I have to control access to a system based on fingerprint recognition in PHP.
But I do not know what would be the best approach to do this...
I was searching for a device and software, and maybe this will the one I'll use:
U.are.U 4500 Fingerprint Reader digital persona
This software use somekind of SDK, so java must be used, Is there a way to make a bridge between php and java?.
I am not expert in java web services, but if this is the only way, How to control fingerprint?
Does the device returns an image, or a md5 string, or How does it work, how to read this in php?
What is your experience in this kind of thing...
There's another dimension to this, too.
When you say "PHP", I imagine you're probably talking HTTP web server/client web browser interaction (with PHP on the server).
The Digital Persona (DP) device, however, is usually over on the client.
I've actually used Digital Persona (probably a different device and a different SDK than yours), but the principle is probably similar. You plug the device into the PC's USB port, and the DP SDK controls the device, scans the thumbprint, compares it to other fingerprint images you've "registered" (in a database, a set of image files, whatever), and reports back whether or not there's a match. This all occurs on the CLIENT side.
SUGGESTION:
Your best bet might be:
1) Code your server side stuff in PHP, as you're doing now
2) Code your DP interaction as a JAVA APPLET
3) You DON'T necessarily need to "call Java from PHP" (or vice versa). Instead, all you need to do is:
invoke the applet from the PHP pages you serve, and
Have the applet communicate with the web server
Here's one example of how you might approach this:
http://www.devdaily.com/java/edu/pj/pj010023
What I believe as procedure to be done is:
Create a folder for storing fingerprints of authorised users;
When a fingerprint is inserted to login,
Retrieve the stored fingerprint of the user using php code $a;
Change the fingerprint of the current user into a php code $b;
Compare the two codes $a and $b
If $a != $b then
Give error msg,
If $a == $b then allow entry into system.
You may work on with me to achieve this in php as java is Greek to me.
Thank you.
Related
I want to retrieve the following things from the user's desktop when the user uses logs into my website:
1) Mother Board Serial Number
2) Hard Disk Serial Number
3) CPU Serial Number
Now I am confused and not sure which way to go.
I cannot use Javascript because it will not provide these details because of security reasons.
I cannot use php because php runs on server side and not client side.
So last option is using Java Applets. As soon as the user logs in, the applet will be downloaded. When the user runs the applets, it will retrieve the necessary information. But I dont want to be using this because applets are obsolete these days and nobody uses them.
So is there any method in which I find find the user's hardware details without using Java Applets.
Using Java to get os level system Information will get you started in right direction.
Finding Operating System Information
How to get System Information using Java
I have a web interface, in which users will fill in some data, will digitally sign it (using a USB token) and will print it with an old matrix printer.
To handle this I intend to write a Java applet, which loads a DLL from the server (to avoid installation on client's machine). This DLL will then access the USB token, do the signing and handle the printing (there are some particularities).
Since I do not have much experience with Java technologies and if I can do this at all, I would be grateful if someone can point me in the right direction. Should I use JNI or JavaWebServer or maybe some other technology?
I am currently developing an api for a website i run. The api will be used in a number of places, and one of those places is an Android app.
It's purpose is to allow users to login, and and download files. I have the api build, and it will be using HTTPS so all of the data is fine when being transferred.
The issue i am having is that the API calls require an API key. With this key you will be able to have access to certain functions of the API that may cause issues.
What i was wondering, is there a way to secure this API key? I am not an Android developer at all, but people will be using the API that are on Android so i need to work out a solution.
Below is an example of the flow that the API uses:
// Log the user in with their username and password (HTTPS, so not really an issue)
romhut.request('/api/users/login?apikey=KEY', {username : 'scott', password : 'password'}, function(r) {
console.log(r);
// Once you have the token, request the API key that allows actions such as downloading
romhut.request('/api/files/download?apikey=KEY', {token : r.token, file : file}, function(d){
console.log(d);
// Download the file
}, 'POST');
}, 'POST');
No. You cannot protect the API Key once you embed it into an Android application. The app needs access to the API Key, so someone with access to the app will be able to recover that key from within the app and use it for their own purposes. The best you can do is to obfuscate your app so that reverse engineering it is more difficult (the goal is to make it more difficult for the attacker to reverse your app than is worth his time). You need to decide how much effort in this regard is called for, based on the risk of an exposed API Key, but you can never make it impossible to recover, just more difficult. In reality, your best bet is most likely to turn on Proguard during your build process (so things are obfuscated to a decent degree in the APK with no work on your end) and hope for the best.
You should create a specific API key for each user. There is no really good way to secure data that is actually in the user's hands (Ask makers of copy protection about this) Then you can use HMAC to hash together the API key and the requested API and verify that the same thing happens on both ends. See: http://en.wikipedia.org/wiki/Hash-based_message_authentication_code (PHP has a function for this.)
In fact it would be more accurate to say that there should be a many-to-one relationship between keys and users since you may have different and/or revoked keys for a user.
For an excellent overview, see: https://security.stackexchange.com/questions/18572/is-it-okay-for-api-secret-to-be-stored-in-plain-text-or-decrypt-able
Is Android keystore a direction to look at? Then, perhaps an encrypted string is posted to the API based on the key that is stored in android key store by the app at the time of installation. That way if there is a succesful decryption, it can serve the requests.
So I am creating a JApplet Game, and I am saving the users info to a .txt file in the APPDATA. Is there a safer way to save their info, that won't allow them to edit it to cheat?
Basically, the only way to prevent cheating is to have a server under your control calculate the score and otherwise enforce game rules. If you were writing a peer-to-peer game, there might be some protocol to allow users to determine if another player was cheating without involving you. ACM sigecom regularly publishes research about such protocols. However, because of the restrictions of the applet security model, users would need to grant your applet special permission for it to talk directly to other users anyway.
Speaking of that, I would advise against "saving the user's info to a .txt file". %APPDATA% is Windows-only, thus breaking "write once run anywhere"; and the default applet sandbox does not allow reading or writing local files, so you'd have to sign the applet and convince your users that it was special enough to merit such elevated privileges.
However, you do have a few options for applet/server communication:
REST calls using java.net.URL
SOAP calls (there are several libraries for this)
RMI (only if the server is written in Java)
Your own custom protocol over TCP
Applets can't read and write cookies directly, but JavaScript can, and JavaScript can call methods on applets. One last way to pass information from the server to the applet (but not back out) is through PARAM tags. You could even pass initial game-state data signed by the server's private key and base64 encoded in a PARAM tag; which would prevent anyone from "editing" it, although I can't think of any way to completely prevent cheating if something about the game-state is supposed to be hidden from the player but known within the applet code.
I am a final year student, i am trying to provide higher level of security at web login time for clients. So, i am looking for fingerprint authentication. Which means, wherever client wants to login he/she has to login using his/her fingerprint. (Assuming client is using digital persona personal fingerprint reader for finger scan). So, is it possible...? if it is, then how..?? Because, i googled my problem , but didn't get helpful material to implement on my project.
Unless your fingerprint reader specifically has support for this functionality, chances are that it's not possible. As a general rule, web pages are intentionally prevented from having direct access to hardware.
Also, see the comments on Online fingerprint authentication for some reasons why fingerprint authentication may not be quite so awesome as it sounds.
If you can access the fingerprint scanner from Java in the browser security context, then you could use Digital Persona's drivers. A problem may arise in that you will likely not be able to access the scanner from the browsers security context without the blessing of the user. Additionally, the Digital Persona drivers may require that you install extra software on the client's machine.
You would need:
A fingerprint capturing device (something like 30 USD to a few hundred USD depending on the spec)
A fingerprint matching SDK (download one that is in the public domain here)
Then you write:
Client code that captures and submits fingerprint images.
Server code that receives a person's fingerprint image at registration, converts that into minutiae data, checks that quality of the image/minutiae to make sure the fingerprint minutiae is usable, then stores it in the DB.
Receives a person's fingerprint image at login, converts that into minutiae data and matches that with the fingerprint in the DB by calling the matching library. Usually you will get a matching score back, with which you can decide whether you consider it the same identity by using a threshold (if score > threshold then authenticate, etc.)
That's the basic idea. The link I provided should have all the libraries you need. Note also that you might need to process the image captured by the capturing device so that you can use it with the libraries.
Biometrics isn't easy. Even if you have the libraries, you can't just use them without careful planning/tuning etc. So it's not like you are good to go to build a production app. just because you have these libraries. It's quite different from say, using Hibernate as a library. So if you are just interested in quickly adding this functionality on your app., you should reconsider because it will take a lot of work to make this work. If you are prepared to understand how these libraries work, play around with image processing, learn about biometrics etc., then it might be fun :)
There are probably libraries out there that you can buy (probably together with the capturing hardware) which will make this process much easier, but they are very expensive.