
Exchanging pictures to generate passwords?

Today, Ileana Buhan, a Romanian computer scientist, is presenting her PhD Thesis at the University of Twente in the Netherlands. She is using biometrics to protect confidential information when it is exchanged between two mobile devices. This is a very innovative approach to security. Buhan's biometric application will generate almost unbreakable passwords from photos taken by the connected users. Here is how it works. 'To do this, two users need to save their own photos on their PDAs. They then take photos of each other. The PDA compares the two photos and generates a security code for making a safe connection.' But read more if you're not convinced...


Secure Pairing with Biometrics

On the slide above, you can see that even the lead researcher was thinking initially of using "faces as keys" (Credit: Ileana Buhan, University of Twente)

Secure Pairing with Biometrics

But by using two pictures exchanged by the users, you can see above how safe exchanges of information can be envisioned. (Credit: Ileana Buhan, University of Twente)

This research work has been led by Ileana Buhan, a PhD student at the University of Twente -- which has probably received it as I'm typing this. Her PhD thesis is titled "Cryptographic keys from noisy data: theory and applications" and will be registered by the CTIT (Centre for Telematics and Information Technology) as number 08-129. The University of Twente news release mentioned in the introduction says that this thesis is available online. It is not -- at least as I'm writing this. But please check this PhD Thesis 2008 page tomorrow and I'm sure it will be available. You also might want to check the list of Buhan's publications.

Now, let's read more details about Buhan's method. "Buhan developed a mathematical method for storing biometric data securely. Using this data, a mobile device is able to recognize people under different circumstances, so even if the user has altered his hair drastically, the system can still recognize him. Buhan wondered if you could also use such photographs or other biometric data for accomplishing secure information exchange between two mobile devices. If Bluetooth is used to do this – again with a simple four-digit password – security and privacy cannot be guaranteed. Instead, Buhan suggested constructing a password from two photos so that it would be almost impossible to decode it. To do this, two users need to save their own photos on their PDAs. They then take photos of each other. The PDA compares the two photos and generates a security code for making a safe connection. The users can then use this connection to exchange confidential information. The photos are stored as a template that contains the essential features for recognition. This safe template transfer is not just suitable for PDAs, but for every other biometric recognition system."

For more information, you can read a 2007 technical paper written by Ileana Buhan and her three supervisors, Pieter Hartel, Raymond Veldhuis and Jeroen Doumen. The paper is titled "Secure Ad-hoc Pairing with Biometrics: SAfE." Here are two PDF links to this paper, as a slide presentation (12 slides, 138 KB) and as the full technical paper (7 pages, 224 KB). The two pictures above have been extracted from the slide presentation.

Here is the abstract of this technical article. "The pairing problem is to enable two devices, which share no prior context with each other, to agree upon a security association that they can use to protect their subsequent communication. Secure pairing should offer guarantees of the association partner's identity and it should be resistant to eavesdropping or to a man-in-the-middle attack. We propose a user friendly solution to this problem. Keys extracted from images of the participants are used for authentication. Details of the SAfE pairing system are presented along with a discussion of the security features and a usability analysis."
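As an added illustration (not code from the article, the thesis or the SAfE paper), the sketch below shows one textbook way to derive a stable key from noisy data: a code-offset construction with a 5-fold repetition code. The bit-string template, the repetition factor and all function names are assumptions made for the example; the page does not describe the internals of Buhan's scheme.

```python
import hashlib
import secrets

REP = 5  # assumed: each secret bit is repeated 5 times, so 2 flips per block are corrected

def encode(bits):
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    # Majority vote inside each block of REP bits.
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def derive_key(secret_bits):
    return hashlib.sha256(bytes(secret_bits)).hexdigest()

def enroll(template):
    """Bind a random secret to the template; only the helper data is stored."""
    secret = [secrets.randbits(1) for _ in range(len(template) // REP)]
    helper = xor(encode(secret), template)
    return helper, derive_key(secret)

def reproduce(fresh_reading, helper):
    """fresh XOR helper = codeword XOR noise; decoding removes small noise."""
    return derive_key(decode(xor(fresh_reading, helper)))

def flip(bits, positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed 40-bit stand-in for a feature template extracted from a photo.
TEMPLATE = [int(c) for c in "1011001110001011010011100101100111010010"]

if __name__ == "__main__":
    helper, key = enroll(TEMPLATE)
    # Same person, different photo: a few bits differ (at most 2 per block).
    same_person = flip(TEMPLATE, {0, 1, 7, 12, 14, 33})
    # Too much noise in one block: majority vote fails, key changes.
    too_noisy = flip(TEMPLATE, {0, 1, 2})
    # Constructed impostor template: every bit differs.
    impostor = [b ^ 1 for b in TEMPLATE]
    print("same person :", reproduce(same_person, helper) == key)
    print("too noisy   :", reproduce(too_noisy, helper) == key)
    print("impostor    :", reproduce(impostor, helper) == key)
```

A repetition code keeps the example short but is far too weak for real templates, and helper data always leaks some information about the template, which is why the error-correcting code and the entropy of the features have to be chosen together.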

Finally, I hope that Ileana Buhan got her PhD today.

Sources: University of Twente news release, October 22, 2008; and various websites
