A while ago, Microsoft released a new revision to their fingerprint reader product. The new revision includes some extra security and the open source software that I’ve previously written for the earlier models does not work with the new revision as a result.
The newly added security is a challenge-response algorithm, where the device challenges the authenticity of the driver soon after the device is plugged into the computer:
- The device sends a 16 byte challenge
- The driver sends a 16 byte response
The challenge produced by the device changes on every plugin and is probably just a random number. The driver then receives the challenge, applies a known secret algorithm to it, and sends the resultant data as a response. The device also knows the secret algorithm, and hence knows the correct response that the driver should send back. If the driver does not send back the correct response, the driver is not able to operate the useful functions of the device.
Naturally this poses a challenge for an open source driver implementation – unless we know the secret challenge-response algorithm, we are unable to operate the device. Previously, all reverse engineering of these devices has been done through bus traffic analysis alone (looking at the USB packets sent and received by the official Windows drivers, and making educated guesses as to what each packet means). It would not be practical to attempt to apply the same reverse engineering techniques to determine the secret challenge-response algorithm – we’re effectively talking about breaking 128 bit encryption by analysing a data set…
So, I got in contact with a 3rd party and we performed chinese wall reverse engineering on this particular part of the Microsoft driver. The 3rd party looked at disassembled instruction code of the Windows driver and documented the algorithms without reproducing any of their code. I received the documentation, and produced a clean-room reimplementation of the authentication scheme in my driver.
The secret challenge-response algorithm in use is simply AES with a specific decryption key.
I have released libfprint v0.0.5 which now supports these devices out of the box. Enjoy!