Upon entry of the passphrase, the system measures biometric features of the user's entry of the passphrase. We denote the -th feature by , and denote the value of feature on the -th (successful or unsuccessful) attempt to log into this user's account (i.e., generate this user's key) by . In the case of a spoken passphrase, the features are features extracted from the user's utterance as described in [16]. For the -th login attempt, the system then generates a bit string from ; is called a feature descriptor, and the -th bit of , denoted , is determined from the -th feature . Algorithms for generating from are proposed and evaluated in [16], but for the purposes of this paper, the reader can think of being determined by
After a history of feature descriptors from successful logins is observed (i.e., logins in which the key was successfully reconstructed), those elements of the table that are not typically accessed by the user are perturbed randomly. So, for example, if the feature descriptors induced by a user's biometric measurements are such that consistently, then the element of the table is randomly altered. If is sufficiently consistent that element in the table is perturbed in this way, then is called a distinguishing feature. We will give a precise characterization of distinguishing features in Section 5.
The correct user, when inducing feature descriptors consistent with those she has induced in the past, should not encounter any of the altered elements in the table. We have found, however, that in practice it is necessary for the system to attempt reconstruction using feature descriptors within some Hamming distance of the induced feature descriptor, to correct for up to "errors" by the user (e.g., see [15]). This results in up to
Specific secret sharing schemes for populating this table were investigated in [15]. That paper also included an evaluation of this approach with feature descriptors of length derived from the keystroke timings of a user while typing an -character password. There, we evaluated an implementation in which the table was additionally encrypted with the password; in this way, the technique serves to render a dictionary attack against the password up to times more difficult. Our subsequent work on voice features [16] described algorithms for generating feature descriptors from the user's voice while speaking a passphrase. It further evaluated the security and reliability of the resulting technique with feature descriptors of length derived from preexisting recordings of users over a phone line. However, in contrast to the keystroke case, here our evaluation presumed a table that was not encrypted with the passphrase, in order to avoid the costs of automatically recognizing the spoken passphrase (to decrypt the table). In this case, does not provide nearly enough security for important applications.
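The following is an added worked example, not code from the paper or from [15]/[16], that ties together the share table, the distinguishing features, and the Hamming-distance error correction described above. It assumes a concrete instantiation the paper does not fix here: the table is populated with Shamir shares of a random degree-(m-1) polynomial over a prime field, with the key as the constant term; the entry a user does not normally select for each distinguishing feature is overwritten with a random field element; the key is verified against a stored SHA-256 hash; and error correction is done by brute-force enumeration of every descriptor within Hamming distance d, which is exactly the candidate count that the text says must be kept manageable. The sample login history is constructed, and the efficient reconstruction algorithm that is the paper's contribution is not reproduced.

```python
# Added illustrative example (not the paper's code). Assumptions, labelled as
# such: Shamir sharing over a prime field populates the table, the key is
# verified with a SHA-256 hash, and Hamming-ball errors are corrected by
# brute-force enumeration of candidate descriptors.
import hashlib
import secrets
from itertools import combinations
from math import comb

P = (1 << 61) - 1  # prime field for the shares (assumption)

# Constructed sample history: m = 6 descriptors from successful logins.
# Features 0 and 4 are always 1; the others vary, so they are not distinguishing.
HISTORY = [
    [1, 0, 0, 1, 1, 0],
    [1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0],
    [1, 1, 0, 1, 1, 0],
    [1, 0, 0, 0, 1, 1],
]


def distinguishing_features(history, threshold):
    """Return {i: b} for every feature i whose descriptor bit took the value b
    in at least `threshold` of the observed successful logins."""
    n, m = len(history), len(history[0])
    dist = {}
    for i in range(m):
        ones = sum(desc[i] for desc in history)
        if ones / n >= threshold:
            dist[i] = 1
        elif (n - ones) / n >= threshold:
            dist[i] = 0
    return dist


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate_at_zero(points):
    """Lagrange interpolation: recover f(0) from m distinct points of a
    degree-(m-1) polynomial over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def build_table(key, m, dist):
    """Populate the 2 x m table: entry (b, i) holds the share f(2i + b + 1) of a
    random degree-(m-1) polynomial with f(0) = key. For each distinguishing
    feature i, the entry the user does not normally select is overwritten with
    a random field element, so a descriptor that differs there cannot recover key."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(m - 1)]
    table = [[_eval_poly(coeffs, 2 * i + b + 1) for i in range(m)] for b in (0, 1)]
    for i, b in dist.items():
        table[1 - b][i] = secrets.randbelow(P)
    return table


def key_check(key):
    """Verifier stored alongside the table so reconstruction can tell the
    correct key from garbage (assumption: a plain hash of the key)."""
    return hashlib.sha256(key.to_bytes(8, "big")).digest()


def reconstruct(table, desc, d, check):
    """Try every descriptor within Hamming distance d of desc, nearest first.
    Returns (key, attempts) on success or (None, attempts) on failure."""
    m = len(desc)
    attempts = 0
    for k in range(d + 1):
        for flips in combinations(range(m), k):
            cand = list(desc)
            for i in flips:
                cand[i] ^= 1
            attempts += 1
            points = [(2 * i + cand[i] + 1, table[cand[i]][i]) for i in range(m)]
            key = _interpolate_at_zero(points)
            if key_check(key) == check:
                return key, attempts
    return None, attempts


def hamming_ball_size(m, d):
    """Upper bound on descriptors the search may try: sum_{k<=d} C(m, k)."""
    return sum(comb(m, k) for k in range(d + 1))


if __name__ == "__main__":
    dist = distinguishing_features(HISTORY, 0.9)  # {0: 1, 4: 1}
    key = secrets.randbelow(P)
    table, check = build_table(key, 6, dist), key_check(key)
    # A single error in distinguishing feature 0 is corrected with d = 1.
    print(reconstruct(table, [0, 0, 0, 1, 1, 0], 1, check)[0] == key)
    print(hamming_ball_size(6, 2))  # 22 candidate descriptors
```

Two behaviours worth noting: a descriptor that differs from the user's history only in a non-distinguishing feature reconstructs on the first attempt, because both entries of that column are valid shares; and the candidate count grows as the Hamming-ball sum, which is why the front-end processing has to keep the descriptor length small when the reconstruction is the exhaustive search shown here.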
In this paper we address the computational challenges of performing key reconstruction on a resource-constrained PDA with more realistic parameters than our previous voice study explored. Specifically, we evaluate our implementation of this approach for feature descriptors of length , and argue that regenerating the key can be reliably achieved on a MHz StrongARM processor by correcting for up to errors (in the sense described above). The challenges in achieving this lie in the front-end signal processing needed to keep small so that expression (2) remains manageable, and in devising a secret sharing scheme and corresponding reconstruction algorithm that permit this reconstruction to occur in a reasonable amount of time on this platform. Consequently, we focus on these contributions in this paper, and refer the reader to [16] for the algorithmic details comprising the other steps of the key (re)generation process.