make crypto keys
Technology Research News
As we rely on computers for tasks like
handling money and keeping secrets safe, it has become increasingly important
to give our desktops, laptops and PDAs the means to know for sure who
they are dealing with. The classic solution is to lock up the data, and
give the user a cryptographic key.
The main challenge to improving this type of security is to make it more
difficult to steal or reconstruct the keys, but easier for legitimate
users to access computing resources.
Researchers from Lucent Technologies' Bell Labs have tapped the individuality
of the human voice to generate unique cryptographic keys for computer
users. Under the researchers' scheme, a user speaks a password, and the
system listens for both the correct word and the correct voice.
The method uses the random variability of people's voices to add a layer
of security to even a simple password, said Fabian Monrose, a member of
technical staff at Bell Labs. "The randomness of [a] key is drawn from
both the pass-phrase that is spoken and the speech patterns of the user...
speaking it," he said. The more randomness contained in the information
the key is constructed from, the harder the key is to figure out.
The scheme uses cepstral coefficients, which are numbers that model the
vocal tract, to help construct the key. These coefficients are also commonly
used in speech and speaker recognition software. They are robust, meaning
they contain a lot of information, and reliable, meaning they are fairly
consistent for a single speaker, but vary across a population.
The researchers' prototype software, which runs on a Compaq Ipaq PDA,
uses 60 different features from a given voice sample to form a mathematical
descriptor, then uses the descriptor to construct cryptographic keys and
verify whether keys generated by users are correct. "We've been... generating
60-bit keys from a few seconds of speech," said Monrose. "Our studies
suggest that the techniques... enable significant randomness from pass-phrase
Because there is variability even in the way a single user says a password,
the method allows for some legitimate errors in the 60 parameters used.
These errors are due to background noise or changes in vocalization. "Since
the biometric readings are hardly exact across successive measurements,
we typically need to correct... five errors on average for the legitimate
user," Monrose said. "An adversary speaking the password, however, will
cause a far greater number of errors," he said.
The scheme also includes software to protect reverse-engineering of the
key in the event that the device being protected is captured, said Monrose.
Information about the scheme stored on the device is protected using a
secret-sharing scheme, which divides a secret into two or more pieces.
The secret is revealed only when the pieces are combined. "The key is
regenerated from scratch in each reconstruction attempt, and no speaker-specific
information is stored in the clear," said Monrose.
To make the prototype work, the researchers needed to make sure that the
system did a good job of processing the user's speech in order to minimize
error correction for the legitimate user, and they had to devise secret-sharing
schemes and reconstruction algorithms that allowed the system to recognize
a legitimate user in a reasonable amount of time, according to Monrose.
"The challenge... is to find the right balance of eliminating environmental
effects early via signal processing versus relying on the error correction
in the key generation step to compensate for the effects of noise and
silence that may occur in the user's utterance," he said.
The researchers' attempts to fool the system using recorded and synthesized
speech did not work, said Monrose. "Cut-and-paste attacks of a user's
speech, and text-to-speech attacks... did not significantly outperform
random guessing," he said.
This could change as speech synthesis and audio sorting tools get better,
however, Monrose said. As advances are made in speech synthesis and in
tools for automatically finding phonemes in an utterance, these types
of attacks will become more successful, he said. "We're actively exploring
effective countermeasures against such attacks," he added.
The work is an efficient way to use a natural user interaction to provide
personal information security, said Philip Robinson, a researcher at the
University of Karlsruhe in Germany.
Although biometric techniques like speech or fingerprints are readily
available and therefore easy to use, there is a potential downside --
you can't change speech and fingerprints if the security is compromised.
The researchers' method addresses this problem, said Robinson. The randomness
associated with a spoken password is increased by basing the key regeneration
process on the variation in a user's speech pattern, he said.
Finding novel ways of facilitating usability while maintaining strong
security is a major underlying theme in ubiquitous computing security
research, Robinson added.
The researchers' prototype has proved the plan plausible, but does not
achieve especially strong security. Their next step is to strengthen the
method, said Monrose. "Our immediate goals are more extensive user trials,
which will involve analyzing ways to increase the strength of the derived
keys," he said. The researchers are aiming to achieve key lengths of 80
bits or longer, he said. The strength of the cryptography programs used
by today's business community generally range from 128 to 8,192 bits.
It will take a couple of years for the researchers to determine if the
scheme is capable of generating strong cryptographic keys that can be
used in commercial applications, said Monrose.
Monrose's research colleagues were Michael K. Reiter of Carnegie Mellon
University, and Qi Li, Daniel P. Lopresti and Chilin Shih of Bell Labs.
They published the research in the Proceedings of the 11th Usenix Security
Symposium, which was held August 5-9, 2002 in San Francisco. The research
was funded by Bell Labs.
TRN Categories: Cryptography and Security; Computer Science;
Story Type: News
Related Elements: Technical paper, "Toward Speech-Generated
Cryptographic Keys on Resource Constrained Devices," Proceedings of the
11th Usenix Security Symposium, August 5-9, 2002 in San Francisco.
Chemists brew tiny wires
Voiceprints make crypto
Stamp corrals tiny bits
Net devices arranged
Quantum scheme lightens
Research News Roundup
Research Watch blog
View from the High Ground Q&A
How It Works
News | Blog
Buy an ad link