fingerprint sensor & ubuntu

My right index finger scanned and correctly identified

oo much literature, too much music lately, now some technical to line up thoughts in my head. Fingerprint reader has been out for quite a long time, but has only come to my hand recently on this HP 6910p laptop. The machine has an AuthenTec AES2501 fingerprint sensor built in, and using it is quite straight – forward under Hardy Heron:

1.   Install fprint-demo, libfprint-dev, libfprint0 and libpam-fprint from the repo.

2.   Use fprint_demo to enroll some fingers. Identification and verification is good for thumb and index fingers, but really bad for middle, ring and litte ones.

3.   Configure pam module to make use of fprint, add the two lines: auth sufficient & auth required nullok_secure to your /etc/pam.d/common-auth file. Remember to enable still password login since fprint is quite preliminary.

Now restart your machine and enjoy! At login prompt, you would need to enter username, then enroll a finger for authentication. If enrolling fails, normal password login would then be applied. In KDE, screen-locking and gksudo work seemlessly with fprint.

I observe for a while the fingers’ scanned images, to find out how they did all the identification and verification tasks. It’s quite clear that they are using some control points (called minutiae). You can see red dots in the image on the left (binarized from raw scanned image): they are either end points or branching points (point at which vein separates into more veins). They don’t need to match all veins of fingerprints, they only need to do some pattern – matching on the set of minutiae. Given two sets of minutiae, some Cartesian measures on points’ position may be enough for matching two fingerprints.

This machine, HP 6910p, is designed for medium performance, but for advanced security: the machine has TMP chip inside, with a smart card slot, and a fingerprint sensor. That would be quite sufficient to protect your privacy.

file system encryption

The pc-link reader, could be in many forms: usb, serial, pcmcia, pinpad…

An Axalto (previously Schlumberger’s, now Gemalto) smart card, this could be an access – control card, a bank debit / credit card, health – care card, social – identification card… Some smart card types are actually tiny computers – they have an Operating System, and Java virtual machine inside. Note: many of the smart card vendors are OEM – ed from SCM Microsystems, a Germany – based company. We’d better choose hardware and firmware directly from SCM when work on open – source projects.

ou have important data on your laptop, and one day the laptop is stolen. The best you can expect is that you loose all those valuable information. The worse… who know what it can be!? Since having a computer (hardware) in touch means having access to every data stored on it. How can you protect yourself from that situation?

The solution is encrypting your storage and keep your key safe from others’ access. You can encrypt your home directory or a whole data partition. (Some even encrypts /boot, /swap and /(root) – full disk encryption – so that their activities leave no traces). With Linux, every tools is at your hand, so let start making your life easier. Below is some guide lines on how to do it on Debian.

1.   Install eCryptfs: a Linux native and POSIX – compliant enterprise – class stacked cryptographic file system.

$ aptget install ecryptfsutils
$ modprobe ecryptfs
# you may have to patch your kernel in order for
# ecryptfsd (the key management daemon of eCryptfs)
# to work. in that case, you’d better grab and
# build eCryptfs from the latest source.

2.   Setup eCryptfs:

# simple setup, passphrase entered from stdin,
# eCryptfs allows overlay mounting: mount point
# and the actual storage can be the same.

$ mountt ecryptfs /encrypted/storage /mount/point
# you can now see your new fs using the command df,
# test it, go to your mount point and input some
# data, watch the output at the encrypted storage.
$ cd /mount/point
$ echo “Hello World” > hi.txt
$ cd /encrypted/storage
$ less hi.txt
# umount /mount/point and the file system
# is not accessible anymore


Every security solution comes to a very dead-end that there’s must be a MASTER KEY as the main entrance for the whole system. And we have several ways to protect the master key:

+   the tricky way: store the key somewhere on the disk, e.g: at the first sector of the volume image (offset some bytes to a position only you know) so that the key is hard to find and can not be accidentally deleted. More information about the trick is here.

+   the explicit way: store on an external storage such as usb, the system could only be functional once the usb is plugged in.

+   the “smart” way: smart card is the best way to store key. Since you can write public / private key to a smart card but can only read public key back, no – one can read the private key, including you. Smart card is designed to do encryption / decryption jobs: just request the card to encrypt / decrypt some data using a specified key, and the card sends back the required output.

In an organization, the private key is stored on smart card and given to the “person in charge” without the fear of loosing the key. For personal use, I think the second solution (using usb) is quite enough.

1.   Setup smart card:

# install pcscd, the daemon to talk with
# card reader install OpenSC, the open
# source smart card project

$ aptget install pcscd
$ aptget install opensc
# in my case, I have an Axalto reader which is not
# supported by pcscd. knowing that Axalto’s
# hardwares are OEM-ed from SCM, I just download
# the firmware from SCM, flash the reader and it’s
# then recognized as a SCM SCR 331 device. You can
# play around the smart card using opensc-tool,
# you can erase, init the card’s file system,
# create some PIN, generate some keys using
# pkcs#15-init, encrypt/decrypt can be
# done using pkcs#15-crypt

2.   Working with keys:

Public and private keys are fundamental concepts of Digital Signature. In short, multiply two big prime numbers – two private keys – you have a semi-prime number – the public key. Certificate is wrapper of the public key to work with a CA (Certificate Authority), for the public to check if a public key really belongs to an organization.

# generate public and private keys in RSA 1024
# bit pem format extract the public key from this
# keys pair, encrypt/decrypt with the keys

$ openssl genrsaout private.pem 1024
$ openssl rsain private.pemout public.pemoutform PEMpubout
$ openssl rsautlencryptinkey public.pempubinin file.txtout file.ssl
$ openssl rsautldecryptinkey private.pemin file.sslout decrypted.txt
# create the smart card’s file system,
# then create a PIN

$ pkcs15initcreatepkcs15
$ pkcs15initstorepinauthid 01label “mycom”
# copy private key to smart card, to decrypt,
# we need to specify key’s usage

$ pkcs15initstoreprivatekey private.pemauthid 01id 45format pemkeyusage sign,decipher

3.   Setup the whole thing:

With your smart card properly setup (a public/private key pair has been stored), we can use the following script to: 1. create a temporary volatile file system 2. use smart card to decrypt the password and store to that file system (these files would simply disappear when the machine power down) 3. using the decrypted password to mount with eCryptfs.

# 1. create a volatile fs to temporarily store the
# decrypted passfile

$ mountt tmpfso size=10M,nr_inodes=10k,mode=0700 /tmp_fs
# 2. decrypt the password file from
# /root/passwd to /tmp_fs/passwd

$ pkcs15cryptpkcs1decipherk 45i /root/passwdo /tmp_fs/passwd
# 3. now mount our encrypted
# directories with eCryptfs

$ mountt ecryptfs /encrypted/storage /mount/pointo key=passphrase:passfile= /tmp_fs/passwd, cipher=aes, ecryptfs_key_bytes=16, passthrough=1, verbosity=0

Done! Choose a strong encryption algorithm (e.g AES 256 – bit), and in most cases, you and your data would be safe until they have quantum computer running. Be sure to keep your key secret or your efforts would be of no help. For maximum security, choose a good smart card model, increase your keys’ size, revise all procedures of your software system…

(You’re pretty safe right now, so why there’s an “in most cases” in my last paragraph? The truth of being secured is actually more complex than that, as a quite-simple technique like this could be applied to steal password of a disk-encryption system. This bases on the fact that data in DRAM is not faded right away after loosing power, it still can last for some seconds (or even minutes), and by cooling the DRAM using an air duster (to slow down the fading speed), the DRAM module could than be copied and scanned for password (assuming that password has been entered and kept in memory). Nothing is really safe, however, hardware problem like this should have a hardware solution (like this AES 256-bit encryption Fujitsu hard drives).


fter decorating my Linux box with all newest GUI components, next things are for work. I found out that all Vietnamese keyboard softwares is broken on Hardy Heron: xvnkb stops kde_init and x-unikey crashes other applications all the time. Then come the wonderful thing scim. scim is a global input software designed for almost every languages. Mathematically speaking, the job is just mapping between one key-combination to a character-code. In this view, mostly any languages could be supported without any difficulties.

On every day works, I mostly use English, and Vietnamese, Chinese is just for entertainment. Please note that Chinese input is done via vi-nomtelex method, which bases on Hán-Việt (the Vietnamese phonetical transcribe of Chinese) to retrieve the correct Unicode character, thus we have a double mapping here: from raw keystrokes to Vietnamese and from Vietnamese (Hán-Việt) to the final characters. Actually, this method is designed primarily not for Chinese, but for Nôm, the ancient Vietnamese writing system.