A while ago, Microsoft released a new revision to their fingerprint reader product. The new revision includes some extra security and the open source software that I’ve previously written for the earlier models does not work with the new revision as a result.

The newly added security is a challenge-response algorithm, where the device challenges the authenticity of the driver soon after the device is plugged into the computer:

1. The device sends a 16 byte challenge
2. The driver sends a 16 byte response

The challenge produced by the device changes on every plugin and is probably just a random number. The driver then receives the challenge, applies a known secret algorithm to it, and sends the resultant data as a response. The device also knows the secret algorithm, and hence knows the correct response that the driver should send back. If the driver does not send back the correct response, the driver is not able to operate the useful functions of the device.

Naturally this poses a challenge for an open source driver implementation – unless we know the secret challenge-response algorithm, we are unable to operate the device. Previously, all reverse engineering of these devices has been done through bus traffic analysis alone (looking at the USB packets sent and received by the official Windows drivers, and making educated guesses as to what each packet means). It would not be practical to attempt to apply the same reverse engineering techniques to determine the secret challenge-response algorithm – we’re effectively talking about breaking 128 bit encryption by analysing a data set…

So, I got in contact with a 3rd party and we performed chinese wall reverse engineering on this particular part of the Microsoft driver. The 3rd party looked at disassembled instruction code of the Windows driver and documented the algorithms without reproducing any of their code. I received the documentation, and produced a clean-room reimplementation of the authentication scheme in my driver.

The secret challenge-response algorithm in use is simply AES with a specific decryption key.

I have released libfprint v0.0.5 which now supports these devices out of the box. Enjoy!

fprint is featured in the November 21 edition of LWN, which should be helpful in spreading the word further!

The article mentions that libfprint does not support identification (one-to-many fingerprint matching) yet. I just released libfprint v0.0.4 which adds identification support, and fprint_demo v0.4 which includes a GUI to demonstrate it. Talk about yesterday’s news ;-)

Torkild Retvedt contributed a logo, which you can see above. I’m happy to consider further logo submissions, but I do like Torkild’s and it will do very nicely for an initial project logo. Thanks Torkild!

Patrick Guignot spotted the LWN article, did some further research, and then published an article about fprint on linuxfr.org. I have only seen the google translation, but I must say, translation artifacts aside, that is an extremely well written article which has hit on exactly what I’m trying to achieve. I’ve written to Patrick to see if he’ll translate it into English or give me permission to find someone else to do so – I will publish any results here.

Update: Patrick doesn’t know English well enough to write his own translation. Any French-speaking volunteers who wouldn’t mind spending some time translating this into English?

Things are still busy with my new project. Here are a few more fprint releases which add some crucial features:

1. libfprint v0.0.3 adds support for the Authentec AES1610 found in various common laptops/tablets, contributed by Anthony Bretaudeau. These fingerprint readers only see a small area of the finger so imaging performance isn’t great, but it is usable!
2. pam_fprint v0.2 adds an enrollment application contributed by Vasily Khoruzhick, and has been fixed not to activate itself for logins over SSH.
3. fprint_demo v0.2 and v0.3 add various bits of functionality: enrollment GUI, image saving functionality, plus the ability to count and plot detected minutiae points.

fprint_demo v0.3 showing minutiae plotted on scan image

The fprint project has kicked off to a good start. Thanks to everyone who provided feedback so far. Any extra help spreading the word is much appreciated!

Immediately after the initial release, Vasily Khoruzhick contributed a fix for my aes2501 driver, as his is mounted in his laptop 180 degrees rotated, it’s upside down (actually I’m not sure which way round mine is supposed to go, but thanks to Vasily it now works either way). I also modified the aes2501 driver to perform fewer USB transactions, resulting in much improved image quality and overall scanning experience.

Jan-Michael Brummer contributed a driver for the UPEK TouchChip fingerprint sensor (USB ID 0483:2015) found in the Samsung P35 laptop. Jan-Michael indicates that the image processing performance is good but not brilliant.

libfprint v0.0.2 has been released with the above changes and a few others.

I also have been working on a simple demonstration GUI which may also help development in future. It’s called fprint_demo. Here’s a screenshot:

fprint_demo v0.1

Gentoo ebuilds for all released fprint components can be found here.

If you’ve been following my previous work with DigitalPersona fingerprint readers on Linux, you’ll be aware that what was an active and exciting project was reduced to almost nothing when it became apparent that open source fingerprinting code was possibly in conflict with U.S. export control laws.

Well, after studying the export control documents in detail, I discovered that these restrictions simply do not apply. I decided to propose my 3rd year university project as an open source software project to really sort out the state of fingerprinting on Linux. This project is now underway. For an overview, look at this poster.

The core project component, libfprint, aims to make it easy for application developers to add fingerprinting support to their applications – be it imaging or verification (or in future, identification). libfprint strives to provide you a single API for manipulating fingerprint readers in the most generic of fashions. Internally, a variety of different devices are supported through a driver-like abstraction. These devices do differ tremendously, but libfprint works to wrap that up so that as an application developer, you don’t care what type of device the user has plugged in.

As this is an academic project, it was necessary to keep development closed while I implement the fundamentals myself. I’m now at a point where I’m able to release this as open source and accept contributions in the normal way. I plan to keep this project going beyond the academic project schedule and I’d love to see a community forming. In the long term I’m aiming for inclusion with major distros, integration into desktop environments, etc.

Quick summary of where things are at:

• libfprint is relatively stable and works well with most devices
• a PAM module named pam_fprint has been created, which allows you to use your fingerprint to login to your system
• The code is all in git repositories, there are initial releases but there are no guarantees of stability or forwards-compatibility
• API documentation is mostly complete, but is subject to change without notice
• I’ve been working hard to get a decent amount of content on the project website

Hardware currently supported:

1. UPEK TouchStrip (found in many ThinkPads) – works great, we already knew this as ThinkFinger is quite successful
2. DigitalPersona/Microsoft devices – these work fantastically well
3. Authentec AES2501 – an imaging device, swipe sensor, works well (requires a little extra care while scanning).
4. Authentec AES4000 – an imaging device I haven’t really played with before. Image quality isn’t that brilliant, but it’s good enough for fingerprint login if you’re careful.

I’m very happy with the project so far. I’m pretty sure I’m the first person to fully implement open source fingerprint login for the DigitalPersona devices, the AES2501, and the AES4000, plus I’ve done it in a generic way which interchangeably works with all supported devices.

• fprint project homepage
• Download info
• Mailing list

Please direct all questions/bug reports to the mailing list, please don’t use the comment form on this post for anything other than comments.