to the net? Or that you have to wait gawd-knows how many seconds to unlock while the transaction works its way through the interpipes? Duh. The hashed value of the capacitance of your print is stored in a secured and segregated area of the phone’s main processor, and that’s it. Period. It would be moronic to do it – or even think to do it – any other way.
So what, the system is perfect?
No, of course not. There are always trade-offs and compromises. That’s what design is all about. But this is about as secure as you are going to get right now – it’s local and it’s secure. And if it (a) gets more people actually (b) locking their phones, and (b) makes capacitance-based fingerprint recognition a mainstream and comfortable technology, then that’s about as close to win-win-win as there is.