Voiceprints make crypto keys

By Kimberly Patch, Technology Research News

As we rely on computers for tasks like handling money and keeping secrets safe, it has become increasingly important to give our desktops, laptops and PDAs the means to know for sure who they are dealing with. The classic solution is to lock up the data, and give the user a cryptographic key.

The main challenge to improving this type of security is to make it more difficult to steal or reconstruct the keys, but easier for legitimate users to access computing resources.

Researchers from Lucent Technologies' Bell Labs have tapped the individuality of the human voice to generate unique cryptographic keys for computer users. Under the researchers' scheme, a user speaks a password, and the system listens for both the correct word and the correct voice.

The method uses the random variability of people's voices to add a layer of security to even a simple password, said Fabian Monrose, a member of technical staff at Bell Labs. "The randomness of [a] key is drawn from both the pass-phrase that is spoken and the speech patterns of the user... speaking it," he said. The more randomness contained in the information the key is constructed from, the harder the key is to figure out.

The scheme uses cepstral coefficients, which are numbers that model the vocal tract, to help construct the key. These coefficients are also commonly used in speech and speaker recognition software. They are robust, meaning they contain a lot of information, and reliable, meaning they are fairly consistent for a single speaker, but vary across a population.

The researchers' prototype software, which runs on a Compaq Ipaq PDA, uses 60 different features from a given voice sample to form a mathematical descriptor, then uses the descriptor to construct cryptographic keys and verify whether keys generated by users are correct. "We've been... generating 60-bit keys from a few seconds of speech," said Monrose. "Our studies suggest that the techniques... enable significant randomness from pass-phrase utterances."

Because there is variability even in the way a single user says a password, the method allows for some legitimate errors in the 60 parameters used. These errors are due to background noise or changes in vocalization. "Since the biometric readings are hardly exact across successive measurements, we typically need to correct... five errors on average for the legitimate user," Monrose said. "An adversary speaking the password, however, will cause a far greater number of errors," he said.

The scheme also includes software to protect against reverse-engineering of the key in the event that the device being protected is captured, said Monrose. Information about the scheme stored on the device is protected using a secret-sharing scheme, which divides a secret into two or more pieces. The secret is revealed only when the pieces are combined. "The key is regenerated from scratch in each reconstruction attempt, and no speaker-specific information is stored in the clear," said Monrose.
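The following sketch is an added illustration, not the researchers' algorithm or code. It shows how a secret-sharing table can tolerate a few wrong feature bits while storing nothing that reveals the user's bits. The threshold T, the SHA-256 check value, the retry limit and all function names are assumptions made for this example.

```python
import hashlib
import random

P = 2**61 - 1          # Mersenne prime; field for the shares (roughly a 60-bit key)
M, T = 60, 20          # 60 feature bits; any T valid shares rebuild the key (T assumed)

def _eval(coeffs, x):
    """Evaluate the polynomial with these coefficients at x (Horner, mod P)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def _digest(key):
    return hashlib.sha256(key.to_bytes(8, "big")).hexdigest()

def enroll(bits, rng=None):
    """Return (key, table, check); table[i][b] is a real share only if b == bits[i]."""
    rng = rng or random.SystemRandom()
    coeffs = [rng.randrange(P) for _ in range(T)]   # key = coeffs[0] = f(0)
    table = []
    for i, b in enumerate(bits):
        row = [rng.randrange(P), rng.randrange(P)]  # start with decoys in both cells
        row[b] = _eval(coeffs, i + 1)               # real share goes in the user's cell
        table.append(row)
    return coeffs[0], table, _digest(coeffs[0])

def _interpolate_at_zero(points):
    """Lagrange interpolation of f(0) from T points (x, y), mod P."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def recover(bits, table, check, rng=None, max_tries=500):
    """Rebuild the key from a noisy reading; None if too many bits differ."""
    rng = rng or random.SystemRandom()
    picked = [(i + 1, table[i][b]) for i, b in enumerate(bits)]
    for _ in range(max_tries):                      # retry subsets to dodge bad shares
        key = _interpolate_at_zero(rng.sample(picked, T))
        if _digest(key) == check:
            return key
    return None
```

A reading with about five wrong bits still yields T good shares within a few tries, while a reading with many wrong bits almost never does; real and decoy cells are both uniform field elements, so the stored table alone does not show which cell belongs to the user.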

To make the prototype work, the researchers needed to make sure that the system did a good job of processing the user's speech in order to minimize error correction for the legitimate user, and they had to devise secret-sharing schemes and reconstruction algorithms that allowed the system to recognize a legitimate user in a reasonable amount of time, according to Monrose. "The challenge... is to find the right balance of eliminating environmental effects early via signal processing versus relying on the error correction in the key generation step to compensate for the effects of noise and silence that may occur in the user's utterance," he said.

The researchers' attempts to fool the system using recorded and synthesized speech did not work, said Monrose. "Cut-and-paste attacks of a user's speech, and text-to-speech attacks... did not significantly outperform random guessing," he said.

This could change as speech synthesis and audio sorting tools get better, however, Monrose said. As advances are made in speech synthesis and in tools for automatically finding phonemes in an utterance, these types of attacks will become more successful, he said. "We're actively exploring effective countermeasures against such attacks," he added.

The work is an efficient way to use a natural user interaction to provide personal information security, said Philip Robinson, a researcher at the University of Karlsruhe in Germany.

Although biometric techniques like speech or fingerprints are readily available and therefore easy to use, there is a potential downside -- you can't change speech and fingerprints if the security is compromised. The researchers' method addresses this problem, said Robinson. The randomness associated with a spoken password is increased by basing the key regeneration process on the variation in a user's speech pattern, he said.

Finding novel ways of facilitating usability while maintaining strong security is a major underlying theme in ubiquitous computing security research, Robinson added.

The researchers' prototype has proved the plan plausible, but does not achieve especially strong security. Their next step is to strengthen the method, said Monrose. "Our immediate goals are more extensive user trials, which will involve analyzing ways to increase the strength of the derived keys," he said. The researchers are aiming to achieve key lengths of 80 bits or longer, he said. The strength of the cryptography programs used by today's business community generally ranges from 128 to 8,192 bits.

It will take a couple of years for the researchers to determine if the scheme is capable of generating strong cryptographic keys that can be used in commercial applications, said Monrose.

Monrose's research colleagues were Michael K. Reiter of Carnegie Mellon University, and Qi Li, Daniel P. Lopresti and Chilin Shih of Bell Labs. They published the research in the Proceedings of the 11th Usenix Security Symposium, which was held August 5-9, 2002 in San Francisco. The research was funded by Bell Labs.

Timeline: Unknown
Funding: Corporate
TRN Categories: Cryptography and Security; Computer Science; Human-Computer Interaction
Story Type: News
Related Elements: Technical paper, "Toward Speech-Generated Cryptographic Keys on Resource Constrained Devices," Proceedings of the 11th Usenix Security Symposium, August 5-9, 2002 in San Francisco.


October 16/23, 2002

© Copyright Technology Research News, LLC 2000-2006. All rights reserved.