THESIS

Non-Intrusive Subscriber Authentication for Next Generation Mobile Communication Systems

by

PHILIP MAURICE RODWELL

A thesis submitted to the University of Plymouth in partial fulfilment for the degree of:

DOCTOR OF PHILOSOPHY

School of Computing, Communication & Electronics

In collaboration with

Orange Personal Communication Services Ltd.

January 2006

Abstract

Non-Intrusive Subscriber Authentication for Next Generation Mobile Communication Systems

Philip Maurice Rodwell B.Eng.(Hons)

The last decade has witnessed massive growth in both the technological development, and the consumer adoption of mobile devices such as mobile handsets and PDAs. The recent introduction of wideband mobile networks has enabled the deployment of new services with access to traditionally well protected personal data, such as banking details or medical records. Secure user access to this data has however remained a function of the mobile device's authentication system, which is only protected from masquerade abuse by the traditional PIN, originally designed to protect against telephony abuse.

This thesis presents novel research in relation to advanced subscriber authentication for mobile devices. The research began by assessing the threat of masquerade attacks on such devices by way of a survey of end users. This revealed that the current methods of mobile authentication remain extensively unused, leaving terminals highly vulnerable to masquerade attack. Further investigation revealed that, in the context of the more advanced wideband enabled services, users are receptive to many advanced authentication techniques and principles, including the discipline of biometrics which naturally lends itself to the area of advanced subscriber based authentication.

To address the requirement for a more personal authentication capable of being applied in a continuous context, a novel non-intrusive biometric authentication technique was conceived, drawn from the discrete disciplines of biometrics and Auditory Evoked Responses. The technique forms a hybrid multi-modal biometric where variations in the behavioural stimulus of the human voice (due to the propagation effects of acoustic waves within the human head), are used to verify the identity of a user. The resulting approach is known as the Head Authentication Technique (HAT).

Evaluation of the HAT authentication process is realised in two stages. Firstly, the generic authentication procedures of registration and verification are automated within a prototype implementation. Secondly, a HAT demonstrator is used to evaluate the authentication process through a series of experimental trials involving a representative user community. The results from the trials confirm that multiple HAT samples from the same user exhibit a high degree of correlation, yet samples between users exhibit a high degree of discrepancy. Statistical analysis of the prototype's performance realised early system error rates of FNMR = 6% and FMR = 0.025%. The results clearly demonstrate the authentication capabilities of this novel biometric approach and the contribution this new work can make to the protection of subscriber data in next generation mobile networks.

Dedication

for Neeta.

Contents

Abstract iii

Contents v

List of Figures xii

List of Tables xviii

Acknowledgments xix

Declaration xxi

Use of Conventions xxii

Glossary of Abbreviations xxiii

Glossary of Terms xxvi

1 Introduction and Overview 2

1.1 The Mobile Telephone 2

1.2 Research Requirements 6

1.3 Thesis Structure 8

1.3.1 PhD Research Foundations 8

1.3.2 PhD Research and Development 10

1.3.3 PhD Research Conclusions 11

2 Mobile Communications and Mobile Security 13

2.1 Introduction 13

2.2 Mobile Communications Systems 15

2.2.1 A Basic Mobile Communications Architecture 15

2.2.2 2nd Generation Mobile Communications 17

2.2.2.1 Introduction to GSM 17

2.2.2.2 GSM Services 18

2.2.2.3 GSM Derivative Technologies (2.5G) 19

2.2.3 3rd Generation Mobile Communications 19

2.2.3.1 3G Bodies and Standards 19

2.2.3.2 Introduction to UMTS 20

2.2.3.3 3G (UMTS) Services 21

2.2.4 Beyond 3rd Generation 24

2.2.4.1 High Speed Downlink Packet Access 25

2.2.4.2 4th Generation 26

2.3 Mobile Security 27

2.3.1 The SIM Card 27

2.3.1.1 SIM Formats 28

2.3.2 The IMEI Code 29

2.3.2.1 IMEI Black Listing 30

2.3.2.2 Reprogramming the IMEI: The Mobile Reprogramming Act, 2002 ... 31

2.3.2.3 Subscriber Identity Confidentiality (IMSI and TMSI) 32

2.3.3 The User PIN - Real Subscriber Authentication 33

2.3.3.1 Bypassing a handset's PIN code 35

2.3.3.2 Enhancing Authentication Security 36

2.3.4 3rd Party Security 38

2.3.5 Mobile Authentication Methodology 38

2.3.6 3G (UMTS) Security Drivers 40

2.3.7 Terminal vs. Network-centric Security 43

2.3.7.1 Terminal-centric Security 43

2.3.7.2 Network-centric Security 44

2.3.7.3 Mobility 45

2.3.8 Continuous, Non-Intrusive Security 47

2.4 Conclusion 48

3 Assessing Subscribers' Attitudes towards Mobile Services and Security 50

3.1 Introduction 50

3.2 Demography 52

3.3 Access and Services 53

3.3.1 Network Operator Survey Shares 53

3.3.2 Handset Supplier Survey Shares 55

3.3.3 Network Operator Selection Criteria 56

3.3.4 Handset Selection Criteria 58

3.3.5 Services Usage 59

3.3.6 Preferences for Future Services 60

3.4 Mobile Security 62

3.4.1 Experiences of Mobile Handset Abuse 62

3.4.2 User Issues Regarding Mobile Handset Authentication 64

3.5 Topic Awareness 67

3.6 Conclusion 69

4 Biometrics and Mobile Devices 71

4.1 Introduction 71

4.2 What You Are 73

4.2.1 Authentication Security Focus 74

4.2.2 Factors Affecting Biometric Systems 75

4.2.3 False Match and False Non-Match Errors 80

4.2.4 Identification versus Verification 82

4.2.5 Threats to Biometric Systems 84

4.3 Biometric Techniques 85

4.3.1 Physiological Biometric Techniques 89

4.3.1.1 Fingerprint 89

4.3.1.2 Hand-Geometry 90

4.3.1.3 Facial-Recognition (2-Dimensional) 91

4.3.1.4 Iris-Scan 92

4.3.2 Other Physiological Techniques 94

4.3.2.1 Retina-Scan 94

4.3.2.2 Vein-recognition 95

4.3.2.3 Facial-Recognition 3D 95

4.3.2.4 Ear-Geometry 96

4.3.2.5 Facial Thermography 96

4.3.3 Behavioural Biometric Techniques 97

4.3.3.1 Speaker-Recognition 97

4.3.3.2 Signature-Recognition 98

4.3.3.3 Keystroke-Dynamics 99

4.3.4 Other Behavioural Techniques 101

4.3.4.1 Service Profiling 101

4.3.4.2 Gait-Recognition 101

4.4 Biometrics and Mobile Handsets 102

4.5 Assessing Subscribers' Attitudes towards Biometrics and Advanced Mobile Security 104

4.5.1 Users' attitudes towards biometric authentication 104

4.5.2 User's awareness and understanding of biometric techniques 105

4.5.3 User's impression of continuous authentication 108

4.5.4 Storing biometrics' templates 109

4.5.5 Conclusion 110

5 Conception of the Head Authentication Technique 113

5.1 Introduction 113

5.2 The Human Ear and Auditory Analysis Techniques 115

5.2.1 Hearing and Anatomy of the Human Ear 116

5.2.1.1 The Eustachian tube 118

5.2.2 Ear-prints and 'earology' 119

5.2.3 Auditory Evoked Responses & Otoacoustic Emissions 120

5.2.3.1 Introduction to OAEs 121

5.2.3.2 Capturing OAEs 123

5.2.3.3 OAE Stimuli 123

5.2.3.4 A Practical Evaluation of OAEs for an Authentication Role 125

5.2.3.4a Tympanogram 125

5.2.3.4b Audiogram 126

5.2.3.4c Otoacoustic Emissions 128

5.2.3.4d Clinical Tests Conclusion 129

5.3 The Human Head and Acoustic Head-Recognition 130

5.3.1 Anatomy of the human head 131

5.3.1.1 Propagation of sound waves in the head 132

5.3.2 Acoustic biometrics of the human head for user authentication 134

5.3.2.1 Acoustic Stimuli 135

5.3.2.1a Out-of-band stimuli 135

5.3.2.1b In-band Stimuli 136

5.3.2.1c Naturally Occurring Stimuli 137

5.3.2.2 Authentication Approaches 137

5.3.2.2a Artificial stimulus: Ear-in, Ear-out 138

5.3.2.2b Artificial stimulus: Ear-in, Mouth-out 138

5.3.2.2c Artificial stimulus: Mouth-in, Ear-out 139

5.3.2.2d Natural stimulus (Voicebox): Ear-out, Mouth-out (HAT) 140

5.4 Conclusion 142

6 Realisation of the Head Authentication Technique 144

6.1 Introduction 144

6.2 The Head Authentication Absorption Method 145

6.2.1 Stage-1 Capture HAT Sample Data 147

6.2.1.1 HAT Microphones 148

6.2.1.2 Captured Soundfile Format 149

6.2.1.3 The Captured Soundfile Waveform 152

6.2.2 Stage-2 Filter HAT Sample Data 153

6.2.2.1 Finite Impulse Response HAT Filter 155

6.2.3 Stage-3 Absorption between Filtered Frequency Pairs 160

6.2.4 Stage-4 Neural-Network Analysis of Absorption Frequency Pairs 162

6.2.4.1 A Neural-Network for HAT 164

6.2.5 Stage-5 User Classification and System Response 167

6.2.6 The HAT Template 169

6.2.6.1 The 4000Hz Cut-off 172

6.2.6.2 Statistical Analysis of a HAT Template 176

6.3 The Head Authentication Correlation Method 178

6.3.1 Stage-3 Correlation of Filtered Frequency Pairs 179

6.3.1.1 Normalisation of the Ear Sample Waveform 181

6.3.1.2 The 4000Hz Cut-off 182

6.3.2 Correlation Analysis 187

6.4 Conclusion 189

7 Evaluation of the Head Authentication Technique 191

7.1 Introduction 191

7.2 The HAT Demonstration Tool 193

7.2.1 The HAT Headset 193

7.2.2 The HAT Application 196

7.2.2.1 Foundations of the HAT Application 196

7.2.2.2 Navigating the HAT Application Interface 199

7.2.2.3 Registering a New User 204

7.2.2.4 Authenticating an Existing User 209

7.2.2.4a The HAT 'Identify' Confidence-bar 212

7.3 The HAT Trials 213

7.3.1 Preparation for the Trials 213

7.3.2 Selection of the Trial Volunteers 214

7.3.3 Conducting the Trials 215

7.3.4 HAT Trials Results 215

7.3.4.1 HAT Stage-3 Absorption templates 216

7.3.4.2 HAT Stage-4 (Neural-network) Analysis 220

7.3.4.2a Example 1: User u18_And (Threshold > 0.9) 222

7.3.4.2b Example 2: User u09_Stv (Threshold > 0.7) 222

7.3.4.2c Example 3: User u10_Pau (Threshold ~ 0.4) 222

7.3.4.2d Example 4: User u01_Phi (Threshold = 0.2) 226

7.3.4.2e Example 5: User u17_Pet (Foreign Language, Threshold = 0.5) 226

7.3.4.3 System Authentication Thresholds and Error Rates 229

7.4 Conclusion 230

8 Conclusion 232

8.1 Achievements of the Research 235

8.2 Limitations of the Research 236

8.3 Future Research Work 237

8.4 Authentication in Next Generation Mobile Systems 238

References 240

Internet Links 249

Bibliography 254

Appendices 256

Appendix A Anatomy of the Subscriber Identity Module (SIM) 258

Appendix B A Breakdown of the IMEI Code 262

Appendix C Mobile Phone Security Survey 265

Appendix D The Resource Interchange File Format (RIFF) 274

Appendix E An Introduction to Neural Networks 278

Appendix F The HAT Demonstration Tool Manual 281

Appendix G HAT Trials Timetable 306

Appendix H Published Works 308

H1 Conference Invited Speaker (Powerpoint) 309

H2 Published Paper 314

H3 Poster Presentation 321

H4 Published Paper 323

H5 Journal Article 328

H6 Poster Presentation 332

H7 Published Paper 334

H8 Journal Paper 340

H9 Poster Presentation 353

H10 Poster Presentation 355

H11 Additional Published Works 357

Appendix I Patent Material 359

I1 Patent Proposal 360

I2 UK Patent Application - no. 2,375,205 364

I3 US Patent Application - no. 10/476,588 399

(Notes) 406

List of Figures

Figure 1-1 : The evolution of the cellular mobile handset: Nokia brand 3

Figure 2-1 : Schematic of a basic mobile communications architecture 15

Figure 2-2 : 3G Services framework 22

Figure 2-3 : Worldwide revenues forecast from all 3G services 24

Figure 2-4 : Plug-in SIMs 28

Figure 2-5 : Example of an IMEI reprogramming utility 32

Figure 2-6 : The mobile telephony authentication chain 34

Figure 2-7 : A mobile handset modified to bypass the PIN 36

Figure 2-8 : The Sagem MC 959 ID mobile handset (ST/Upek fingerprint sensor) 37

Figure 2-9 : The Fujitsu F505i mobile handset (Authentec fingerprint sensor) 37

Figure 3-1 : Security survey demography 52

Figure 3-2 : Network operators' market-shares 54

Figure 3-3 : Handset manufacturers' market-shares 55

Figure 3-4 : Handset manufacturers' market-shares correlation plot 56

Figure 3-5 : Network operator user selection criteria 56

Figure 3-6 : Network operator user selection criteria (linked maximum values) 57

Figure 3-7 : Mobile handset user selection criteria 58

Figure 3-8 : Mobile services popularity (circa 2003) 59

Figure 3-9 : Future mobile services' user preferences 60

Figure 3-10 : Personal experiences of handset abuse 63

Figure 3-11: Frequency of mobile handset PIN changes 65

Figure 3-12 : Users' perceived effectiveness of the PIN mechanism 66

Figure 3-13 : General user awareness of mobile issues 68

Figure 4-1 : Biometric revenue growth, 2001-2006 73

Figure 4-2 : Security focus in a knowledge/token based security system 74

Figure 4-3 : Security focus in a biometric based security system 74

Figure 4-4 : The ideal FNMR vs. FMR performance curve(s) 81

Figure 4-5 : Typical FNMR vs. FMR performance curve(s) 81

Figure 4-6 : Zephyr diagram of key biometric criteria (IBG 2004) 87

Figure 4-7 : Biometrics market-share, by technology (IBG 2004) 88

Figure 4-8 : The mutually opposed goals of speaker and speech-recognition 97

Figure 4-9 : Biometrics applicable to mobile handsets 102

Figure 4-10 : Survey respondent's acceptance of biometric authentication 104

Figure 4-11 : Survey respondent's awareness and acceptance of biometric techniques 105

Figure 4-12 : Survey respondent's acceptance of continuous authentication 108

Figure 4-13 : Survey respondent's preference for biometric-template storage 109

Figure 5-1 : Frequency ranges of the human vocal and auditory systems 116

Figure 5-2 : The anatomy of the Human Ear 117

Figure 5-3 : Clinical Tests - Tympanogram 126

Figure 5-4 : Clinical Tests - Audiogram 127

Figure 5-5 : Clinical Tests - Otoacoustic Emissions 128

Figure 5-6 : MRI vertical bisection of a human head 131

Figure 5-7 : Intensity of common sounds encountered by the human ear 135

Figure 5-8 : Acoustic authentication using artificial stimulus: Ear-in, Ear-out 138

Figure 5-9 : Acoustic authentication using artificial stimulus: Ear-in, Mouth-out 139

Figure 5-10 : Acoustic authentication using artificial stimulus: Mouth-in, Ear-out 139

Figure 5-11: Natural voicebox stimulus approach to acoustic head authentication .... 140

Figure 5-12 : The frequency ranges o f the human voice (voicebox) 141

Figure 6-1 : The five discrete stages of the HAT (absorption) authentication process 146

Figure 6-2 : The HAT Headset microphones configuration 147

Figure 6-3 : HAT Stages flowchart - Stage-1 (Capture waveforms) 148

Figure 6-4 : Compound frequency absorption curves of the numbers '0' to '9' - HAT trial participant 'u03_viv' (100Hz < bw < 8000Hz) 151

Figure 6-5 : A Typical HAT wavefile pair 152

Figure 6-6 : Typical noise floor(s) of a HAT wavefile pair 152

Figure 6-7 : HAT Stage-2 Filter spot-frequencies 153

Figure 6-8 : HAT Stages flowchart - Stage-2 (Filter waveforms) 155

Figure 6-9 : Frequency response of an ideal HAT Stage-2 Filter (n = 6001) 157

Figure 6-10 : Frequency response of an inadequate HAT Stage-2 Filter (n = 101) 158

Figure 6-11 : Frequency response of an improved HAT Stage-2 Filter (n = 501) 158

Figure 6-12 : Frequency response of the final HAT Stage-2 Filter (n = 1301) 159

Figure 6-13 : HAT Stages flowchart - Stage-3 (Absorption calculation) 161

Figure 6-14 : HAT Stages flowchart - Stage-4 (Neural-network analysis) 163

Figure 6-15 : The single layer, twenty-five neuron neural-network adopted by HAT... 164

Figure 6-16 : A twenty-five input HAT neuron 165

Figure 6-17 : Training a new user's HAT neural-network for 1 in 10,000 errors 165

Figure 6-18 : Training a new user's HAT neural-network for 1 in 1000 errors 166

Figure 6-19 : The mutually exclusive relationship between HAT authentication thresholds and match error rates vs. user-base template variance 167

Figure 6-20 : Complete HAT Stages flowchart - Stage-5 (User Classification) 168

Figure 6-21 : Mouth, Ear input and HAT template output curves of the number '0' 170

Figure 6-22 : Mouth, Ear input and HAT template output curves of the number '3' 170

Figure 6-23 : Compound Mouth, Ear input and HAT template output curves of the number M HAT trial user 'u01_phi' (100Hz < bw < 4000Hz) 171

Figure 6-24 : Compound Mouth, Ear input and HAT template output curves of the numbers '0' to '9'. HAT trial user 'u01_phi' (100Hz < bw < 4000Hz) 171

Figure 6-25 : Compound frequency absorption curves of the number ' T (x10) - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz) 173

Figure 6-26 : Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz) 173

Figure 6-27 : Compound frequency absorption curves of the number ' T (x10) - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz) 174

Figure 6-28 : Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz) 174

Figure 6-29 : Five mean frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz) 175

Figure 6-30 : Three mean frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz) 175

Figure 6-31 : Statistical analysis curves for a HAT capture waveform set 176

Figure 6-32 : The five discrete stages of the correlation authentication process 179

Figure 6-33 : Cross-correlation of Mouth and Ear waveforms 179

Figure 6-34 : Modified HAT Stages flowchart - Stage-3, showing additional correlation method Stage-1 Normalisation and Stage 3 Correlation 180

Figure 6-35 : Captured HAT waveform pair (Mouth & Ear) of the number '2' 181

Figure 6-36 : Normalised HAT waveform pair (Mouth & Ear) of the number '2' 182

Figure 6-37 : Legend of correlation Figure 6-37 to Figure 6-44 inclusive 182

Figure 6-38 : HAT Analysis - Capture, Filter and Correlation @ 1000Hz 183

Figure 6-39 : HAT Analysis - Capture, Filter and Correlation @ 2000Hz 183

Figure 6-40 : HAT Analysis - Capture, Filter and Correlation @ 3000Hz 184

Figure 6-41 : HAT Analysis - Capture, Filter and Correlation @ 4000Hz 184

Figure 6-42 : HAT Analysis - Capture, Filter and Correlation @ 5000Hz 185

Figure 6-43 : HAT Analysis - Capture, Filter and Correlation @ 6000Hz 185

Figure 6-44 : HAT Analysis - Capture, Filter and Correlation @ 7000Hz 186

Figure 6-45 : HAT Analysis - Capture, Filter and Correlation @ 8000Hz 186

Figure 6-46 : Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz) 187

Figure 6-47 : Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz) 188

Figure 7-1 : The replacement ear microphone of the HAT Headset 193

Figure 7-2 : A HAT headset high-quality electret lavalier microphone 194

Figure 7-3 : The hardware composing the HAT Headset 195

Figure 7-4 : Correlation Authentication Rig - Collector 197

Figure 7-5 : Correlation Authentication Rig - Analyser 198

Figure 7-6 : Early example of the HAT Application 199

Figure 7-7 : The HAT Application main interface during a HAT Capture cycle 200

Figure 7-8 : HAT Application tabbed options frames 202

Figure 7-9 : HAT Help menu example - HAT Introduction 203

Figure 7-10 : HAT Application settings review frame (two views) 205

Figure 7-11: HAT Application - Stage-1 Capture and validation plot 206

Figure 7-12 : HAT Application - Stage-3 Absorption plot of a user's waveform pair.. 207

Figure 7-13 : HAT Application - Registered HAT trial user's pull-down list 209

Figure 7-14 : HAT Application - Stage-4 (neural-network) Analysis plot 211

Figure 7-15 : HAT Application - Identity confidence-bar 212

Figure 7-16 : HAT Template of trial participant - u01_Phi 217

Figure 7-17 : HAT Template of trial participant - u03_Viv 217

Figure 7-18 : HAT Template of trial participant - u04_Ang 218

Figure 7-19: HAT Template of trial participant - u06_Zak 218

Figure 7-20 : HAT Template of trial participant - u09_Stv 219

Figure 7-21 : HAT Template of trial participant - u10_Pau 219

Figure 7-22 : Neural-network testing: Ideal response 221

Figure 7-23 : Neural-network testing of user: u18_And (Training Session 1) 223

Figure 7-24 : Neural-network testing of user: u18_And (Identify Session 2) 223

Figure 7-25 : Neural-network testing of user: u09_Stv (Training Session 1) 224

Figure 7-26 : Neural-network testing of user: u09_Stv (Identify Session 2) 224

Figure 7-27 : Neural-network testing of user: u10_Pau (Training Session 1) 225

Figure 7-28 : Neural-network testing of user: u10_Pau (Identify Session 2) 225

Figure 7-29 : Neural-network testing of user: u01_Phi (Training Session 1) 227

Figure 7-30 : Neural-network testing of user: u01_Phi (Identify Session 2) 227

Figure 7-31 : Neural-network testing of user: u17_Pet (Training Session 1 - Foreign) 228

Figure 7-32 : Neural-network testing of user: u17_Pet (Identify Session 2 - Foreign) 228

Figure A-1 : Block diagram of a typical SIM 258

Figure A-2 : The code variations of the IMEI 262

Figure A-3 : A single layer five neuron neural-network 278

Figure A-4 : A single input neuron 279

List of Tables

Table 2-1 : The evolution of cellular mobile communication technologies 14

Table 2-2 : Format of the IMSI 32

Table 4-1 : Comparison of the three authentication categories, with a selection of key authentication issues 75

Table 4-2 : Equal error rates of popular biometrics, by technology 82

Table 4-3 : Summary of physiological biometric techniques for mobile application ... 93

Table 4-4 : Summary of behavioural biometric techniques for mobile application.... 100

Table 4-5 : Suitability of various biometric techniques to application within a mobile handset 103

Table 5-1 : Relative densities of the biological components of the human head 134

Table 6-1 : Quantisation levels and dynamic-range based on bits-per-sample 150

Table 6-2 : Matlab Code for the HAT Stage-2 Filter 156

Table 6-3 : Computers traditional strengths and weaknesses 162

Table 7-1 : Technical specifications of the HAT headset microphones 194

Table A-1 : IMEI Final Assembly Codes (FAC) 263

Table A-2 : Table of common neural-network transfer function 279

Table A-3 : HAT Trial participants' session data 306

Notes

Table A-4 : Thesis Statistics 406

Table A-5 : Development System 406

Table A-6 : Software Bibliography 407

Acknowledgments

This research PhD was made possible through the industrial sponsorship of Orange PCS Ltd.¹, and the resources of the Network Research Group at the University of Plymouth².

I am deeply indebted to my Director of Studies, and manager of the Network Research Group, Dr. Steven Furnell; whose patience and support, beyond his professional calling, enabled the author to realise an academic achievement far beyond his own vision. A consummate professional and a yardstick by which any Supervisor can be measured.

Thanks must also go to my industrial supervisor, Professor Paul Reynolds, whose original vision set down the foundations for the research and with whose professional experience and expertise the head authentication patents were drafted. A man whose intolerance of adverbs is matched only by his generosity and wit.

Thanks go to Dr. Howard Taylor (Chief audiologist, Derriford hospital, circa 2002) for our discussions on the principles of sound, the anatomy of the human ear and for conducting the audiology (otoacoustic) trials (Section 5.2.3.4). Special mention also goes to my colleagues within the University of Plymouth, notably: Dr. Zaki Achmed for his non-impulsive finite responses to my questions on digital filters; Dr. Nathan Clarke for his cooperation conducting the security survey and discussions on neural-networks; Dr. Paul Dowland for his encyclopaedic knowledge of software engineering and willingness to share it; Dr. Licha Mued for sharing the psychological burden of a research PhD; and Dr. Harjit Singh for his enlightened sole and spirit for research: Akal.

¹ Orange Personal Communications Services Limited, Bradley Stoke, Bristol, UK.

² University of Plymouth, Drake Circus, Plymouth, UK.

To my wife I dedicate this work, for her patience and unerring support through the PhD years; no words can ever express my love and gratitude, and no gesture repay her devotion and sacrifice. I would also like to thank my parents for their life investment in me, most recently for my mother's time and family support during the latter writing up phase of the research.

Finally to my children, who have become as much a part of this journey as the research itself: As you take your first steps into the world of academia, I hope that you are inspired by the wealth of knowledge that awaits you and tempted by the new discoveries that await your generation.

Phil Rodwell

Declaration

At no time during the registration for the degree of Doctor of Philosophy has the author been registered for any other University award.

This research was funded by Orange Personal Communications Services Ltd., and is solely the work of the author.

Relevant conferences were regularly attended, where work was frequently presented, and a number of external establishments visited for consultation purposes. Details of publications are listed in the thesis appendices.

Thesis word count (Abstract and Chapters 1 through 8) : 48,000 words (approx.).

Signed:

Date:

Use of Conventions

Within the context of this document the following conventions apply:

Chapter/Section numbering

Syntax: <Chapter #>.<Section #>[.<sub-Section #>][.<sub-Section #>][.<Char>]

• Where <Chapter #> is defined by: 1 # 8

• Where <[sub-]Section #> is any number

• Where <Char> is a lower-case letter in the series: a, b, c...z

Cross-reference(s)

Syntax: ([see] Chapter # | Section #. #[.#. #])

• Where Chapter # is defined by: 1 # 8

• Where Section # is any number

• Where the optional [see] denotes a subject covered later in the thesis.

Figures and Tables

Syntax: Figure | Table <Chapter #|A> - <Figure #>

• Where <Chapter #> is defined by: 1 # 8 or A (denotes Appendix)

• Where <Figure #> is any number

Footnote(s)

Footnote numbering is page independent.

Internet Links

Syntax: (Link: <name>).

• Where <name> is an index to a reference in the list of Internet Links at the end of the thesis.

Reference citation(s) (Harvard)

Syntax: (<Surname> <year>).

• Where <Surname> is an index to a reference in the list of References at the end of the thesis.

Glossary of Abbreviations

#G - # Generation (of mobile communications) (see Table 2-1)

3GPP - Third Generation Partnership Project

ABR - Auditory Brainstem Response

ADSL - Asynchronous Digital Subscriber Line

AER - Auditory Evoked Response

AuC - Authentication Centre (ref SIM)

bps - bits-per-second (ref PCM)

CCD - Charge Coupled Device (digital camera light sensor)

CCTV - Closed Circuit Television

CDMA - Code Division Multiple Access

CEIR - Central Equipment Identity Register (ref IMEI)

CEPT - Conference of European Posts and Telegraphs

CHEOAE - CHirp Evoked OtoAcoustic Emissions (ref. OAE)

CPU - Central Processing Unit (a microprocessor)

DECT - Digital Enhanced Cordless Telephone (range < 300m)

DPOAE - Distortion Product OtoAcoustic Emissions (ref OAE)

EDGE - Enhanced Data rates for GSM Evolution

EEPROM - Electrically Erasable Programmable ROM (ref SIM)

EER - Equal Error Rate

EIR - Equipment Identity Register (ref IMEI)

ENT - Ear Nose and Throat (Medical field)

EOAE - Evoked OtoAcoustic Emissions (ref OAE)

ESN - Electronic Serial Number

ETSI - European Telecommunications Standards Institute

FAR - False Acceptance Rate (see also Glossary of Terms)

FIR - Finite Impulse Response (ref. Digital filters)

FMR - False Match Rate (see also Glossary of Terms)

FNMR - False Non-Match Rate (see also Glossary of Terms)

FRR - False Rejection Rate (see also Glossary of Terms)

G3G - Global 3rd Generation

GPRS - General Packet Radio Service

GSM - Global System for Mobile communications (originally: Groupe Speciale Mobile (French))

HAT - Head Authentication Technique

HCI - Human-Computer Interface

HSCSD - High Speed Circuit Switched Data

HSDPA - High Speed Downlink Packet Access

IMEI - International Mobile Equipment Identity

IMSI - International Mobile Subscriber Identity

INCITS - International Committee for IT Standards

ISO - International Organization for Standardization

ITU - International Telecommunications Union

LBS - Location Based Services

MMI - Man-Machine Interface (an outdated term referring to an HCI)

MMS - Multimedia Message Service

MWIF - Mobile Wireless Internet Forum

OAE - OtoAcoustic Emission (ref AER)

OHG - Operator Harmonisation Group

OMA - Open Mobile Alliance

PCM - Pulse Code Modulation (digital sampling technique)

PCS - Personal Communications System

PDA - Personal Digital Assistant (electronic filofax)

PCN - Personal Communications Network

PIN - Personal Identification Number

PoE - Point of Entry

QoS - Quality of Service

RAM - Random Access Memory (ref SIM)

RCA - Radio Control Authority

RFID - Radio Frequency IDentification (electronic tagging)

RIFF - Resource Interchange File Format (Appendix D)

RMS - Root Mean Square

ROM - Read Only Memory (ref EEPROM)

SIM - Subscriber Identity Module

SMS - Short Message Service

SOAE - Spontaneous OtoAcoustic Emissions (ref OAE)

TACS - Total Access Communication System (1G Analogue)

TEOAE - Transient Evoked OtoAcoustic Emissions (ref OAE)

TDMA - Time Division Multiple Access (2G/GSM)

TMSI - Temporary Mobile Station Identifier

UMTS - Universal Mobile Telecommunications System (3G mobile technology for Europe, Japan and North America)

WAP - Wireless Access Protocol

wav - File extension for wavefile format (ref RIFF, Appendix D)

W-CDMA - Wideband - Code Division Multiple Access

Glossary of Terms

Within the context of this document the following definitions are assumed:

Authentication

The act of proving the validity of the claimed identity of a user on a system.

(See also the definition of 'Biometric Authentication' in thesis sub-Section 4.2.4.)

Broadband

A bandwidth defined by: 2 Mbps < Broadband < 1 Gbps.

Biometric Password

An authorisation code derived from a user's distinctive Physiological or Behavioural characteristics; known as biometric markers.

Continuous

A discrete action occurring indefinitely at either a fixed or variable time interval.

Cordless Handset

A low range mobile telephony device specifically for use in the home. E.g. DECT

Equal Error Rate

The common threshold value where the FAR and FRR of a system are equal.

False Acceptance Rate

a Type II error (see also FMR).

False Match Rate

Alternative to 'False Acceptance Rate'. Used to avoid confusion in scenarios that reject the claimant if their biometric template matches that of an enrolee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of 'False Acceptance' and 'False Rejection' (Link: iAfB/ICSA).

False Non-Match Rate

Alternative to 'False Rejection Rate'. Used to avoid confusion in scenarios that reject the claimant if their biometric template matches that of an enrolee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of 'False Acceptance' and 'False Rejection' (Link: iAfB/ICSA).

False Rejection Rate

The probability that an authorised user will falsely fail system authentication: also known as a Type I error (see also FNMR).

Identification

The act of determining the identity of an unknown user on a system.

(See also the definition of 'Biometric Identification' in thesis sub-Section 4.2.4.)

Mobile Device

Any hand-held mobile communications device, including though not exclusively: mobile handsets, Personal Digital Assistants (PDA), laptop & palmtop computers.

Mobile Handset

A mobile (cellular) device, designed primarily, though not exclusively, for telephony.

Mobile Terminal

A wireless interface to a distributed communications network: not necessarily a mobile handset.

Mobility

The convenience of accessibility of a distributed communications network via:

• Terminal - The ability of a mobile terminal to roam within a distributed network

• Personal - The ability of a mobile user to roam within a distributed network.

Non-Intrusive

A service or procedure that is transparent in operation to the system user.

Smartphone

Any electronic handheld device that integrates the functionality of a mobile handset with a personal digital assistant or other information appliance.

Subscriber

The legitimate registered user of: a mobile device, mobile network or mobile service.

User

Any person capable of utilising a mobile device; not necessarily the registered user.

Verification

See Authentication.

Wideband

A bandwidth defined by: 9.6 Kbps < Wideband < 2 Mbps.

"Measure what is measurable, and make measurable what is not so. "

Galileo Galilei

Chapter 1 : Introduction and Overview

Chapter 1

Introduction and Overview

1 Introduction and Overview

This chapter introduces the PhD research area, identifies the research focus, specifies the research requirements and objectives and provides a complete systematic breakdown of the thesis with individual chapter summaries.

1.1 The Mobile Telephone

Within a single generation, a vision of personal communications proposed by luminaries such as Arthur C. Clarke (1945) & Carl Sagan (1978) has left the realms of conceptual theory and become an everyday reality, spearheaded by a multi-functional masterpiece of miniaturisation endearingly referred to as the 'mobile'.

With the introduction of the domestic CD in 1985 (Philips 1985), digitised sound was perceived to enter homes en-masse for the first time and the term 'digital' firmly entered the vernacular of the general population. The adoption of digitisation of the human vocal spectrum for telephony application brought management of the data stream within the control of advancing computer technology, and the subsequent convergence of communications and computer technology was inevitable.

The introduction of the Global System for Mobile communications (GSM) in 1991 (CellularOnline 2006a) gave digital telephony the mobile medium it required to appeal to a new technology hungry generation. The implications to the consumer were that the once dumb shackled telephone has evolved into a mobile, internationally networked, computing device with excellent processing and storage capabilities. By the early years of the 21st Century, GSM based mobile communications devices represented 78% of the world's digital mobile market and numbered in excess of 1.6 billion (GSM World 2005); outstripping even the sale of traditional personal computers which themselves experienced excellent annual growth in 2005 of 16% (Sharma 2005).

Figure 1-1 shows the generational evolution of the mobile handset over the last 15 years, from the modern day multi-functional network terminal back to the first rudimentary mobile telephone, as presented by one of Europe's biggest handset suppliers: Nokia.

Figure 1-1 : The evolution of the cellular mobile handset: Nokia brand

The primary selling point of post 2G mobile devices is the plethora of services the hardware enables. Having inherited many of the capabilities of the traditional Personal Digital Assistant (PDA), including: comprehensive address books, work planners and schedulers; current mobile devices offer many functions originally only available on a networked computer, including: email, internet, e-commerce and extensive multimedia capabilities. The latest 'smartphone' mobile devices have evolved into a new generation of combined hardware and services, enabling users to perform video-conferencing, watch live news, weather or sports broadcasts, locate bars and restaurants near to their location and pay for goods with virtual money, locate theatres near to their location and book tickets before receiving live directions to the venue (Link: BBC Mobile Services).

With around 1 in 4 of the world population now in possession of a mobile communications device (CellularOnline 2006b), along with the decentralisation of the modern business environment, current mobile service providers are competing for unprecedented access to hundreds of millions of customers, for whatever post telephony services they care to conceive. It is, however, a disturbing reality that as these services probe deeper into the world of personal consumer data, once the preserve of trusted redbrick institutions, the levels of data protection offered are emerging as secondary to the revenue such services can provide. In fact, in many cases, confidential information is usually only a 4 digit PoE PIN away from prying eyes (CellularOnline 2006c). Depending upon the security awareness of the user and the capabilities of the mobile device, even this basic defence may itself be rendered ineffective (see Section 3.4.2). Alternate knowledge based security approaches such as one's mother's maiden name or even complex passwords can usually be bypassed fairly easily using established social engineering techniques (Granger 2001). A topical example is the current trend in phishing: the spoofing of legitimate service providers via unsolicited communications, such as emails or phone calls, in order to persuade a targeted service subscriber to divulge sensitive security details to unscrupulous parties (Link: APWG). This information is then used by a 3rd party to masquerade as the legitimate service subscriber in order to defraud the system.

Mobile devices have consequently become the target of more than the opportunistic thief (Chopra 2002). In the UK alone, 2001 saw in excess of 700,000 mobile handsets stolen (Harrington & Mayhew 2001), leading the government to set up a National Mobile Phone Crime Unit to specifically target the problem (NMPCU 2003). Even more valuable to criminals who target mobile devices is the data which these devices carry, and owing to their essential networking capabilities, the wider data and services which they have access to (see Section 2.3.6). Eugene Kaspersky, founder of Kaspersky Labs, recently warned that hackers will become increasingly interested as mobile phones proliferate and "...when they get cheap enough, smart phones will become a real problem. It will happen sooner or later" (Kaspersky 2006). In the UK in the year of 2004, identity theft was estimated at £1.3 billion (Home Office 2006) and it would be naive to believe that with no apparent end in sight to either the market penetration of mobile technology, or the advancement of the underlying technology itself, that the size of this problem is going to do anything other than increase.

The growth of mobile network capacity with the introduction of next generation networks (Section 2.2.3) and services (Section 2.2.3.3) has placed even more emphasis on the mobile device to act as a gatekeeper to both local and network-centric data. The aim of the PhD is to research a novel biometric technique, specifically applicable to the mobile arena, capable of not only offering a more secure Point-of-Entry (PoE) authentication mechanism than the traditional PIN, but subsequently continuously monitoring the authentication status of the user beyond PoE. Continuous authentication, using existing biometric and non-biometric approaches, is wholly impractical owing to the intrusive requirement of specific user interaction. Therefore, the proposed solution must be transparent in operation to the user and must not interfere with or impede normal interaction with the mobile device. In addition, if authentication was managed within the network, rather than the mobile device (Section 2.3.7.3), it has the potential to revolutionise personal mobility, enabling a new level of convenient network accessibility within the mobile community.

Apart from the security implications of subscriber's biometric signature data, the very nature of biometrics themselves, or the measuring of a person's physiology or behaviour (see Chapter 4), constitutes personal medical data and therefore itself should fall under the jurisdiction of established confidentiality data protection protocols.

1.2 Research Requirements

The goal of the research is to investigate, develop and evaluate a novel user authentication system for application in the new generation of personal mobile communication devices with enhanced services. This work is ultimately aimed at addressing authentication issues within the emerging wideband PDA/telephony hybrid devices of post 2nd Generation (2G) networks and encompassed under the umbrellas of 2nd generation wideband (2.5G) and 3rd generation (3G) networks: assigned UMTS (Link: 3GPP) in Europe. To this end, the aim is to develop a technique which complements existing mobile equipment and the knowledge-base of existing mobile users. The work draws upon the field of biometrics in order to realise an authentication system that enables transparent and continuous online monitoring; a significant improvement over the current 2nd generation one-time, PoE authentication system.

There are a number of objectives to the research as follows:

• Research Assessment: Review current security systems in place within GSM and UMTS based mobile networks and devices and assess the extent to which these systems meet the present and future security needs of the subscriber. Establish the need for improved authentication security within the developing market for advanced mobile services.

• Conception: Conceive an original idea for an improved mobile authentication technique addressing any deficiencies identified within the research assessment and drawn from the discipline of biometrics.

• Development: Realisation and development of the aforementioned technique to the point of a prototype demonstrator, which can subsequently be used for validation and evaluation of the technique.

• Validation: A Proof of Concept demonstration of the viability of the technique, for trial evaluation approval, using the prototype demonstrator and cross comparisons with a small sample set of volunteer users.

• Evaluation: Statistical evaluation of the technique via an extended trial involving a group of volunteers, over an extended period.

To gain a full understanding of the research requirements, it was necessary to perform a complete review of current mobile security systems, from the inception of GSM in 1991 to the recent introduction of 3rd generation UMTS networks. The review encompasses all aspects of mobile security in parallel with the impact of the offered services, which are the essence of the investment effort into misuse and abuse.

The research subsequently required the inspiration, development and validation of an original form of non-intrusive authentication suitable for continuous application within the mobile communications arena. In order to achieve the objective, development realised an approach incorporating the individual strengths of both physiological and behavioural biometric techniques: a hybrid approach which was later submitted to the UK and US patents offices (Rodwell 2001) and presented in Appendix I.

Upon successful completion of the development stage, the core research was realised within a prototype demonstration and validation tool. For evaluation purposes, the demonstrator was suitably modified for general use, via automating the authentication process and adding appropriate help information, before being released for an extended trial involving a group of volunteers, yielding real-world results. This is essential, if the practicality and effectiveness of the realised technique is to be considered in context.

1.3 Thesis Structure

The thesis can essentially be divided into three main research areas. The chapters covering each of these areas will now be introduced in detail:

• PhD Research Foundations

Chapters 2, 3, 4 introduce and review the foundations to the PhD research.

• PhD Research and Development

Chapters 5, 6, 7 cover, respectively, conception, development and evaluation of the PhD core research proposal(s).

• PhD Research Conclusions

Chapter 8 presents and discusses the research conclusions.

1.3.1 PhD Research Foundations

Chapter 2 discusses the results of a review of the evolution of current mobile communications technologies, with an in depth look at the security systems in place to protect users and their property. Current mobile security systems were originally conceived to protect 2nd generation mobile communications networks, specifically the Global System for Mobile communications (GSM), and have remained fundamentally unchanged through the subsequent generation(s) of mobile technology.

The security aspect of Chapter 2 focuses upon mobile subscriber authentication and the approaches employed by the network operators and the hardware manufacturers. Security provisions within current mobile telephony based networks are primarily aimed at secure communication: subscriber authentication is achieved via use of a handset serial number and a token smart card containing subscription details; authentication is fundamentally between the token smart card and the mobile network. Subscriber authentication with the mobile handset relies on a PoE knowledge-based approach, only usually performed at handset switch-on and therefore vulnerable to masquerade attack. Chapter 2 discusses these issues in detail, before identifying some potential technological areas from which solutions may be drawn to overcome essentially what are 1st generation security deficiencies within post 2nd generation and 3rd generation networks.

Chapter 3 presents the results of a public survey investigating mobile users' views towards existing mobile security and subscriber authentication. Participants were asked about their personal experience of mobile fraud or theft. They were also asked their opinion on the protection the mobile handset access control, the PoE four digit Personal Identification Number (PIN), provides for their network subscription. The survey goes on to explore participants' usage of existing mobile services and their requirements for future services and the security risks which they may carry. Finally there are a selection of questions on participants' awareness and opinion on a selection of advanced security approaches to authentication, including biometrics and specific mobile related issues.

Introduced in Chapter 2, Chapter 4 covers the topic of biometrics, including a comprehensive review of the state-of-the-art, and the scope, of current biometric approaches and systems. The chapter investigates market penetration of various biometric techniques and specific system applicability to the mobile arena. The chapter concludes with an extension to the security survey covered in Chapter 3 addressing specifically issues relating to biometrics and advanced authentication. Participants' views on various generic advanced security issues are explored, their awareness of current and emerging biometric techniques and their attitudes towards security issues affecting future mobile technology.

1.3.2 PhD Research and Development

Chapter 5 introduces the Head Authentication Technique (HAT), a proposed solution to the authentication deficiencies introduced in Chapter 2, discussing the technique from conception through to realisation. In order to place the proposed solution in context, a number of alternative approaches are also discussed, two of which are followed up in the research and the others rejected due to feasibility or practicality reasons. As mobile handsets are developed far beyond their simple telephony roots, it is accepted that in practical terms no single approach is appropriate in isolation to protect all mobile services, and that a multi-modal approach to authentication is expected to provide the most comprehensive solution. The successful application of such a system, especially in a continuously monitoring environment, will depend on a comprehensive mobile security framework, capable of managing multiple authentication techniques under differing scenarios.

Chapter 6 covers the finalised methodology of the Head Authentication Technique in detail, as realised through the HAT demonstration tool discussed in Chapter 7. The chapter discusses the HAT operational principles by cumulatively revealing and explaining the discrete stages of the HAT process, with the aid of comprehensive flow diagrams. The chapter also discusses some of the developmental processes which led to the final HAT methodology, explaining and defending the reasoning behind some of the key research direction choices with the aid of empirical data. There is also a section discussing an alternative HAT methodology partly developed in tandem alongside the principal choice, and characterised by a modified yet equally novel biometric data analysis algorithm, demonstrating some of the future research potential of this novel biometric technique.

Chapter 7 covers the evaluation stage of the research project including the development and operation of a HAT demonstration tool. A group of twenty volunteers, including different sexes, ages and nationalities, was asked to authenticate themselves in a series of HAT trials using the developed demonstration tool. The HAT trials produced twenty sets of biometric HAT samples which were used for system evaluation through post trials analysis. A complete set of results is presented in Chapter 7, which includes a series of graphical outputs demonstrating the authentication performance of the HAT process including:

• how HAT audio spectra from the same user follows a common shape;

• how HAT audio spectra between different users follow a different shape;

• the calculations of the system false-acceptance and false rejection error rates;

1.3.3 PhD Research Conclusions

Finally Chapter 8 summarises and reasserts the original research problem, before proposing a possible solution: HAT. The research is also critically assessed through sections on research achievements and limitations, effectively defining the operational envelope of the HAT process. The chapter proceeds to identify areas for future work, generally directions where the development of the HAT process was curbed due to available resources, before finally demonstrating the contribution that the research has made to the subject area of biometric authentication in the mobile arena.

A full list of References and Internet Links, followed by the appendices, containing significant Public Outputs, and the research Patents is included at the end of the thesis.

Chapter 2 : Mobile Communications and Mobile Security

Chapter 2

Mobile Communications and Mobile Security

2 Mobile Communications and Mobile Security

This chapter reviews and discusses current mobile technology and the security authentication systems in place to protect users' mobile subscriptions; data link security being outside the scope of the thesis. The chapter highlights potential weaknesses in the current authentication methodology and their increasing relevance to the enhanced services of evolving 2nd generation wideband (GPRS, EDGE) networks, the recently introduced 3rd generation wideband (UMTS) networks and embryonic post 3rd generation broadband (HSDPA) networks.

2.1 Introduction

Cordless and cellular mobile communications devices function via the transmission and reception of signals within the radio frequency bands of the electromagnetic spectrum. Security for these devices must therefore protect three principal areas from compromise: the mobile subscriber, the mobile hardware and the radio link, in equal measure.

Security provisions within the current, predominantly 2nd generation, GSM networks address each of these security issues as follows: to protect the subscriber from masquerade attack, subscriber authentication is performed via the use of a smart card token; to protect the mobile hardware from, amongst other things, spoofing, mobile terminal authentication utilises an electronic serial number; and to protect the mobile data on the radio link from eavesdropping, strong data encryption is employed.

All of the UK's major network operators (at the time of writing: Orange, Vodafone, O2 and T-Mobile, in order of market share), although still heavily involved with 2nd generation technologies, are actively finalising post 2nd generation wideband networks. Vodafone, Orange and T-Mobile are in the process of enabling data communications across their 3rd generation UMTS networks, with Hutchison 3G being the first operator to market with a commercial system known as '3' in March 2003 (BBC News 2003). O2, in association with Nortel, recently completed live tests of their High Speed Download Packet Access (HSDPA) network, with extended commercial field trials scheduled for the second quarter of 2005 (Nortel 2005). Table 2-1 below maps the history and evolution of mobile technology networks.

| Generation | EU Acronym | Coding Scheme | Technology Characteristic | Max (Kbps) | Real (Kbps) | Frequency (MHz) | Switching | Availability |
|---|---|---|---|---|---|---|---|---|
| 1G | TACS | Analogue | Analogue coding | X | X | 900 | Circuit | 1983 |
| 2G | GSM | Digital | Digital coding | 9.6 | ~4 | 900/1800 | Circuit | 1992 |
| 2.5G | HSCSD | Digital | Multiple time-slots | <115 | ~12 | 1800 | Circuit | 2000 |
| 2.5G | GPRS | Digital | Packet switching | <171 | ~40 | 900/1800 | Packet | 2001 |
| 2.75G | EDGE | Digital | 3G speed over 2G | <384 | ~100 | 900/1800 | Packet | 2005 |
| 3G | UMTS | Digital | Advanced Services | <2000 | ~400 | 2000 | Packet | 2004 |
| 3.xG | HSDPA | Digital | IP Core Network | <10000 | >2000 | 5000 | Packet | >2006 |

[Service rows Voice, SMS/MMS, Internet, mMedia and GPS enabled: tick/cross entries illegible]

Table 2-1 : The evolution of cellular mobile communication technologies

The £22.5 billion investment in 3G licenses in the year 2000 (Brown et al. 2001), even before any investment in infrastructure (estimated to exceed the value of the 3G licenses, CNN 2001), demonstrates the commercial strength of the current mobile marketplace and the confidence existing major network operators have in the continued development of new mobile technology and the revenue streams that the enabled services will produce.

2.2 Mobile Communications Systems

The evolution of mobile communications technology has produced a rich heritage of revolution and innovation in communications. Table 2-1 introduces key technologies which have shaped the industry today and these will now be discussed in greater detail.

2.2.1 A Basic Mobile Communications Architecture

Figure 2-1 : Schematic of a basic mobile communications architecture

Figure 2-1 shows a basic architecture for a distributed mobile communications network similar to the cellular networks in use today and covered in Section 2.2.2. Although not comprehensive, the schematic and associated information provides those readers who require it with a basic understanding of some of the key elements which come together to form a typical mobile network architecture.

Key to Figure 2-1

(1) Subscriber Token: Network subscriber authentication token (smart card, aka SIM).

(2) Mobile Handset: The physical terminal interface to the distributed mobile network.

(3) Base Station: The interface between the radio link and the mobile network.

(4) Microwave Link: Employed when base stations are sited in remote locations.

(5) Network Switching Centre: The mobile network telephone exchange.

(6) Equipment Register: Database of mobile handsets security status.

(7) Home Register: Database of mobile network subscriptions.

(8) Authentication Centre: Database of authentication and encryption parameters.

(9) Visitor Register: Database for the temporary storage of visiting subscribers.

(10) Gateway Exchange: Switches connections to landline network.

(11) Landline Network: The Public Switched Telephone Network (PSTN)

There follows a simplified explanation and walkthrough of the generic mobile communications architecture shown in Figure 2-1. Although an in-depth explanation is beyond the scope of this text, further information on current mobile network architectures can be obtained from their respective governing bodies, which are identified in Section 2.2.2 for 2G and Section 2.2.3 for 3G systems.

The Mobile Handset (2), containing the Subscriber Token (1) (ref Section 2.3.1, The SIM Card) for network authentication, communicates with the distributed mobile networks' Base-Stations over a secure radio link: Table 2-1 shows the link frequencies of current European mobile networks. The Base-stations (3) are connected to the Mobile Service Switching Centre (5), either via cable or Microwave Link (4), depending on location and terrain. The Mobile Service Switching Centre (5) contains a number of operational databases: the Home Register (7), the Equipment Register (6) and the Visitor Register (9). The Equipment Register (6) (see Section 2.3.2, The IMEI Code) contains security information regarding the validity of the Mobile Handset (2) such as, 'has it been reported stolen?' or 'is it compatible with the network?' The Home Register (7) (see Section: 2.3.5, Mobile Authentication Methodology), contains security information regarding the validity of the network subscription and works together with the Authentication Centre (8) to validate the subscription of the Subscriber Token (1). The Visitor Register (9) is a special database for the storage of temporary subscription data for persons visiting the network. If all security criteria are met, the Mobile Service Switching Centre (5) will complete the appropriate connection; either within the host network or transfer the link externally to the Gateway Exchange (10), which will route the connection to the traditional Landline Network (11).
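The checks in the walkthrough above, as an added example (not code from the thesis): a simplified Python model in which the switching centre consults the Equipment Register, the Home Register with the Authentication Centre, and the Visitor Register before routing a connection. The HMAC challenge-response, the identifiers and the register contents are assumptions made for illustration; the thing to observe is that the decision takes a handset serial and a token as inputs and never the person holding them.

```python
"""Toy model of the Figure 2-1 connection checks. Every identifier, key and
register entry below is constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SubscriberToken:
    """Smart card token: carries the subscription identity and its secret."""
    sub_id: str
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 stands in for the network's real algorithm (assumption).
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class EquipmentRegister:
    """Security status of handsets, keyed by handset serial number."""
    stolen: set = field(default_factory=set)
    incompatible: set = field(default_factory=set)

    def objection(self, handset_id: str):
        if handset_id in self.stolen:
            return "handset reported stolen"
        if handset_id in self.incompatible:
            return "handset not compatible with the network"
        return None


@dataclass
class SwitchingCentre:
    equipment: EquipmentRegister
    home: dict          # Home Register: sub_id -> subscription active?
    auth_centre: dict   # Authentication Centre: sub_id -> secret
    visitors: dict = field(default_factory=dict)  # Visitor Register: sub_id -> secret

    def _secret_for(self, sub_id: str):
        if self.home.get(sub_id):             # active home subscription
            return self.auth_centre.get(sub_id)
        return self.visitors.get(sub_id)      # temporary visitor record, or None

    def connect(self, handset_id: str, token: SubscriberToken, on_host_network: bool):
        """Inputs are a handset serial and a token; the user is not an input."""
        reason = self.equipment.objection(handset_id)
        if reason:
            return ("refused", reason)
        secret = self._secret_for(token.sub_id)
        if secret is None:
            return ("refused", "no valid subscription")
        challenge = os.urandom(16)            # fresh challenge per attempt
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token.respond(challenge)):
            return ("refused", "token failed authentication")
        if on_host_network:
            return ("connected", "host network")
        return ("connected", "gateway exchange to landline network")


def run_scenarios():
    owner = SubscriberToken("SUB-A", b"constructed-secret-A")
    visitor = SubscriberToken("SUB-V", b"constructed-secret-V")
    suspended = SubscriberToken("SUB-S", b"constructed-secret-S")
    no_secret = SubscriberToken("SUB-A", b"wrong-secret")  # claims SUB-A only
    msc = SwitchingCentre(
        equipment=EquipmentRegister(stolen={"HS-0002"}, incompatible={"HS-0003"}),
        home={"SUB-A": True, "SUB-S": False},
        auth_centre={"SUB-A": owner.key, "SUB-S": suspended.key},
        visitors={"SUB-V": visitor.key},
    )
    return {
        "subscriber, own handset": msc.connect("HS-0001", owner, True),
        "visitor, landline call": msc.connect("HS-0004", visitor, False),
        "handset reported stolen": msc.connect("HS-0002", owner, True),
        "incompatible handset": msc.connect("HS-0003", owner, True),
        "token without the secret": msc.connect("HS-0001", no_secret, True),
        "suspended subscription": msc.connect("HS-0005", suspended, True),
        # Same handset and token as the first case but a different holder, and
        # the loss not yet reported: identical inputs, identical outcome.
        "unreported handset, other holder": msc.connect("HS-0001", owner, True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34s} -> {outcome}")
```

The last scenario is the gap the thesis targets: until the Equipment Register or Home Register is updated, the network cannot distinguish the subscriber from anyone else holding the handset and token.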

2.2.2 2nd Generation Mobile Communications

Although 3rd generation mobile networks and their advanced services are now becoming available to the consumer, 2nd generation technology and its hybrid derivatives still predominate the European mobile marketplace; the most successful of these is GSM.

2.2.2.1 Introduction to GSM

The backbone of the European system for wide area mobile communications came into commercial existence in January 1992, when 'Oy Radiolinja Ab' of Finland opened the first GSM network for business (CellularOnline 2006a), the standard having been ratified by the European Telecommunications Standards Institute (ETSI) some 3 years earlier, after taking over control from the original GSM working group. It was in fact in 1982 that the Conference of European Posts and Telegraphs (CEPT) first formed the study group known as the Groupe Special Mobile (GSM) to research and develop a pan-European public land mobile system: the GSM acronym later being changed, in 1987, to the now familiar and broader ranging: Global System for Mobile Communications.

GSM is a narrowband digital cellular radio network, originally developed for mobile telephony. It has experienced worldwide adoption since its introduction in 1992, with 32 networks by the following year and over 570 operational networks by 2004, covering 190 countries supporting 1.6 billion subscribers (GSM World 2005), representing 80% of the world's mobile market and one quarter of the world population. GSM currently provides almost complete coverage in Western Europe, and growing coverage in the Americas, Asia and elsewhere. Although GSM supports extensive international roaming, there are in fact three operational frequencies: 900MHz (Original GSM; Europe), 1800MHz (Personal Communications Network (PCN); Europe) & 1900MHz (Personal Communications System (PCS): North America), and a tri-band handset is required, along with a network operator agreement, in order to roam within the three international standards.

2.2.2.2 GSM Services

The first 2nd generation mobile handsets, circa early 1990s, only supported very basic mobile services: telephony, FAX, Short Message Service (SMS). As the technology matured and entered its second decade, the digital nature of GSM and its open standard has allowed mobile network operators to develop enhanced data services and enabling technologies like High Speed Circuit Switched Data (HSCSD) and the Wireless Application Protocol (WAP) (OMA 2005). Rudimentary data services, such as text messaging via Short Message Service (SMS), have proved popular, challenging the market dominance of voice based services and although light Internet browsing via WAP has not lived up to industry expectations (vnunet 2000), the trend is still towards Internet connectivity via wireless communications with mobile devices, such as laptop and palmtop computers, through Bluetooth (Link: Bluetooth).

2.2.2.3 GSM Derivative Technologies (2.5G)

The limited bandwidth of a single standard GSM link is 9.6 Kbps. While this is sufficient for voice and rudimentary data services, the popularity of, and move towards, enhanced data based services have driven the market to develop a number of wideband GSM derivative technologies, see Table 2-1:

• High Speed Circuit Switched Data (HSCSD) utilises multiple GSM TDMA time slots, to provide up to 115 Kbps.

• General Packet Radio Service (GPRS) offers bandwidths approaching 10 times the standard GSM rate: up to 171 Kbps.

• Enhanced Data Rates for GSM Evolution (EDGE) utilises a new air-interface modulation technique to offer data rates approaching 3rd generation performance over existing 2nd generation infrastructure: up to 384 Kbps.

2.2.3 3rd Generation Mobile Communications

As 2nd generation mobile networks entered their second decade, the growth in data services drove the industry to conceive the next generation of wideband networks to deliver advanced wideband services, via suitably enhanced handsets or network interface portals, including video telephony, always on rich Internet and multimedia. 3rd generation (3G) mobile networks offer data rates up to 200 times that of a basic 2nd generation network: the 3G service developed for Europe is known as UMTS.

2.2.3.1 3G Bodies and Standards

The governing body for both GSM and 3G in Europe, UMTS, is ETSI (European Telecommunications Standards Institute), formed in 1988. Along with other international bodies: ARIB (Japan), T1 (USA), TTA (Korea) and CWTS (China), a harmonising project group was established, the 3rd Generation Partnership Project (Link: 3GPP), holding its first meeting in Sophia, France on 7th December 1998. 3GPP's aim was to co-operate in the production of globally applicable 3G mobile system standards, based on evolved GSM technology. In June 1999, OHG (Operator Harmonisation Group) proposed the evolution of 3GPP, along with the USA's 3GPP2 cdma2000 proposal group, into a harmonised G3G (Global 3G) standard. Another influential body was the Mobile Wireless Internet Forum (MWIF), an international harmonisation association, whose key goal was to influence 3GPP and 3GPP2 into the acceptance and adoption of a single open mobile architecture, independent of the access technology.

2.2.3.2 Introduction to UMTS

The term UMTS was first defined in 1986 as part of the Commission of European Communities (CEC) Research into Advanced Communications in Europe (RACE). Developed by the European Community as a commercial 3rd generation mobile technology, UMTS was adapted by the International Telecommunications Union (ITU) standards effort as part of IMT-2000 (International Mobile Telephone for the year 2000)¹ (ITU 2001). UMTS is based on the core network architecture of GSM, allowing current GSM network operators to protect their infrastructure investments and combines evolved current technologies with new developments in the field. UMTS frequencies were allocated at the World Radio Conference in Malaga (WRC-92) in February 1992.

¹ IMT-2000 replaced the FLPMTS (Future Land Public Mobile Telecommunications System) initiative.

In addition to Europe, UMTS is the interpretation of 3G adopted by Japan and North America. One of UMTS's core developments was its packet-based wideband CDMA technology, allowing global roaming and always-on networking facilities. The technology offers data transmission rates far in excess of the 9.6 Kbps of basic 2nd generation GSM technology, providing up to (best case):

• 144 Kbps in macro cellular environments; Roaming: ~10km.

• 384 Kbps in micro cellular environments; Building: ~100m.

• 2000 Kbps in Pico cellular environments; Room: ~10m.

UMTS currently represents the ultimate evolution of commercially available public access mobile telephony aligned with associated mobile data services: Richardson (2000) summarised UMTS as "a revolution of the air-interface, by an evolution of the core network."

The final quarter of 2004 saw strong growth in the demand for UMTS 3G handsets in Europe, rising to 16 million subscribers across 60 networks, a 60% increase on the 10 million subscriber milestone set in September 2004 (UMTS Forum 2005).

2.2.3.3 3G (UMTS) Services

The availability of services that meet genuine market requirements is accepted as the key to the success of 3rd generation technology. "Unlike 2G, where services were specified within the standard, central to the concept of 3G are services' capabilities and toolkits - which enable the creation of customised, operator-specific services to drive new revenues streams" (Watson 2001). Further research commissioned by the UMTS Forum (2003) showed that, even at a conservative estimate, 30 services represent a cumulative revenue potential of one trillion US dollars for mobile services providers between now and 2010. How big is the 3G services market expected to be by 2010? A total of 2.25 billion mobile subscribers (both 2G and 3G) are being forecast, of which more than 28% are predicted to be subscribers to 3G enabled networks.

Figure 2-2 : 3G Services framework

What will 3G services be? Services are expected to evolve in fundamentally three different directions: Personal Communications; Wireless Internet and Mobile media. Out of these three areas, the UMTS Forum defines a clear structure of six service categories, illustrated in Figure 2-2, for discussing, planning and reporting on services and applications for 3G over the next ten years (UMTS Forum 2003). The services are:

• Multimedia Content

These include: live video, pre-recorded video clips, music (mp3s) and games formatted for a mobile handset.

• Multimedia Messaging

A development of the popular 2nd generation SMS text only service that enables: video clips, music or graphics to be sent to another mobile handset.

• Internet Access

A rich Internet service, not the light browsing environment of the 2nd generation WAP service, which proved unpopular on introduction.


• Instant Messaging

A mobile version of the popular real-time PC text messaging service.

• Location Based Services

Utilising the global positioning capabilities of 3G. Services could include directions from the subscriber's current location to, for example, the nearest fuel filling station, cinema or restaurant.

• Rich Voice

An enhanced rich voice telephony service. In addition to improved audio quality, services include: Presence, the ability to see if a user is currently 'on-line' to receive communications; 'Push-to-talk', a simultaneous group communications service, similar to the service offered by private radio networks.

Conservative forecasts predict that total service provider-retained revenues for 3G services in 2010 will reach US$322 billion. Of those revenues, 66 percent will come from 3G-enabled data services (VisionGain 2005). Figure 2-3 shows that the predicted cumulative revenue potential for mobile services providers between now and 2010 is estimated to rise in excess of one trillion US dollars.

Services like e-mail and Web browsing are expected to have little direct revenue potential, as users will expect them to be included as part of their service package at no additional charge; their benefit comes mainly from their role as drivers of traffic. The single largest revenue opportunity is expected to come from multimedia based services by virtue of its low cost and mass-market appeal, contributing US$86 billion in 2010. It is also predicted that much of the additional revenue will be generated from increased mobile usage, driven by new services, rather than through new sources of revenue.

Figure 2-3 : Worldwide revenues forecast from all 3G services

2.2.4 Beyond 3rd Generation

It has been shown that mobile communications is evolving rapidly and the drive towards broadband mobile data communications shows no signs of slowing. Although the introduction of the first 3G mobile network marks a milestone in both data rates and offered services, when compared to the field of distributed computing networks, such as Wi-Fi, mobile telephony based technology is still over one hundred times slower. It is not unexpected therefore, that development of cutting edge mobile technology is continuing apace, before 3G has even firmly established itself within the market place.

In order to further strengthen the presented case for enhanced authentication security, where enhanced services are intimately linked to enhanced data rates, two post 3G approaches currently in development are briefly acknowledged below.


2.2.4.1 High Speed Downlink Packet Access

High Speed Downlink Packet Access (HSDPA) is a packet-based data service based on an evolution of the core 3G architecture. HSDPA uses a new modulation technique which increases peak downlink data rates by up to 5 times the peak data rate of the most advanced 3G networks, improving spectral efficiency. The Third Generation Partnership Project's (Link: 3GPP) Release 4 specifications provide IP support, enabling provision of services through an all-IP core network. The Release 5 specifications focus on HSDPA to provide initially up to 10 Mbps to support packet-based multimedia services (3GPP 2005).

The increased bandwidth will enable network operators and service providers to offer their advanced services at lower costs, owing to the higher number of users supported by a single carrier and with greatly reduced delays over the air interface. This will also enable new time critical services, like streaming high-definition video.

In essence the benefits to the HSDPA user will be:

• Higher data rates

• Shorter service response times

• New services

• Better availability of existing services

• Improved overall quality of service


2.2.4.2 4th Generation

The Ministry of Internal Affairs and Communications (MIC), in addition to the ITU working group 8F, are actively addressing the issues for the 4th generation of mobile communications (4G), like the international coordination of frequencies, spectrum harmonisation and standardization. A coarse timetable has been set of establishing the necessary 4G technology for mobile communications systems by the end of 2005 and putting a system into practice by 2010.

One debate is currently tackling the issue of whether 4G will be an evolution of existing 3G standards or a revolutionary development. What is likely is that 4G will be a packet-switched technology offering bandwidths similar to the broadband distributed computer networks of the 2G mobile era. Based on Ethernet and wireless standards of around 100 Mbps, bandwidths 10,000 times that of current 2G technology are being proposed. This would enable the sending and receiving of high quality streaming video, even whilst roaming at high speed across cell boundaries, something even the most advanced currently proposed technologies, such as HSDPA, cannot do. Although 4G is broadly based on similar goals to 3G, with an emphasis on bandwidth enabled services rather than purely high data rates, one specific target area for improvement is interoperability between hardware and networks, via technologies such as 'software defined radio'. This will enable subscribers to freely roam across networks utilising various different mobile interfaces without suffering any loss in quality of service.

These proposals present a very strong case for not only an enhanced subscriber authentication system, but also a network-centric security system capable of enabling the proposed personal mobility criteria discussed in Section 2.3.7.3.


2.3 Mobile Security

Introduced in Section 2.1, GSM authentication is achieved on two separate levels, authentication of the mobile subscription and authentication of the mobile hardware, as follows:

• Mobile subscriber authentication is achieved through use of a token-based Subscriber Identity Module held on a multi-standard smart card.

• Mobile terminal authentication is achieved via issuing the mobile terminal (handset) with an International Mobile Equipment Identifier at point of manufacture, uniquely identifying the hardware on the network.

These two approaches to mobile authentication form the minimum¹ standard for all post 2nd generation mobile handsets and they will now be reviewed and discussed in depth.

2.3.1 The SIM Card

The Mobile Station (MS) consists of the Mobile Equipment (ME, the handset) and a smart card containing a micro controller, the Subscriber Identity Module or SIM.

GSM was the first international mobile communication system to employ a smart card based SIM as a secure device for the authentication of a user subscription. The SIM contains subscription and security related data as well as user and/or network operator specific data. In addition the SIM can contain operator specific applications via the SIM Application Toolkit²: this service is completely separate from the GSM functionality of the SIM. A schematic breakdown of a generic SIM is included in Appendix A.

¹ Hardware manufacturers and/or network operators may augment the minimum authentication standard with additional security measures, such as a biometric fingerprint scanner (see Section 4.3.1.1).

² The SIM Application Toolkit was originally integrated into the GSM standards in Release 96.

2.3.1.1 SIM Formats

Figure 2-4 : Plug-in SIMs

The Sub Technical Committee SMG9, established in 1994 as the successor of the Subscriber Identity Module Expert Group (SIMEG) itself founded in 1988, defined three formats of SIM. The first and original specification was for an integrated circuit card, employing Surface Mount Device (SMD) packages and having a credit-card format: the ID-1 SIM. Aware of the inevitable size reduction developments of the ME, SMG9 also defined a second smaller semi-permanent plug-in SIM for those units unable to accept an ID-1 SIM. This SIM was obtained by removing the excess plastic from an ID-1 SIM. The plug-in SIM is 25mm x 20mm and normally installed behind the battery as opposed to being slotted externally.

An alternate specification proposed an integral SIM, a part of the ME itself. Although more reliable than the plug-in SIM owing to the removal of the SIM-ME interface, it introduced network operator security problems related to the utilisation of operator specific algorithms. It would be difficult, if not impossible, for network operators to use their own security algorithms and keep close control over secret keys and other operator specific security data without a dedicated security module. It was also believed that non-specific mobiles would open the market for manufacturers, reducing trade barriers. It is interesting however, that the USA took a different view for their PCN network, universally adopting the integral SIM.

Current market forces are also behind a drive for a Third Form Factor (3FF), which was recently approved at a plenary meeting of the ETSI Smart Card Platform project (ETSI 2003). Essentially, with the development of smaller and smaller handsets, the point will eventually be reached where the plug-in SIM card occupies too much volume in the mobile device, especially in those devices whose primary purpose is not mobile communications, i.e. miniature digital cameras or watches. The new card is proposed at half the size of the existing card, with the majority of the remaining excess plastic cut away, whilst leaving the contact area unchanged. In this way, the change will have minimal effect on the established standard and not affect existing chip size performance.

2.3.2 The IMEI Code

The International Mobile Equipment Identity (IMEI) is a unique 15-digit code assigned to every GSM and UMTS mobile handset at point of manufacture, by the Global Decimal Administrator (GDA), identifying the Mobile Equipment (ME) or hardware as opposed to the subscriber to the network. It was initially produced for type approval reasons so that out of specification mobile handsets may be removed from a mobile network. The IMEI constitutes sensitive information, being the mobile handset's unique electronic serial number. This form of identification is analogous to the Electronic Serial Number (ESN) of 1st generation (1G) systems, such as AMPS. A historical¹ breakdown of the IMEI code is provided in Appendix B.

¹ The IMEI code has undergone some evolutionary changes since its introduction in 1992.

A list of all the mobile handset IMEIs on an operator network is stored in a central location known as the Equipment Identity Register (EIR). This enables, among other things, a handset reported stolen to be blocked from further use in the network, assuming that the network's infrastructure contains the necessary routines for checking the IMEI number against the central blocking register. The status returned in response to an IMEI query to the EIR is one of the following:

• White Listed: The handset is not considered suspicious.

The handset is allowed to connect to the network.

• Grey Listed: The handset is under observation for possible problems.

The handset is allowed to connect to the network.

• Black Listed: The handset has been reported stolen, or is not type approved.

The handset is denied access to the network.

A Central Equipment Identity Register (CEIR) is operated by the GSM Association in Ireland, allowing GSM network operators to share their individual lists of IMEIs (Link: GSM Association). The CEIR lists are automatically updated on a daily basis and at the same time local EIRs download the aggregated lists for their own use.

A handset's IMEI code is not kept secret from the user. It can normally be found on the retail packaging and on the handset itself, normally on a self-adhesive compliance label under the battery. It is also possible to display the IMEI by dialling the code *#06#.

2.3.2.1 IMEI Black Listing

A black-list contains the equipment identities, or IMEIs, of handsets barred from using the particular network: handsets reported lost, stolen or otherwise unsuitable for use. In October 2002, in an attempt to curb the rise in handset abuse, network operators started sharing their black-lists within the GSM Association's CEIR (GSM Association 2002).
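The EIR status query and the daily CEIR exchange described above can be modelled as follows. This is an added Python sketch, not code from the thesis or from any operator: the class names, the treatment of malformed or unknown IMEIs and the sample IMEIs are assumptions, and the Luhn check digit on the 15th digit comes from the 3GPP numbering specification rather than from this chapter.

```python
from enum import Enum


class Status(Enum):
    WHITE = "white"   # not considered suspicious: allowed
    GREY = "grey"     # under observation: allowed
    BLACK = "black"   # reported stolen or not type approved: denied


def luhn_check_digit(body14: str) -> str:
    """Check digit for the first 14 IMEI digits (Luhn formula)."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:                  # rightmost body digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_well_formed(imei: str) -> bool:
    """15 ASCII digits whose last digit matches the Luhn check digit."""
    return (len(imei) == 15 and imei.isascii() and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])


class EIR:
    """One operator's Equipment Identity Register."""

    def __init__(self, name: str):
        self.name = name
        self.local_black = set()    # handsets barred by this operator
        self.shared_black = set()   # last aggregated list downloaded from the CEIR
        self.grey = set()

    def report_stolen(self, imei: str) -> None:
        self.local_black.add(imei)

    def query(self, imei: str) -> Status:
        if not is_well_formed(imei):
            return Status.BLACK     # assumption: malformed identities are refused
        if imei in self.local_black or imei in self.shared_black:
            return Status.BLACK
        if imei in self.grey:
            return Status.GREY
        return Status.WHITE         # assumption: unlisted handsets count as white

    def admits(self, imei: str) -> bool:
        return self.query(imei) is not Status.BLACK


class CEIR:
    """Central register that aggregates the operators' black-lists."""

    def __init__(self):
        self.aggregated = set()

    def daily_update(self, eirs) -> None:
        for eir in eirs:                        # operators upload their lists
            self.aggregated |= eir.local_black
        for eir in eirs:                        # and download the aggregate
            eir.shared_black = set(self.aggregated)


if __name__ == "__main__":
    stolen = "35000000000001" + luhn_check_digit("35000000000001")  # constructed
    home, other = EIR("operator A"), EIR("operator B")
    home.report_stolen(stolen)
    print("before sync:", other.query(stolen).value)   # still white on operator B
    CEIR().daily_update([home, other])
    print("after sync: ", other.query(stolen).value)   # black on both networks
```

Until the next daily exchange, a handset barred by one operator is still admitted by every other operator's EIR; the register can only act on the IMEI the handset presents.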

2.3.2.2 Reprogramming the IMEI: The Mobile Reprogramming Act, 2002

It is not a secret that the IMEI of a mobile handset can be changed relatively easily. This is due to the fact that the GSM specification does not explicitly exclude re-programming of the IMEI by authorised individuals. This is quite serious from a security perspective, as this places the IMEI in firmware where it is ultimately vulnerable to abuse. This is in contrast to the data encryption/ciphering keys, which are masked directly into hardware at the point of manufacture, denying any possibility of software alteration.

In an attempt to curb abuse of the system, standards for improved IMEI Security were drafted and agreed by manufacturers and ETSI members at the ETSI TC SMG#30 Plenary meeting (ETSI 1999). Their amendment policy statement proposing:

"The IMEI shall not be changed after the ME's final production process. It shall resist tampering i.e. manipulation and change, by any means (e.g. Physical, electrical and software)."

This has led to The Mobile Reprogramming Act 2002, which came into force on 1st April 2002. The Act states that it is now a criminal offence to "Offer, change or reprogramme any mobile phone from any network which changes its designed purpose to allow it to unlock or to change the IMEI Number": the Act carries a maximum penalty of 5 years' imprisonment. The Act does not however include the unlocking of a mobile handset from a designated service provider, known as SIMLock deactivation, unless this involves the IMEI or other identifying features being changed or removed.


A brief search on the Internet however, demonstrates that it is still relatively easy to find IMEI firmware reprogramming utilities for mobile handsets, showing that the system is still openly abused, see Figure 2-5.

Figure 2-5 : Example of an IMEI reprogramming utility

2.3.2.3 Subscriber Identity Confidentiality (IMSI and TMSI)

Subscriber identity authentication allows mobile subscribers to originate calls, update their location, etc, without revealing their International Mobile Subscriber Identity (IMSI) to an eavesdropper on the radio link. It thus prevents location tracing of handsets by listening to the signalling exchanges on the radio path. All mobiles and networks must be capable of supporting the service, though its use is not mandatory.

Mobile Country Code (MCC) | Mobile Network Code (MNC) | Mobile Subscriber Identification Code (MSIC)
3 digits | 2 digits | 10 digits

Table 2-2: Format of the IMSI

In order to provide the subscriber identity confidentiality service it is necessary to ensure that the IMSI, or any information which allows an eavesdropper to derive the IMSI, is not normally transmitted 'in-clear' in any signalling message on the radio path. The mechanism used to provide this service is based on the use of a temporary mobile subscriber identity (TMSI), which is securely updated after each successful access to the system. Thus, in principle, the IMSI need only be transmitted in clear over the radio path at registration. In addition, the signalling elements which convey information about the IMSI are enciphered.

The TMSI updating mechanism functions in the following manner. For simplicity, assume the MS has been allocated a TMSI, denoted by TMSIo, and the network knows the association between TMSIo and the subscriber's IMSI. The MS identifies itself to the network by sending TMSIo. Immediately after authentication (assuming this takes place), the network generates a new TMSI, denoted TMSIn, and sends this to the MS encrypted under the cipher key Kc. Upon receipt of the message, the MS deciphers and replaces TMSIo by TMSIn.

2.3.3 The User PIN - Real Subscriber Authentication

Subscriber authentication within current mobile network architectures is limited to the authentication of the SIM (also see Section 2.3.5) which may or may not be in the possession of the SIM's legitimate subscriber; handset authentication via the IMEI is not a subscriber issue. The only tangible security system existing between the SIM and the legitimate subscriber is the user's SIM access Personal Identification Number (PIN); see Figure 2-6. The user PIN is the first line of defence against both casual, opportunistic unauthorised use and more serious pre-meditated masquerade attack. The PIN provides a personal authentication check at the mobile handset, restricting open access to the SIM card and therefore the network; the onus on PIN activation being in the hands of the subscriber. With the intrusive nature of this security technique (i.e. requires conscious subscriber interaction) it is not uncommon to find subscribers actually choosing to leave the option disabled; this issue is investigated in greater depth in Chapter 3.

Figure 2-6 : The mobile telephony authentication chain

Although relatively secure against brute force attack (normally 4 digits, with restricted attempts), the traditional subscriber PIN remains a Point-of-Entry (PoE) technique, triggered only when the handset is brought out of standby. If a handset is left in active mode, the PIN offers no handset protection whatsoever. Some handsets do offer an additional PIN facility to lock out the keypad after a specific time period, but generally this feature is limited to prevention of accidental activation rather than a security feature, with a simple two key access. In essence, the PIN authentication technique remains one of the primary security issues that needs to be addressed and improved upon in order to protect the enhanced services data of next generation wideband and broadband networks. Current mobile authentication therefore depends on two things:


• the PIN facility being activated;

• the user not inadvertently compromising the PIN protection themselves.

In a similar manner to traditional passwords in desktop IT systems, the PIN is based on a secret knowledge approach and is therefore inherently vulnerable to subscribers compromising their own security. This can be achieved by a user either selecting an inappropriate value, such as 1234, transferring or sharing the knowledge with others, or simply writing it down (Lemos 2003, Jobusch and Oldehoeft 1989). In addition, the secret knowledge approach is not strictly unique to any particular subscriber, leaving the technique openly vulnerable to masquerade attack.

2.3.3.1 Bypassing a handset's PIN code

In a similar approach to compromising a handset's IMEI, software to break mobile handsets' PIN codes can be found relatively easily over the Internet in downloadable pirate versions. WinTesla, for example, is a Nokia handset utility, designed to be used in authorized Nokia repair centres for, among other tasks, the recovery and maintenance of handset security data including the PIN. The very existence of such utilities represents a security risk: WinTesla is already available illegally over the Internet.

Examples have also been found where a mobile handset has been physically opened and hard-wired in order to bypass the PIN protection altogether. The enlarged section of the mobile handset's main circuit board, illustrated in Figure 2-7, shows multiple thin trailing wires around the ICs (Integrated Circuits), effectively 'hot-wiring' the board (Geissler 2001).

Figure 2-7 : A mobile handset modified to bypass the PIN

2.3.3.2 Enhancing Authentication Security

Recognising the security weaknesses of the PIN, highlighted in Section 2.3.3, some manufacturers have tried to address the issue by introducing some form of truly personal authentication: biometric authentication. In 2002, Sagem released the first mobile handset to incorporate a biometrics (see Chapter 4) authentication approach (Sagem 2000): the Sagem MC959ID (Figure 2-8) incorporated a built-in fingerprint sensor. Although the device seemed to mark a turning point in the market, acceptance has been slow and currently only NTT DoCoMo of Japan offer a similarly equipped device (NTT DoCoMo 2004): the Fujitsu F505i (Figure 2-9). Although fundamentally more secure than existing authentication approaches, the system still suffers the major drawback of requiring conscious subscriber interaction with the mobile device: it is therefore only suitable for PoE protection of mobile hardware or services.

Figure 2-8 : The Sagem MC 959 ID mobile handset (ST/Upek fingerprint sensor)

Figure 2-9 : The Fujitsu F505i mobile handset (Authentec fingerprint sensor)


2.3.4 3rd Party Security

An already established Internet trend is for service providers to enforce their own specific security safeguards, usually some form of knowledge-based (password) authentication system. In a mobile context, this security technique would reside after the standard security provided by the mobile handset and somewhere between the network and the specific service access point. This approach is especially relevant to separately billed services such as mobile e-commerce. With the convergence of mobile and land based services and the introduction of rich web browsing, provided by the wideband next generation systems, this trend is certain to predominate for the short term.

Looking to the future, in practice, a hybrid approach is likely to represent the most appropriate solution, where a security management system determines and maintains the most efficient security at the least expense on system transparency, from an available cache of security approaches, techniques or protocols.

2.3.5 Mobile Authentication Methodology

Anyone who uses a mobile handset is susceptible to masquerade attack and the subsequent compromise of personal and potentially sensitive data. Authentication is the corroboration that an entity is the one claimed and in mobile terms, this translates to the verification of the identity of the SIM registered to a subscriber. The design of the GSM authentication and encryption schemes is such that this sensitive information is never transmitted over the radio channel.

The main entities responsible for the authentication of a subscriber to a network are the subscriber's SIM and the Authentication Centre (AuC) of the home network. Both contain the operator specific one-way authentication algorithm (A3), and a secret authentication key Ki, unique to the user's SIM subscription. The authentication process employs a challenge-response protocol/mechanism between the AuC, a part of the Home Location Register (HLR), and the SIM, using non-predictable numbers.

When the home network receives an authentication request, and has established the claimed identity of the SIM, it transmits a non-predictable number RAND as a challenge to the MS. The ME passes this number to the SIM, which computes the response SRES to this challenge using the algorithm A3 with the arguments RAND and the key Ki stored in the SIM. The response SRES is then transmitted back to the network, where it is compared with the value pre-computed by the network using the same algorithm A3 and the same arguments RAND and the key Ki associated with the claimed identity of the subscriber. The MS is granted network access only if the value generated by the SIM and transmitted by the ME is identical to the value generated by the home network; i.e. subscriber authentication is approved.

Accompanying the challenge-response pairs calculated in the HLR/AuC is a new 64 bit cipher key Kc. This is computed using the key Ki and the same non-predictable RAND number with a new operator specific algorithm A8. The purpose of enciphering is to ensure the privacy of the subscriber's information over the radio interface. A discussion of ciphering is beyond the scope of this thesis.
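The challenge-response exchange of this section and the TMSI update of Section 2.3.2.3, run end to end as an added Python sketch that is not code from the thesis. A3, A8 and the air-interface cipher are operator specific or outside the text, so HMAC-SHA256 and an XOR keystream stand in for them as labelled assumptions; the 128-bit RAND and Ki and the 32-bit SRES follow the GSM specifications, and the IMSI and Ki are constructed test values.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumptions): the real A3/A8 are operator specific and the
# air-interface cipher is outside the text, so HMAC-SHA256 and an XOR
# keystream are used here purely to make the message flow runnable.
def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES = A3(Ki, RAND), truncated to 32 bits."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc = A8(Ki, RAND), truncated to 64 bits."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def cipher(kc: bytes, data: bytes) -> bytes:
    """Toy cipher under Kc; XOR, so the same call enciphers and deciphers."""
    stream = hashlib.sha256(b"keystream" + kc).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class Sim:
    """Holds Ki; only SRES and Kc ever leave it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
        self.tmsi = None
        self.kc = None

    def identity(self):
        # The IMSI is sent in clear only when no TMSI has been allocated.
        return ("IMSI", self.imsi) if self.tmsi is None else ("TMSI", self.tmsi)

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)

    def accept_tmsi(self, sealed: bytes) -> None:
        self.tmsi = cipher(self.kc, sealed)     # replace TMSIo by TMSIn


class HomeNetwork:
    def __init__(self):
        self._auc = {}     # IMSI -> Ki (Authentication Centre)
        self._tmsi = {}    # current TMSI -> IMSI

    def provision(self, imsi: str, ki: bytes) -> None:
        self._auc[imsi] = ki

    def resolve(self, kind: str, value):
        imsi = value if kind == "IMSI" else self._tmsi.get(value)
        return imsi if imsi in self._auc else None

    def triplet(self, imsi: str):
        """(RAND, expected SRES, Kc) pre-computed by the HLR/AuC."""
        ki, rand = self._auc[imsi], secrets.token_bytes(16)
        return rand, a3(ki, rand), a8(ki, rand)

    def reallocate(self, imsi: str, old, kc: bytes) -> bytes:
        new = secrets.token_bytes(4)
        while new in self._tmsi:                # never reuse a live TMSI
            new = secrets.token_bytes(4)
        self._tmsi.pop(old, None)
        self._tmsi[new] = imsi
        return cipher(kc, new)                  # TMSIn enciphered under Kc


def access(net: HomeNetwork, sim: Sim):
    """One access attempt. Returns (granted, messages seen on the radio path)."""
    kind, value = sim.identity()
    radio = [(kind, value)]                     # MS -> network
    imsi = net.resolve(kind, value)
    if imsi is None:
        return False, radio
    rand, expected, kc = net.triplet(imsi)
    radio.append(("RAND", rand))                # network -> MS
    sres = sim.respond(rand)
    radio.append(("SRES", sres))                # MS -> network
    if not hmac.compare_digest(sres, expected):
        return False, radio
    sealed = net.reallocate(imsi, value if kind == "TMSI" else None, kc)
    radio.append(("TMSI_REALLOC", sealed))      # network -> MS
    sim.accept_tmsi(sealed)
    return True, radio


if __name__ == "__main__":
    IMSI, KI = "001010000000001", bytes(range(16))   # constructed test values
    net = HomeNetwork()
    net.provision(IMSI, KI)
    genuine, clone = Sim(IMSI, KI), Sim(IMSI, bytes(16))
    for label, sim in (("first", genuine), ("second", genuine), ("wrong Ki", clone)):
        granted, radio = access(net, sim)
        print(label, granted, [kind for kind, _ in radio])
```

The exchange authenticates whichever device holds the SIM: nothing in it involves the subscriber, which is the gap the PIN of Section 2.3.3 is left to cover.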

Functional descriptions of security aspects are contained within Technical Specification GSM 02.09 (1998), with security related network functions within Technical Specification GSM 03.20 (1999) (Link: ETSI).


2.3.6 3G (UMTS) Security Drivers

It is sensible that the sensitivity of information associated with the services of a given network should be commensurate with the levels of protection inherent in that network.

The proposed services of wideband 2G and 3G networks (Cox 1997) require increased amounts of specific user data. This data will, at least, represent sensitive information, the user's current location for example, and potentially highly confidential information, financial details or third party authentication codes. These services demand more secure authentication systems to protect the information in the event of a masquerade attack.

The security functions incorporated into 3G (UMTS) are fundamentally based on those established with 2G (GSM), even when considering the enhanced services o f 3G.

Inherited security functions have generally been improved upon, like a stronger airinterface encryption algorithm and where new security features exist, they are focused around stronger protection and storage o f the data stream. There is no specific improved subscriber authentication aspect to the new security architecture.

The main security elements inherited from GSM are:

• Authentication of subscribers via secret knowledge

• Authentication of handsets via removable SIM

• Subscriber identity confidentiality

• Radio interface encryption

Security elements new to UMTS are:

• Security against using false base stations with mutual authentication

• Encryption extended from air interface only to include Node-B to RNC

• A mechanism for upgrading security features

• Security data in the network to be protected in data stores and while transmitting ciphering keys and authentication data in the system

The security needs of UMTS are covered by standards drawn up by its governing bodies (3GPP 1999), with work progressing within five feature groups (3GPP TS 33.102):

• Network access security

Secure access to 3G services: protecting the wireless link

• Network domain security

Secure exchange of signalling data: protecting the wired link

• User domain security

Secure access to MSs

• Application domain security

Secure exchange of application data

• Visibility and configurability of security

Features to continuously monitor and report the security state of the device and also set the security dependence of the device

Considering the attention 3G enabled devices are currently receiving and the new revenue streams covered in the previous Section, 3G is attracting a great deal of interest from the criminal element, in a similar way to the public Internet. With services suggested including medical records data, e-commerce, and online banking, an improved level of subscriber authentication is not only recommended, but a necessity.

The always-on Internet service further demonstrates the need for not only enhanced authentication, but a continuous monitoring scheme capable of detecting an intruder at the earliest possible stage.


On a typical 2nd Generation GSM handset, the consequences of theft or impostor access can be broadly grouped into two categories:

• Financial loss, as a result of the thief making calls at the legitimate subscriber's expense (depending upon the policy of the operator, these losses may not be passed on to the subscriber once the handset is reported as stolen).

• Breach of personal privacy, as a result of subscriber contacts' details being stored in the handset; although it is acknowledged that this is a limited amount of information, the disclosure of which would not normally be considered highly sensitive. Stored text messages may potentially have more significance, but would not generally represent a significant body of information.

When considering the nature of a 3G device, however, the potential consequences become far more severe. The inevitable convergence of current mobile telephony devices with PDA style devices, in addition to the novel services 3G itself will spawn, presents a completely different security picture. An always-on 3G mobile device can store, in addition to a phonebook:

• full contact details of friends, business colleagues and associates (Microsoft Outlook style contact lists can contain extensive personal contacts information, including spouse details, anniversaries etc.);

• personal financial details enabling mobile e-commerce (m-commerce);

• electronic certificates for digital signatures;

• email account details and history archives;

• miscellaneous information of a commercially sensitive or private nature (e.g. entered into a personal scheduler or simply plain text notepad documents);

• possible medical information enabling telemedicine.


2.3.7 Terminal vs. Network-centric Security

An important issue in the subscriber authentication debate is whether future security authentication and monitoring systems, and/or their enabling data, should reside within the mobile handset or within the operator network; or perhaps a hybrid of the two based on, at least, a security weighting for the required service.

Although UMTS, similar to GSM, shares the concept of a home network, the 'universal' aspect suggested in the name is based upon roaming between operators to suit the service requirements. This raises a number of important issues, not least of which is that any future security system designed to protect the enhanced services of wideband mobile networks needs to transcend the technological barriers of both the systems software and hardware, both nationally and internationally, raised by the different operator networks.

2.3.7.1 Terminal-centric Security

Consider first the terminal-based approach, where a subscriber's security profile or perhaps a biometric template is held within the mobile terminal (handset), or more likely within the mobile handset's SIM. This places responsibility for the security of any sensitive authentication data, and consequently security of the network portal, in the hands of the subscriber. Although from an operator's perspective this negates the need for specific government legislation on data-protection of potentially uniquely personal subscriber data, or additional network server security to protect such data, ensuring sufficient protection from abuse in such a system may be difficult, if not, in practice, impossible.

A terminal-centric security based technique would perform and maintain the integrity of its chosen authentication approach completely within the mobile handset. One major advantage to this approach, relevant to the current predomination of 2nd generation networks, is that the technique would not be a burden on network bandwidth; this will be far less of an issue in post 2nd generation networks. Subscriber authentication can also be performed completely independent of link/bandwidth availability, a potentially important issue considering the convergence of mobile with PDA style devices.

There are a number of hardware issues relevant to the terminal-centric solution also worth introducing. Firstly, additional authentication cycles will require additional processing within the mobile handset, requiring a more powerful handset CPU if the authentication process is not to impact on the normal operation of the handset. Of course, this would also have an associated toll on the handset's battery pack and subsequent recharge interval, in addition to operational temperature criteria.

2.3.7.2 Network-centric Security

There are some very strong arguments for introducing a network based security system; in fact some operators have shown reluctance to consider anything less, i.e. that placing security into the handset, and effectively the control of the subscriber, is inherently insecure from the outset. The justification for this approach is not the flexibility offered by enhanced personal mobility or the costing of the mobile handset, although these are certainly important issues, but the inherent insecurity of any network access system security outside of their own jurisdiction and management. Although this attitude may add fuel to the civil liberties debate, and Part 2 of the user authentication survey in Section 4.5 found a strong bias towards terminal-centric security (50%) compared to a network-centric approach (33%), in practice the network-centric solution represents a far more elegant and powerful solution. It enables network operators to better protect themselves and their subscribers, by centrally managing and securing subscriber security information, in a similar way to the IMEI (Section 2.3.2), and to better distribute new security systems and updates, offering ultimately a more secure solution to both the subscriber and the network operator. The discussion in Section 4.5 goes on to argue that the survey results may in fact represent participants' ignorance of the holistic view and the benefits a network-centric solution can offer.

Apart from the security management benefits offered by a centralised system, when compared to a distributed one, the network-centric technique offers the mobile consumer a significant convenience benefit, in the form of enhanced personal mobility.

2.3.7.3 Mobility

Potentially, one of the most attractive benefits of a network-centric security system is that of increased personal mobility (Furnell et al. 1996), where a subscriber may, for example, register with any terminal (fixed or mobile) in order to access their mobile operator's services, under their own personal subscription. Although GSM was originally designed to offer personal mobility via the SIM, operator network incompatibilities (both hardware and software) have restricted this to a limited mobility only within the subscriber's own operator network. In practice, the personal network mobility aspect offered by the mobile SIM is rarely utilised: how often is a network SIM card removed from a handset after being installed and the battery inserted? Even ignoring the obvious fact that the SIM usually resides behind the battery, within the closed body of the mobile handset, it is inherently too small and the SIM hardware interface too inconvenient to be of practical use as a token of true personal mobility. This argument is even more relevant with the introduction of the 3FF SIM standard, see Section 2.3.1.1. The sort of personal mobility proposed for next generation wideband systems (Section 2.2.4.2) can only be enabled via a non-token-based, non-knowledge-based, subscriber based, network-centric, non-intrusive, continuously monitoring authentication system. Current doctrine dictates that this can only be achieved through biometrics.

Of course, this ideal mobility scenario does suffer its own set of consequences. The primary points of issue are:

• Increased data (authentication) traffic over the wireless link;

• Subscriber authentication sample confidentiality;

• Subscriber location confidentiality;

• Biometric samples variability.

Taking each point in turn, the massively increased bandwidth of the next generation mobile networks should have little trouble handling the extra handshaking required by a subscriber based security system, even if authentication was performed continuously, especially when compared to the bandwidth of, say, a video conferencing signal. The second point of subscriber signature confidentiality reverses the trust issue mentioned earlier in Section 2.3.7.1. With the onus of data confidentiality in the hands of the network operator, subscribers must entrust sensitive, potentially biometric, data to a third party. Considering the current trend of seemingly mass distribution of personal contact information to the highest bidder and the albeit justified paranoia of national security agencies after world events like the September 11th terrorist attack (911 2001), confidentiality of bank, medical or biometric information must be brought into the spotlight. Following on with this discussion, continuously monitoring mobile systems also have the potential, whether desired or not, of tracking users across heterogeneous networks (Herzberg 1994). When considering the dynamic nature of biometric samples, this is less of an issue when considered within the context of a continuously monitoring security system. Such a system could incorporate a middleware architecture, designed specifically for the management of biometric templates, including:

• threshold management of non-Boolean authentication outcomes;

• continuous maintenance and augmentation of signature data over time;

• alternative access provision(s) in the event of authentication failure due to, for example, a change in a user's biometric markers as a result of physical injury.
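A sketch of the three middleware functions listed above, added here as an illustration and not taken from the thesis. The two-dimensional feature vectors, the distance-based score, the thresholds and every class and method name are assumptions chosen for the example.

```python
"""Threshold management for a continuously monitored biometric session."""
import math
from dataclasses import dataclass


@dataclass
class ContinuousAuthenticator:
    template: list                 # enrolled feature vector (constructed, 2-D here)
    accept: float = 0.75           # confidence at or above this: session continues
    reject: float = 0.40           # confidence below this: session is locked
    smoothing: float = 0.5         # weight of the newest sample in the running confidence
    adapt_rate: float = 0.1        # fraction by which the template follows a trusted sample
    adapt_min_score: float = 0.9   # only near-certain samples may update the template
    scale: float = 10.0            # distance at which the match score reaches zero
    confidence: float = 1.0        # session starts right after a successful login
    state: str = "active"

    def score(self, sample) -> float:
        """Non-Boolean match score in [0, 1] from Euclidean distance to the template."""
        return max(0.0, 1.0 - math.dist(self.template, sample) / self.scale)

    def observe(self, sample) -> str:
        """Fold one non-intrusive sample into the session and return the new state."""
        if self.state == "locked":
            return self.state
        s = self.score(sample)
        self.confidence = (1 - self.smoothing) * self.confidence + self.smoothing * s
        if self.confidence < self.reject:
            self.state = "locked"
        elif self.confidence < self.accept:
            self.state = "challenge"       # ask for the alternative access method
        else:
            self.state = "active"
            if s >= self.adapt_min_score:  # template maintenance on trusted samples only
                self.template = [t + self.adapt_rate * (x - t)
                                 for t, x in zip(self.template, sample)]
        return self.state

    def fallback_passed(self, reenrol_sample=None) -> str:
        """Alternative access succeeded (e.g. a PIN); optionally re-enrol the template."""
        if self.state == "challenge":
            if reenrol_sample is not None:
                self.template = list(reenrol_sample)
            self.confidence = self.accept
            self.state = "active"
        return self.state


def run_session(auth, samples):
    return [auth.observe(s) for s in samples]


def demo() -> dict:
    # Constructed samples: the owner drifts slowly, an impostor is far from the template.
    owner = ContinuousAuthenticator(template=[50.0, 50.0])
    drift = run_session(owner, [[50.5, 50.0], [51.0, 50.0], [51.5, 50.0]])

    taken = ContinuousAuthenticator(template=[50.0, 50.0])
    takeover = run_session(taken, [[50.5, 50.0], [50.2, 50.0],
                                   [59.0, 50.0], [59.0, 50.0], [50.0, 50.0]])

    injured = ContinuousAuthenticator(template=[50.0, 50.0])
    first = injured.observe([57.0, 50.0])            # markers changed abruptly
    injured.fallback_passed(reenrol_sample=[57.0, 50.0])
    after = injured.observe([57.2, 50.0])
    return {"drift": drift, "drift_template": owner.template,
            "takeover": takeover, "takeover_template": taken.template,
            "injury": [first, after]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Restricting template updates to high-scoring samples keeps an impostor's samples from being absorbed into the owner's template while the session is degrading.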

Subsidy Lock and Mobility

The subsidy lock is popularly used by network operators to lock mobile handsets to the service provider's own network, irrespective of the SIM card. Once a mobile handset is subsidy locked to a specific operator network, inserting a SIM card from an alternate operator network will cause the handset to lock. The relevance of subsidy lock to the issue of mobility is that by physically tying the terminal to the host network, mobility originally designed into the mobile hardware is being restricted. The reason for this is the business model network operators use, which depends on mobile handsets being sold at subsidised prices, in return for the consumer committing to a minimum term contract.

2.3.8 Continuous, Non-Intrusive Security

One of 3GPP's requirements for secure UMTS service provision is that it should be possible for network service providers to "authenticate users at the start of, and during, service delivery" (3GPP 1999). Authentication during service delivery represents a departure from the established 2G approach and again implies the need for a non-intrusive approach to avoid disrupting a subscriber's legitimate network activity. Options for achieving this may be related to periodic or continuous supervision of subscriber activity, utilising behavioural profiling techniques or continuous biometric monitoring.

There is already a significant emphasis upon subscriber profiling in order to counter fraud, with operators applying data analysis techniques to network data in order to identify and flag potentially fraudulent transactions (Modisette 1999). The same principles could be extended to the user authentication environment for anomaly detection. Profiling could encompass factors such as the types of services typically accessed and the times/durations of access in order to construct a model of the subscriber's normal behaviour. Such techniques have been the focus of work in the general IT domain for some time and have already been incorporated into network-based intrusion detection systems (Porras and Neumann 1997).
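One way to build such a behavioural model from the three factors named above (service type, time of access, duration), added as an example that is not part of the thesis. The service catalogue, the session records, the scoring formula and the choice of alert threshold are all assumptions constructed for the illustration.

```python
"""Behavioural profiling of a subscriber: services used, time of day, duration."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

SERVICES = ("voice", "sms", "wap", "email", "m-commerce")  # assumed service catalogue

# Constructed history of one subscriber: (service, hour of day, duration in seconds)
HISTORY = [
    ("voice", 8, 120), ("voice", 9, 90), ("sms", 9, 5), ("voice", 12, 200),
    ("sms", 12, 6), ("wap", 13, 60), ("voice", 18, 150), ("sms", 18, 5),
    ("sms", 19, 7), ("voice", 19, 100), ("wap", 20, 45), ("sms", 20, 6),
]

# Constructed sessions to be checked against the profile
NEW_SESSIONS = [
    ("voice", 18, 130),        # ordinary evening call
    ("m-commerce", 3, 600),    # never-used service in the middle of the night
    ("sms", 12, 6),            # ordinary text message
    ("voice", 19, 7200),       # familiar service and hour, two-hour duration
]


class SubscriberProfile:
    MIN_STD = 0.25  # floor on the log-duration spread so tiny samples do not over-fit

    def __init__(self, history):
        self.n = len(history)
        self.service_counts = Counter(s for s, _, _ in history)
        self.hour_counts = Counter(h for _, h, _ in history)
        logs = defaultdict(list)
        for service, _, seconds in history:
            logs[service].append(math.log(seconds))
        self.duration_model = {s: (mean(v), max(pstdev(v), self.MIN_STD))
                               for s, v in logs.items()}
        # Alert threshold (assumption): the most unusual session seen during profiling.
        self.threshold = max(self.score(session) for session in history)

    def _p_service(self, service):
        # Laplace smoothing: an unseen service is rare, not impossible.
        return (self.service_counts[service] + 1) / (self.n + len(SERVICES))

    def _p_hour(self, hour):
        # Count the hour and its two neighbours (circular clock), then smooth.
        near = sum(self.hour_counts[(hour + k) % 24] for k in (-1, 0, 1))
        return (near + 1) / (3 * self.n + 24)

    def score(self, session) -> float:
        """Anomaly score: surprisal of service and hour plus a duration penalty."""
        service, hour, seconds = session
        total = -math.log(self._p_service(service)) - math.log(self._p_hour(hour))
        if service in self.duration_model:
            mu, sigma = self.duration_model[service]
            z = (math.log(seconds) - mu) / sigma
            total += 0.5 * z * z
        return total

    def is_anomalous(self, session) -> bool:
        return self.score(session) > self.threshold


def review(profile, sessions):
    """Return the sessions that should be flagged for follow-up."""
    return [s for s in sessions if profile.is_anomalous(s)]


if __name__ == "__main__":
    profile = SubscriberProfile(HISTORY)
    for session in NEW_SESSIONS:
        flag = "FLAG" if profile.is_anomalous(session) else "ok"
        print(f"{flag:4} score={profile.score(session):6.2f} {session}")
```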

Features of 3G handsets that will enable advanced subscriber services also offer the potential to facilitate more advanced security options. For example, a number of biometric approaches (Cope 1990) could conceivably be integrated in a non-intrusive manner, depending upon the nature of the mobile device and the service being accessed.

2.4 Conclusion

Mobile security within the currently evolving generations of mobile communications technology is still predominantly based on the security systems set in place over a decade ago when 2nd generation mobile communications networks, and rudimentary services, were first introduced. As the technology rapidly progresses and new individual services are conceived, the supporting security systems need to evolve rapidly in order to maintain protection commensurate with the risks and consequences associated with the new developments. The next chapter is devoted exclusively to the opinions of the general public on the specific mobile security related issues raised within this chapter.


Chapter 3

Assessing Subscribers' Attitudes towards Mobile Services and Security


3 Assessing Subscribers' Attitudes towards Mobile Services and Security

As an integral part of the assessment stage of the PhD, in addition to the technological review covered in Chapter 2, a public opinions survey into mobile telephony based security and related issues was conducted. This chapter, along with a separate subsection on biometrics and advanced security (see Section 4.5), presents an in depth discussion and interpretation of the survey results; a full copy of the survey questions is included in Appendix C.

3.1 Introduction

It has been established in the previous chapters that the current 2nd generation GSM and 3rd generation UMTS systems offer only one line of defence at the Human-Computer Interface (HCI), an impersonal knowledge-based system susceptible to masquerade attack: the traditional Point-of-Entry (PoE) PIN. In order to gauge public opinion on this and other mobile authentication issues, a survey was conducted. The survey was primarily distributed online over an extended period of two years, with additional hard copy local distribution within the University of Plymouth (Rodwell and Clarke 2002), accumulating just under 300 sets of respondents' results. The survey was also marketed through various online links and university-based public announcements.

The primary aim of the survey was to evaluate subscriber awareness and attitudes towards the various forms of security available within their mobile devices and their understanding and opinions regarding the various forms of enhanced security available in general. A hypothesis was formed, which the survey aimed to investigate, that states:


The majority of mobile subscribers either do not understand or are lacking well founded opinion on mobile security issues. They are also generally ignorant of the security implications of the advanced services being offered through the next generation of wideband networks known as 3G.

This attitude unfortunately reflects the success of the technology suppliers' marketing campaigns, where the latest ring-tones and third party connectivity are highlighted over security features, which are usually disabled by default and their activation buried within the user manual. Although to date security has rarely been a marketing attractor, a fact highlighted by survey respondents' purchasing priorities, discussed later in this chapter, it could also be argued that product marketing is simply reflecting the fact that there have been no new or significant security developments to market or promote.

The survey consists of four main sections, each intended to assess a certain aspect of the participant's views and understanding of their mobile usage. These sections are:

• Demography: Fundamental data on participants' gender, age group and affiliation (if any) with the University of Plymouth.

• Services: Questions covering operator networks, hardware and services usage and which aspects the user considered important when selecting them. This helps gauge the level to which additional security can be considered necessary.

• Security: A selection of questions covering respondents' views and awareness of existing and future methods of mobile security. Users' perception of security is considered to be fundamental to its acceptance and subsequent adoption.

• Topic Awareness: A selection of topical mobile related questions, in order to gauge the participant's basic depth of knowledge of the subject area.


3.2 Demography

The survey was available online for a period of two years, covering the years 2002 and 2003. The only formal requirement of participants was that they had experience of owning or using a mobile phone at some stage prior to completing the survey.

[Bar chart: number of respondents by gender (Male, Female) for the age groups Under 16, 17-24, 25-34, 35-44, 45-54, 55-64 and Over 65.]

Figure 3-1: Security survey demography

From the 297 respondents, the majority fell into the '17 - 24' category with a bias towards male respondents, as illustrated in Figure 3-1. There are a number of variables which should be considered when analysing these figures:

• Survey marketing: The marketing and distribution of the survey amongst a specific population; e.g. links on Internet websites.

• Survey distribution: The popularity/penetration of the distribution medium(s) within certain sub-groups of a population; e.g. the Internet with students.

• Respondent interest: The appeal of the survey topic to specific sub-groups of a population; e.g. mobile technology to teenagers.

• Respondent character: The willingness of specific sub-groups to actually participate in a voluntary survey; e.g. the unemployed.


The survey was hosted on a university campus server through a departmental website with a bias towards IT and electro technology; it was therefore expected to have an initial majority penetration amongst males of classical university age. It can, however, be demonstrated that amongst the general population, adoption of mobile technology is predominant amongst those within the age group 15-24 years (Miller 2001; Squires 2001; Competition Commission 2003), closely reflecting the survey's respondent population. It has also been found that the differing views of men and women on the adoption of mobile services are in fact minimal (CellularOnline 2004). The survey's results can therefore be accepted, with some confidence, to statistically represent a fair reflection of typical mobile user attitudes.

3.3 Access and Services

Services are the raison d'etre of mobile communications, especially in the post 2G arena. This section covers respondents' selection criteria for both mobile hardware and service providers, in addition to their usage of the services available at the time of the survey and their perceived future services requirements.

3.3.1 Network Operator Survey Shares

In order to obtain an overall picture of service usage, it is necessary to know some basic details about subscribers' choices of both network operator and mobile hardware. Figure 3-2 shows the variation in respondents' choices of network operator (by market share) in comparison to the actual UK figures (W2F 2004). It can be seen that, although the UK market share of mobile network operators is distributed relatively equally, there is a marked variation in the survey respondents' choices of operator.

[Bar chart: respondent versus actual UK market share (%) for T-Mobile, Orange, Vodafone and Other.]

Figure 3-2 : Network operators' market-shares

There are a number of possible reasons for this variation, related primarily to the network operators' presence in the primary survey location. These are:

• Operator's mobile coverage.

• Operators' commercial outlets.

• Operator specific promotional incentives: services, handsets, gifts.

• Independent 3rd party supplier promotional incentives: services, handsets, gifts.

• Survey population.

Although the main UK network operators share almost complete national population coverage, the T-Mobile brand had the weakest network coverage in the survey region at the time of the survey, reflected in T-Mobile's poor result compared to its actual UK share.

It could be further hypothesized that a high profile presence of the Orange brand within the city where the survey was marketed could have also biased the local respondents to this brand. As all network operators offer similar services within a standardised security architecture, these results will not bias the overall security aspect of the survey.


3.3.2 Handset Supplier Survey Shares

There are currently more mobile handsets in the UK than people (W2F 2004), with around 8 out of 10 adults owning at least one of the 60 million active mobile handsets. Of those surveyed, 85% left their handset switched on for more than 10 hours a day, making it the first choice for instant communication. When considering this, it is worth reasserting the point that from the humblest 2G handset to the latest 3G devices, they all share the same basic subscriber PoE PIN and hardware SIM card authentication mechanisms.

Figure 3-3 shows the variation in respondents' choices of handset compared to national and global figures for the year of completion of the survey (CellularOnline 2003).

[Bar chart: respondent, actual (UK) and actual (global) market share (%) for Motorola, Sony Ericsson, Nokia, Samsung, Siemens and Other.]

Figure 3-3 : Handset manufacturers' market-shares

Acknowledging slight variations in respondents' choices of handset compared to UK national figures, Figure 3-4 shows the market share results as a line chart of linked values to visualise the survey results' correlation with UK market shares: a good result in support of the validity of the survey. A global plot is also included showing clear correlation with international market shares for the named suppliers, with only the non-UK other suppliers appearing to significantly upset the trend.

[Line chart: respondent, actual (UK) and actual (global) market shares (%) plotted as linked values for Motorola, Sony Ericsson, Nokia, Samsung, Siemens and Other.]

Figure 3-4 : Handset manufacturers' market-shares correlation plot

3.3.3 Network Operator Selection Criteria

When considering a mobile subscription, either contract or Pay-As-You-Go, there are essentially two decisions which the buyer has to make: choice of the network operator and choice of the handset supplier. Dealing with these issues in turn, the survey first investigates the buyers' views on a selection of network operator criteria. The results have been sorted in order of importance to the buyer, from left to right in Figure 3-5.

[Bar chart: High, Medium and Low importance votes (%) for the criteria Price, Deals etc.; Network Coverage; Reliability; Handset Choice; Brand Loyalty; Security Features.]

Figure 3-5 : Network operator user selection criteria

It was found that 77% of subscribers considered contract cost, or handset subsidy for prepay, to be of greatest importance, followed closely by network coverage and reliability. The results are not surprising as these are quality of service issues and any change or variation would noticeably affect the service. Choice of handset sits in the middle of the table, neither strongly persuading nor dissuading potential customers, reflecting the fact that not only do the majority of handsets offer similar specifications, but also that all network operators offer a choice of nearly all available handsets. With brand loyalty only commanding 28% of customers' votes, it is not surprising the lengths network operators go to in order to keep existing customers, offering the latest handsets and preferential rates when a subscriber threatens to change supplier when a contract expires. Finally, and in support of the hypothesis introduced in Section 3.1, security features reside at the bottom of the list of buyers' criteria of importance when considering a network operator.

[Line chart: High, Medium and Low importance votes (%) linked across the criteria Price, Network, Reliability, Handset, Brand and Security.]

Figure 3-6 : Network operator user selection criteria (linked maximum values)

The line chart of linked maximum values in Figure 3-6 clearly visualises that security was considered the least important operator selection criterion, with the highest (26%) Low importance vote and the lowest (23%) High importance vote. To further emphasise the point, security also received the highest (51%) moderate (no strong opinion) vote.


3.3.4 Handset Selection Criteria

When considering the choice of handset, 61% of respondents considered battery life to be of greatest importance from the selection of choices; more than double the second most popular issue of 3rd party connectivity (Bluetooth, IR etc.). With a similar result to the network operator result in Section 3.3.3, brand loyalty was considered of higher importance than security, albeit by a narrower margin. Although security features command a stronger overall position than in the network operator results, they still received the highest proportion (49%) of the moderate vote and a significant quarter (27%) of the low importance vote, demonstrating either consumer misunderstanding or genuine lack of consideration for security issues. Once again, this is an important result in support of the hypothesis stated in Section 3.1. It is also interesting to consider that the only issues that respondents considered less important than security were essentially insubstantial: mobile accessories, handset games and swappable fascias.

[Bar chart: High, Medium and Low importance votes (%) for the criteria Battery, Connectivity, Brand, Security, Accessories, Games and Swappable fascias.]

Figure 3-7 : Mobile handset user selection criteria

Figure 3-7 shows a complete breakdown of the results, sorted in order of considered high importance. It is accepted that the list of offered criteria is not exhaustive; it does, however, enable security to be ranked within a representative selection of options.

3.3.5 Services Usage

Having justified the need for enhanced subscriber authentication, based on the enhanced services of the new wideband mobile networks, the survey proceeded to explore existing service usage and investigate the trend towards acceptance and adoption of enhanced data services. It is not unexpected to find that the majority of respondents still use their mobile handset principally as a form of mobile communication, either through real-time telephony or the data based Short Message Service (SMS), currently in the order of 2.1 billion per month nationally (W2F 2004). What is of more interest is that 5% of respondents DO NOT consider telephony of high importance, preferring the data based services of their device; translated nationally this represents around 3 million users, or the entire population of Wales (UK) (Link: National Statistics).

[Bar chart: Yes, No and Not Available responses (%) for Text Message, Telephony, WAP Services, International Roaming, Information Services and Email.]

Figure 3-8 : Mobile services popularity (circa 2003)

The results shown in Figure 3-8 are representative of the primary existing services of 2nd generation networks at the time of the survey. Although the usage of WAP Internet based services only accounted for 36% of respondents' votes, nationally around 780 million WAP pages were being accessed per month (W2F 2004). To demonstrate the recent growth in this area, this figure had risen by 42% the following year to 1.11 billion (W2F 2004), driven by factors such as the massive rise in popularity of ringtones and the Euro 2004 football competition, some matches of which were only available live online and not available in a mobile context through any other service.

3.3.6 Preferences for Future Services

The number of mobile handsets with GPRS-enabled Internet and Multimedia Message Service (MMS) capability doubled in the year 2003 to 2004 and is expected to account for 75% of all UK mobiles by the end of 2005 (W2F 2004). This will bring the total number of Internet capable handsets in the UK to around 53 million, potentially connecting up to 88% of the UK population to the World Wide Web via at least one access terminal.

Although many of the future services offered for opinion at the commencement of the survey are now current technology, such is the growth in the area, all were proposed as future services, with only MMS being rolled out nationally by the completion of the survey in 2002. The selected services were all based on the enhanced services' capabilities enabled by the network access technologies of wideband mobile networks.

[Bar chart of respondents answering Yes for each future service: GPS, MMS, Video Calls, Music Download, Video on Demand, OnLine PDA, Mobile Commerce, Extra Games.]

Figure 3-9 : Future mobile services' user preferences

Figure 3-9 shows the results of the respondents' preferences, placed in order of desire. Notice the general strength of opinion towards future services, supporting current mobile growth trends and consumers' insatiable appetite and desire for more services.

Coming out top with 82% were Global Positioning Services (GPS) based services, offering the facility to not only inform the user as to where they are at any particular time, but essentially enabling Location Based Services (LBS); for example, to supply real-time directions to a local facility (a bar or a petrol station). With the SMS service well established in the psyche of the mobile user, it should not be too surprising to find its multimedia equivalent, the MMS, very high in the chart, proving a popular choice with 80% of respondents. Two years on and the growth in camera phones has translated this desire into a MMS market estimated to be worth £5 billion by 2004 (Juniper Research, 2002). From the remaining video based services, video conferencing proved marginally more desirable than video on demand (VoD), although the respondents' appreciation of the scope of VoD is arguable, as its current existence in the world of television limits it to films. Scenarios of a VoD file arriving on your handset the instant a favourite sports team scores a goal, an intruder alarm is triggered in your home, or a local news story breaks from a location outside the UK (for foreign nationals) may not have been considered. Mobile commerce is still in its infancy in the UK compared to the now well established Internet-based ecommerce. This is likely to change rapidly with the growth of wideband networks and the improved rich Internet browsing experience they offer. The demise of WAP enabled light browsing and slow unreliable 2G data links should finally bring ecommerce to the mobile, with subscribers purchasing online goods in much the same way and frequency as seen on traditional Internet-enabled computers. It is interesting that although only 10% of respondents considered games of high importance when selecting a handset in Section 3.3.4, 44% expressed a desire for more or better games in the future. Although games still reside at the bottom of the popularity chart, the growth in wideband enabled online gaming will surely change users' perception of a mobile game from being 'Tetris', in a similar way to early computer users' view of a computer game as being 'Pong'.

This section of the survey has shown that the trend in mobile usage is moving inexorably towards wideband data services, which the respondents have indicated they would be keen to use. The majority of these services will require the use of some form of personal data, whether it is stored purchasing profiles or banking details for mobile commerce, current subscriber position for LBS or private video messages recorded for MMS or video conferencing. These services demand a commensurate level of protection to guard against masquerade abuse, protection currently not offered and only realisable through a subscriber-based authentication system.

3.4 Mobile Security

This section covers a selection of questions investigating respondents' views and awareness of existing and future methods of mobile security. Users' perception of security is considered to be fundamental to its acceptance and subsequent adoption.

3.4.1 Experiences of Mobile Handset Abuse

It has been established that the primary method of user authentication for mobile handsets is a PoE PIN code. Before ascertaining the survey respondents' awareness and attitude towards existing security techniques, they were questioned on their own experiences of mobile handset abuse. It was found that 28% of respondents reported cases of theft or abuse of their handset, as shown in Figure 3-10.

[Bar chart, ordered by severity, of handset abuse reported by respondents; bar labels cover handsets Borrowed and Stolen, with No calls, Tampering or Calls made.]

Figure 3-10 : Personal experiences of handset abuse

It can be seen from the results that handset theft is the most common form of criminal abuse, with half of those handsets stolen being subjected to further masquerade network abuse. It can be strongly argued that although abuse of a handset loaned to a friend or colleague can be inconvenient (e.g. changing the handset default language) and even unexpectedly cost the legitimate user money (for example, calling a premium rate number), in such cases a high degree of liability rests with the legitimate user and their own judgement. This is not to say that a suitable subscriber authentication mechanism would not be appropriate. On the contrary, imagine a scenario where a network had the appropriate security infrastructure to reliably authenticate subscribers in real-time and immediately react to services that fall outside of a pre-defined operational envelope or behavioural profile, without specific permission from the legitimate user. Chapter 5 introduces a novel authentication system conceived specifically to address this issue, when integrated into an appropriate mobile security framework.


3.4.2 User Issues Regarding Mobile Handset Authentication

Section 2.3 of the thesis introduced and discussed the IMEI, the primary mobile hardware authentication mechanism. The survey questioned respondents on their awareness of the IMEI and its relevance to security, with an alarming 41% of participating users claiming no knowledge even of its existence. This could have serious implications for the recent security drive to harmonise and regularly update network operators' IMEI black lists (GSM Association 2002). If 41% of users are unaware of the existence and significance of the IMEI, 41% of users are unlikely to realise the importance of reporting a stolen handset, risking the handset's IMEI not being black listed within the CEIR.

When asked about the primary user authentication mechanism, the Personal Identification Number (PIN), it was not a surprise to find more than 99% of respondents familiar with the technique; this approach is universally used outside of mobile circles.

Although 69% of those users questioned also engage the PIN to protect their handsets at switch on, this still leaves 31% of respondents' handsets completely unprotected by the only form of subscriber authentication currently available. If this result is scaled up to the UK population (2004), it represents some 18.6 million handsets, or approximately the population of greater London (Link: National Statistics 2003). Perhaps the reason for this is the fact that a remarkably similar 31% of survey respondents consider the PIN authentication mechanism to be inconvenient and intrusive. This highlights the point that no matter how effective a security system may or may not be, if it is a voluntary system and is not perceived as being convenient, it will not be widely accepted. Any proposed future authentication mechanism must therefore not even be a convenience issue, but completely transparent in operation.


Of those users questioned who regularly use the PIN, it was found that over a third (39%) have never changed it from the factory default (usually '0000'): this would be the first and most obvious attack for a potential abuser. As manufacturer hardware default PIN codes are easily found, usually printed in the hardware handbooks, by not changing the default PIN a user is effectively advertising their PIN code to every similar hardware user, in addition to openly on the internet via chat rooms and forums. These users essentially have no more protection than the 31% of users who do not use the PIN at all; they can therefore be aggregated to give an overall figure of unprotected handsets in the UK of 70%!

[Bar chart of how often respondents change their PIN: Monthly, Yearly, Initially at purchase, Never, Other.]

Figure 3-11 : Frequency of mobile handset PIN changes

For those users who do change their PIN, Figure 3-11 clearly shows that the vast majority perform the action only once at time of purchase and not again. Although this is a major improvement over using the default PIN, it does imply another recognised PIN-related security issue: PIN multi-casting. With 36% of respondents admitting to using the same PIN code for multiple services, the probability of an individual PIN being compromised is greatly increased, as are the consequences. A likely reason for extensive PIN reuse is the proliferation of knowledge-based authentication mechanisms, the average person now having to remember up to 10 password/PINs (Link: CompTIA).


With the majority of personal resources now password/PIN protected (bank cards, mobile communications, internet based services), users are now required to memorise many critical security access codes, with the almost inevitable consequence of reuse or multi-casting. When those surveyed were asked if they have ever used a PIN Unlock Code (PUK), due to either forgetting or mis-entering their PIN, it is debatable whether the 38% of 'yes' respondents were admitting just poor memory, or good security protocol by conscientiously assigning different PINs to different personal services.

[Chart of respondents' ratings of the PIN mechanism: Very Confident, Confident, Adequate, Inadequate, Indifferent.]

Figure 3-12 : Users' perceived effectiveness of the PIN mechanism

Considering the PIN-related security issues discussed previously, 86% of those surveyed had a definite opinion on the effectiveness of the PIN technique. The curve in Figure 3-12 represents a distinct Gaussian distribution around a feeling of only adequate protection offered by the PIN approach. When considering this result, it needs to be reaffirmed that around the time of the survey, mobile services were still predominantly 2nd generation telephony-based services, with data-based services still in an embryonic state. A recent joint study by Cranfield University and the London School of Economics (LSE) and funded by the Department of Trade and Industry (DTI) broadly supports this mood, indicating that consumer confidence in mobile communications devices, including wireless devices, is at its lowest point for a decade (IEE IP 2005a).

Although the PIN has not moved on as the basis of HCI security for mobile handsets, it has been shown in Section 2.2.3.3 and subsequently discussed, that mobile devices, the networks which they serve and the advanced services they enable certainly have.

3.5 Topic Awareness

To gauge an awareness of the survey participants' level of understanding of mobile related issues, the demography performed in Section 3.2 was complemented with a selection of three, progressively more specialised, mobile communications questions.

The first question relates to the issue covered in Section 3.3.1, that of UK mobile network operators, and it was expected that the majority of UK mobile users would be familiar with the major UK network providers and spot the rogue provider (Nokia). Question 2 presented a more difficult choice of IT based acronyms, one of which (ADSL) is not related to the field of mobile communications, but wire-based communications. The final technical question required the participant to identify the basic data-rate of GSM mobile communications. All the offered solutions are widely advertised valid communications data-rates from both mobile and wire-based disciplines and as such present a difficult choice to the respondent not familiar with the correct solution. The multiple-choice options were:

• 9.6 Kbps - The standard GSM data-rate.

• 14.4 Kbps - An example of a multiple time-slot (x2) HSCSD rate.

• 56.6 Kbps - The standard V.90/92 home dial-up internet data-rate.

• 64 Kbps - The standard (x2 channels) ISDN data-rate.


The set of results shown in Figure 3-13 tend to indicate that the survey population were relatively familiar with the issues and terminology of mobile communications, primarily indicated by the high success rate achieved on question 3. This was not entirely unexpected after the demographic results in Section 3.2 indicated that the predominant profile for a survey respondent was male, aged 17-24, with a bias towards technology.

[Bar chart of correct responses: Q1 - Nokia 80%, Q2 - ADSL 77%, Q3 - 9.6 kbps 47%.]

Figure 3-13 : General user awareness of mobile issues

In analysing the results, only 80% of respondents identified Nokia as one of the dominant mobile handset suppliers and not a mobile network operator. This could be due to the fact that both are essentially mobile service providers and distinguishing between the two may be inconsequential to the consumer. 77% of respondents recognised ADSL as a landline telephony delivery service and not a current mobile technology. This is a strong result for a technology question and is likely influenced by the heavily marketed broadband internet rollout over the last few years, enabled by ADSL technology and marketed as such.

Almost half of respondents (47%) knew the basic data transmission rate of 2nd generation GSM to be 9.6 Kbps. This is another strong result for this technical question and indicates a high degree of understanding of mobile issues by a large proportion of the respondent audience, backing up the survey results on technical questions.


3.6 Conclusion

The rapid growth in mobile data services has highlighted the weakness of the existing user authentication system. This survey identified that by the end of 2003, users were already using rudimentary data services and that they are willing to use future services as and when they became available. Recent research from the Gartner Group suggests that currently around 90% of mobile devices are lacking the security to prevent hackers from gaining access (Gold 2004).

The hypothesis introduced in Section 3.1 has been upheld. Although 85% of respondents appeared to recognise the need for additional security in future generations of mobile devices, this is in clear contradiction to the 70% of respondents who do not actively use the existing PIN system. This tends to indicate that it is the authentication mechanisms themselves, rather than the concept of security that users are rejecting.

To address this issue, what is needed is a non-intrusive subscriber authentication mechanism, not token-based or knowledge-based, but user-based. A mechanism that can be implemented transparently, reliably authenticating the active user continuously and conveniently; acting as a network gate-keeper in addition to protecting sensitive subscriber data from masquerade abuse. A system that will be:

• Accepted by network operators and service providers.

• Tolerated by mobile subscribers.

• Widely used.

The next chapter investigates truly personal authentication mechanisms, drawing from the discipline of biometrics as a foundation for a solution to the problem.


Chapter 4 : Biometrics and Mobile Devices

Chapter 4

Biometrics and Mobile Devices


4 Biometrics and Mobile Devices

Having established a need for enhanced mobile subscriber authentication in Chapter 2, this chapter proceeds with a review and discussion of biometrics and its applications. The field of biometrics has been chosen as the primary resource for tackling the authentication issues raised and forms the foundation of the novel authentication mechanism introduced in Chapter 5, which is the core of the PhD research.

4.1 Introduction

Biometrics describes the 'automated recognition of individuals based on their behavioural or biological characteristics' (ISO/IEC JTC1/SC37 2004). It is the method of identification we all use everyday to recognise everyone we meet, from the closest family member to the occasional chance meeting of an old friend in a corridor. In its purest form, biometrics is incredibly powerful and enables near perfect recognition in minimal time. It allows a person to recognise a familiar character from within a group of almost limitless size, almost instantly, and then to continuously reconfirm the identity with near zero error. Even when used with human senses in isolation, we have all recognised a familiar voice within the melee of a bar or on the end of a phone, or a familiar face in a crowd from a distance or on the television, without giving it a second thought. It is perhaps therefore not surprising that security firms are striving to harness this powerful technique, for if a system were even to approach the efficiency of the human biometric system, masquerade attacks could be reduced significantly, releasing funds currently lost to identity fraud and litigation, estimated at £1.3 billion in 2004 (Home Office 2006) and enabling a host of new identity-assured services to be brought to market.


In practice, the human biometric system has been perfected over thousands of years and an artificial implementation of techniques familiar to a young child is incredibly complex without the processing resources of the human brain. Nevertheless, groundbreaking biometric techniques like fingerprint recognition have been in use by New Scotland Yard, the headquarters of the Metropolitan Police, since 1901 (MET 1901) and 1968 saw the introduction of 'Identimat', the first commercial electronic biometric system, costing US$20,000, for a Wall Street (USA) investment bank (Konstantinos 1997). Although in IT terms, progress within the field of biometrics has been relatively slow, in 2003 the Massachusetts Institute of Technology (MIT) predicted biometrics to be one of the top-ten emerging technologies expected to "change the world" (MIT Tech 2003). After the September 11th terrorist attacks on the United States (911 2001), the U.S. Government announced "Biometric Identifiers" as a top priority in their fight against terrorism (Bush 2002), forming the InCITS (International Committee for IT Standards) M1 Technical Committee for domestic biometrics standards.

Widespread adoption of biometric security systems is still however in its infancy. A recent sobering report by the London School of Economics (LSE), rather ironically not even addressing the predominant technical hurdles of biometrics, warned that the biometric techniques proposed for the UK government's National Identity Card program may fall foul of 'disability anti-discrimination legislation' (IEE IP 2005b). However, before negotiating society's politically correct minefield and individual disability issues, such as the difficulty a blind person could have positioning appropriately for an iris scan, certain biometric approaches consistently work better or produce lower error rates, with certain individuals. Even considering these issues, Figure 4-1 shows that biometrics is currently witnessing substantial commercial growth, with revenues increasing by around 60% year on year, from US$20 million in 1996, to US$1.2 billion in 2004 and predicted to exceed US$2.5 billion by 2006 (Norton 2004; IBG 2004).

[Bar chart of annual biometric revenue for 2001 to 2006.]

Figure 4-1 : Biometric revenue growth, 2001-2006

4.2 What You Are

The process of user authentication, which describes the comparison of an input sample against one or more reference samples, can traditionally be broken down into three distinct categories, those of: What you know, What you have and What you are.

Arguably the simplest form of authentication is the password or ubiquitous PIN (Smith 2002, pp.163), representing What you know. As discussed in Section 2.3.3, the PIN is the established authentication mechanism for validating a user to their mobile handset. To validate the mobile subscription on the network, a SIM is inserted into the handset, carrying the appropriate authentication data (Section 2.3.1). This SIM represents the second authentication category, that of What You Have and together with the PIN, these two mechanisms constitute subscriber authentication within the current mobile security framework. Although biometrics are rarely applied to current mobile technology, the third authentication category of What You Are offers networks many advantages over existing mechanisms.


4.2.1 Authentication Security Focus

With traditional knowledge-based and token-based authentication systems, the effective security resides solely in the strength of the password and location of the hardware, respectively, which can exist independent of the authentication system; see Figure 4-2. Consequently, any user can use the registered user's authentication mechanism to gain access to the protected network, a masquerade; independent of security policy.

[Diagram labels: Registered User, Any User, Security, Password or Token, Authentication Gateway, Protected Network.]

Figure 4-2 : Security focus in a knowledge/token based security system

In contrast, biometric-based security utilises an authentication mechanism or biometric markers which are inseparable from their owner and authentication cannot be performed independently of the registered user. Authentication is truly personal and unique to each registered user; it cannot be shared and security is dependent on security policy.

[Diagram labels: Security, Registered User, Biometric Markers, Any User, Authentication Gateway, Protected Network.]

Figure 4-3 : Security focus in a biometric based security system

4.2.2 Factors Affecting Biometric Systems

Table 4-1 compares the three different authentication approaches discussed, with a selection of nine key authentication issues, ranking the three approaches of: What You Know, What You Have and What You Are, in order of their inherent ability to address each chosen issue: '1' being the most suitable and '3' being the least. Totals have also been included for mutual comparison of the issues raised. The table demonstrates that with these nine authentication issues, the inherent properties of biometrics clearly lend themselves to advanced authentication and although not ideal, with the approaches currently available and acknowledging possible contextual variations, present the most comprehensive set of results and therefore the best generic security solution.

[Table 4-1: rankings (1 = most suitable, 3 = least) of What You Know (Password), What You Have (Token) and What You Are (Biometrics) against nine authentication issues, with a cumulative total for each approach.]

Table 4-1 : Comparison of the three authentication categories, with a selection of key authentication issues

Notable by its absence, performance is dealt with separately later in the thesis. The remaining authentication issues raised in Table 4-1 and their relevance to mobile authentication and security will now be discussed in greater depth.

¹ Cumulative results are subjective and for mutual comparison only. No allowance has been given for specific contextual applications.


1. Intrusiveness: Can the technique be applied non-intrusively and continuously?

In addition to realising the security potential of biometrics, certain approaches have the added and very marketable benefit of being able to be performed transparently (see Section 4.3), increasing subscriber acceptability.

Non-intrusive identity-assurance is a key driver in the move towards advanced authentication systems and has a number of distinct advantages over the intrusive PoE techniques which still predominate in current entry systems:

• The ability to perform subscriber authentication continuously, reducing the security emphasis on any single authentication cycle failure; reducing false rejections, whilst maintaining identity-assurance.

• The user convenience of not having to suspend current activity to perform an authentication cycle; the system can perform re-authentication as security protocols dictate, again, maintaining identity-assurance.

2. Intimacy: Is the signature truly personal to the subscriber?

One of the fundamental properties of biometrics is the inherent intimacy of the physiological or behavioural markers, introduced in Section 4.2.1, which cannot be forgotten or mislaid any more than the registered user's head! Even if a user's personal biometric sample data is illegally intercepted, it would be extremely difficult to suitably reconstruct the template and present it appropriately to the relevant authentication system collector. This is in contrast to a knowledge-based approach, where although authentication data can potentially be personal in nature (mother's maiden name), it is not tangibly linked to the user and can be changed, transferred or re-assigned as conveniently as security protocols dictate.


2a. Distinctiveness: The possibility of somebody else adopting the same signature?

One of the recognised problems of password based authentication systems is the fact that many people can hold and share the same password. Company names and acronyms, computer names, family names and birthdays predominate in password lists everywhere; there are also some ubiquitous passwords which regularly crop up: 'God', 'password', 'sex' (Geodsoft 2005). It is accepted that all humans are different to some measurable degree, even superficially, all humans look and sound different, even twins. It is this inherent individual distinctiveness of humans and their biometric markers that biometric systems utilise in order to authenticate us. Although when taken as a whole, humans are highly distinctive, biometrics focus upon individual physiological or behavioural human traits which in isolation have varying levels of distinctiveness. This is discussed in Section 4.2.4.

2b. Transferability: Is the sensitive authentication data/sample transferable?

Extending the discussion on the personal nature of biometric markers (issue 2), biometric authentication data is non-transferable. As discussed in Section 4.2.1, with traditional knowledge-based and token-based authentication, the security lies solely in the password and hardware, respectively, which exists outside of the authentication system and can be applied by any user, regardless of security policy. In contrast, biometric markers cannot be separated from their host, except via surgical means, and hence biometric samples cannot be shared. Even if a legitimate subscriber wanted to allow a colleague access to their account on a biometrically protected system, they would still have to perform the authentication process themselves and ensure that the system security was not enforced continuously, else even a masquerade without ill intent would be quickly detected.


3. Vulnerability: Is the technique vulnerable to masquerade or brute force attack?

All authentication systems are vulnerable to some form of circumvention or brute force attack; biometric systems being no exception (Ratha et al. 2001a). The traditional password can be attacked in a number of ways: either through a social engineering (Granger 2001) probability (calculated guess) attack; or via a brute force (systematic attempt of every possible combination) attack (Smith 2002, pp.258, 274). Even assuming an attacker could simulate a user's biometric markers, or devise a way of presenting pseudo-biometric samples in an appropriate format to a biometric collector, biometric sample data is generally far more complex than traditional passwords. Dependent on the approach, biometric systems utilise up to one thousand individual unrelated markers, significantly reducing the chance of any trial-and-error attack producing an acceptable sample within an acceptable time.

Biometrics' vulnerabilities are explored in more depth in Section 4.2.5.

4. Permanence: Does the authentication data vary in any way?

Biometrics differ from conventional authentication mechanisms in that each authentication cycle produces a slightly different set of biometric samples: all biometrics are dependent to some degree on prevailing environmental conditions; the majority of physiological biometrics vary with age; and behavioural biometrics can change with the subject's mood. This is contrary to password and token-based systems where, once defined, authentication data does not change, unless changed deliberately. This unique property of biometrics is handled by allowing for the variability within either the biometric collector or a middleware architecture, capable of managing authentication thresholds and confidence ratings, rather than simple Boolean responses. This variability is also why biometric samples cannot be protected with a 'hash' function, in a similar way to static passwords.


5. Accountability: How accountable is the user for a signature breach?

Another major benefit of the intimate nature of biometrics' samples is the accountability of the authentication system. If a user is actively logged into a system, system administration can be confident that it is in fact the actual account subscriber that performed the login. In addition, if the security system enforces continuous authentication, it can be confidently assumed that the user online is the legitimate account user and not somebody masquerading in the account. This issue has further reaching implications than simple account access: with a reliable, continuously authenticating system, it will be possible to confidently substantiate the location of a particular person at a particular time. The privacy implications of this system behaviour will surely set a precedent in the near future.

6. Assignability: Can the signature be easily reassigned, if it is compromised?

The benefits realised from the intimate nature of biometric samples do not however present the full picture; biometric authentication does suffer a major complication. In the unlikely event of an attacker successfully compromising a user's authentication template, by whatever means, it is essentially impossible for the legitimate subscriber to change their own biometric markers without surgery. Whereas a password or token is as easily changed as a system's security policy allows, the possibilities for addressing a compromised biometric are more limited:

• Increase the resolution of the system by utilising additional markers.

• Tighten the authentication threshold(s); at the expense of increased false rejection of user(s) (see Section 4.2.3).

• Offer users alternative biometric approaches (see Section 4.3).


7. Selection Criteria: Can a subscriber choose an easily compromised signature?

It has been well documented that users of password-based authentication systems regularly compromise system security through the sharing, writing down and poor selection of passwords (Smith 2002, pp. 155-192). Although a system's security policy can enforce good password selection, this is generally at the expense of the user's ability to memorise a difficult authentication sequence and the subsequent impact on system administration and account recovery services. A biometric template is loosely synonymous with a traditional password of between ten and one thousand heterogeneous alphanumeric vectors, dependent on the approach chosen, which must be presented simultaneously to the authentication system. User registration on a biometrically protected system does not introduce the potential for human compromise. The user does not need to memorise anything, as the system determines the markers for the authentication template based solely on security.

4.2.3 False Match and False Non-Match Errors

The inherent variability of biometric markers (Section 4.2, Issue 4) and the subsequent variability of the samples generated by the biometric collector, gives rise to two characteristic percentage error rates (or likelihood of an error occurring), within a biometric system. These are:

• False Match Rate (FMR): Equivalent to the False Acceptance Rate (FAR) of a system. FMR is the probability that an impostor's biometric sample will falsely match the stored enrolment template of a random user (of a system).

• False Non-Match Rate (FNMR): Equivalent to the False Rejection Rate (FRR) of a system. FNMR is the probability that a biometric sample will falsely not match the stored enrolment template from the same user (of a system).


Synonymous with FAR and FRR, FMR and FNMR are mutually exclusive, in that as one error rate decreases the other tends to increase proportionally, giving rise to the EER (Equal Error Rate) where the two rates become equal. Figure 4-4 shows a theoretical ideal performance plot for FMR vs. FNMR, with both curves converging at zero percentage error; 't' representing the ideal threshold setting. There would be no point in setting a different threshold in the ideal case, as the EER is already at zero error and any variation of 't' would only increase FMR or FNMR system errors. In reality, a typical biometrics system will produce a plot similar to that shown in Figure 4-5, where the EER is above zero percent (Cope 1990). In this case, the system has to trade off FMR against FNMR, depending on the security requirements of the current operation.

Starting with a threshold setting equal to the EER of the system, 't' can be dynamically biased, towards either tighter security (at the expense of increased user inconvenience) or greater user convenience (at the expense of slacker security), dependent on the current operational scenario. For the system designer, FMR and FNMR curves are fundamental in managing the quality-of-service for the system end-users.
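The trade-off described above can be computed directly from a set of match scores. The following Python code is an added example, not code from the thesis: it sweeps the threshold from slack to tight, locates the EER, and then biases the threshold towards security or convenience. The score convention (a sample matches when its similarity score is at or above the threshold), the function names and the constructed score distributions are assumptions.

```python
"""FMR/FNMR curves, the EER and threshold biasing from match scores.

Added illustration (not code from the thesis). Scores are similarity values:
a sample matches when score >= threshold, so raising the threshold tightens
security. All names and the score distributions below are assumptions.
"""
import random


def constructed_scores(n=2000, seed=7):
    """Constructed sample data: genuine comparisons score higher on average
    than impostor comparisons, but the two distributions overlap."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.70, 0.10) for _ in range(n)]
    impostor = [rng.gauss(0.40, 0.10) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) at one threshold setting."""
    fmr = sum(1 for s in impostor if s >= threshold) / len(impostor)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def sweep_thresholds(genuine, impostor, steps=400):
    """Return [(threshold, FMR, FNMR), ...] ordered from slack to tight."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    curve = []
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        curve.append((t, *error_rates(genuine, impostor, t)))
    return curve


def equal_error_rate(curve):
    """Threshold at which the two curves cross, and the error rate there."""
    t, fmr, fnmr = min(curve, key=lambda p: abs(p[1] - p[2]))
    return t, (fmr + fnmr) / 2


def bias_for_security(curve, max_fmr):
    """Slackest setting whose FMR is at or below max_fmr."""
    for t, fmr, fnmr in curve:              # FMR falls as the threshold rises
        if fmr <= max_fmr:
            return t, fmr, fnmr
    raise ValueError("no threshold meets the FMR target")


def bias_for_convenience(curve, max_fnmr):
    """Tightest setting whose FNMR is at or below max_fnmr."""
    for t, fmr, fnmr in reversed(curve):    # FNMR falls as the threshold drops
        if fnmr <= max_fnmr:
            return t, fmr, fnmr
    raise ValueError("no threshold meets the FNMR target")


if __name__ == "__main__":
    genuine, impostor = constructed_scores()
    curve = sweep_thresholds(genuine, impostor)
    t_eer, eer = equal_error_rate(curve)
    print(f"EER setting   t={t_eer:.3f}  FMR=FNMR~{eer:.1%}")
    for label, (t, fmr, fnmr) in (
        ("high security", bias_for_security(curve, 0.01)),
        ("convenience  ", bias_for_convenience(curve, 0.01)),
    ):
        print(f"{label} t={t:.3f}  FMR={fmr:.1%}  FNMR={fnmr:.1%}")
```

With overlapping score distributions, holding FMR to 1% costs a much higher FNMR than the EER setting, and the reverse holds when FNMR is held to 1%.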

[Figures 4-4 and 4-5 plot the FMR (False Match Rate) and FNMR (False Non-Match Rate) curves against the Threshold Setting, running from (Slack) to (Tight), with the EER (Equal Error Rate) marked where the curves meet.]

Figure 4-4 : The ideal FNMR vs. FMR performance curve(s)

Figure 4-5 : Typical FNMR vs. FMR performance curve(s)

Table 4-2 below shows some typical EERs and commercial hardware solutions for the selection of biometric techniques, identified in Section 4.3, with currently the highest market shares (2004).

Biometric Technique       Market Share¹   Typical EER   Example Hardware Supplier (Product)       Internet Link: Supplier Homepage
-----------------------   -------------   -----------   ---------------------------------------   --------------------------------
Fingerprint               48%             1.5%          IDTeck Co. Ltd. (Finger007/x)             http://www.idteck.com
Speaker-recognition       6%              2.5%          Voice Security Systems (VoiceProtect®)    http://www.voice-security.com
Iris-scan                 9%              3.5%          Argus Solutions (TrueIdentity®)           http://www.argus-solutions.com
Hand-geometry             11%             4.5%          Recognition Systems Inc. (HandPunch®)     http://www.recogsys.com
Signature-recognition     2%              n/a           Softpro (SignPlus®)                       http://www.signplus.com
Facial-recognition (2D)   12%             7%            Identix Inc. (FaceIt®)                    http://www.identix.com

Table 4-2: Equal error rates of popular biometrics, by technology

4.2.4 Identification versus Verification

In further considering biometrics as a method of advanced authentication, there are essentially two distinct modes of operation:

• Biometric Verification (Authentication): "The automated process of assessing a claim that [submitted biometric sample(s)] and [stored biometric sample(s)] are from the same source." (ISO/IEC JTC1/SC37 2004)

• Biometric Identification: "The automated process of comparing [submitted biometric sample(s)] to return an identifier(s) of the source(s) of the matched [enrolment record(s)]." (ISO/IEC JTC1/SC37 2004)

¹ Extracted from Figure 4-7, the Pie-chart: Biometrics market-share, by technology (IBG 2004).


Both of these approaches utilise the same essential capture and comparison mechanism; the fundamental difference lies in the different strengths of the two approaches in the real world. In an ideal biometric authentication system, it would not matter which approach was adopted, as once the system had determined the identity of a user, it would be academic as to whom they claimed to be. In reality, biometric systems are not perfect and, if presented with the choice, the ability of a system to verify that the user is who they claim to be is preferable, from a security perspective, to an approach based on the probability of a best-fit user, not knowing in advance if the user under investigation is even enrolled on the system.

The issue is also raised as to the performance and subsequent cost of the authentication mode. Identification requires the system to essentially check the captured biometric sample(s) against every single user enrolment record (biometric template) stored in its database (one-to-many) in order to confidently formulate the strongest probable identity; also checking that this probability is above a pre-defined threshold for unknown users. This would require significantly more processing (powerful hardware) than verification which, on the other hand, can be performed in a single operation: does the captured biometric sample(s) exceed the authentication threshold for the enrolment record of the claimed identity (one-to-one). Within a mobile environment, all processing imparts a cost on the battery life and inevitable performance (time between charge cycles) of the mobile device, therefore it is crucial to justify whether an authentication process is PoE or continuous, terminal or network-centric (Section 2.3.7).
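The difference in cost and in failure behaviour between the two modes can be made concrete. The following Python code is an added example, not code from the thesis: it counts template comparisons for one-to-one verification and one-to-many identification, and applies the unknown-user threshold to an unenrolled subject. The feature vectors, similarity measure, threshold and user names are assumptions.

```python
"""Verification (one-to-one) versus identification (one-to-many).

Added illustration (not code from the thesis). Templates are short feature
vectors; the similarity measure, threshold and user names are assumptions.
"""
import math


class Matcher:
    def __init__(self, threshold):
        self.threshold = threshold      # minimum similarity accepted as a match
        self.templates = {}             # user id -> enrolment template
        self.comparisons = 0            # template comparisons performed so far

    def enrol(self, user_id, template):
        self.templates[user_id] = tuple(template)

    def _similarity(self, template, sample):
        """Map Euclidean distance to a score in (0, 1]; 1.0 is identical."""
        self.comparisons += 1
        return 1.0 / (1.0 + math.dist(template, sample))

    def verify(self, claimed_id, sample):
        """One-to-one: test the sample against the claimed identity only."""
        template = self.templates.get(claimed_id)
        if template is None:
            return False, 0.0
        score = self._similarity(template, sample)
        return score >= self.threshold, score

    def identify(self, sample):
        """One-to-many: search every record, then apply the unknown-user
        threshold so an unenrolled subject is not given the best-fit identity."""
        best_id, best_score = None, 0.0
        for user_id, template in self.templates.items():
            score = self._similarity(template, sample)
            if score > best_score:
                best_id, best_score = user_id, score
        if best_score < self.threshold:
            return None, best_score
        return best_id, best_score


def build_matcher(n_users=500, threshold=0.8):
    """Constructed database: user k is enrolled at a point on a 3-D grid."""
    matcher = Matcher(threshold)
    for k in range(n_users):
        matcher.enrol(f"user{k:03d}", (k % 10, k // 10 % 10, k // 100))
    return matcher


if __name__ == "__main__":
    m = build_matcher()
    sample = (3.1, 1.9, 4.05)           # constructed: user423 plus capture noise
    print(m.verify("user423", sample), m.comparisons)   # accepted, 1 comparison
    print(m.verify("user424", sample), m.comparisons)   # wrong claim rejected
    print(m.identify(sample), m.comparisons)            # 500 further comparisons
    print(m.identify((3.5, 2.5, 4.5)))                  # unenrolled subject: None
```

Verification cost stays at one comparison however many users are enrolled, whereas identification cost grows with the size of the database.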


4.2.5 Threats to Biometric Systems

It can be shown that biometric approaches present less risk in the areas of authentication attack when compared to traditional What You Know, What You Have based systems.

The classic risk to an authentication system is the masquerade attack, or convincing the system security that the actual user is in fact the legitimate user. Biometrics are not knowledge-based, consequently there is no transferable knowledge to hijack. Biometrics is not token-based (the user is not considered a token), therefore there is nothing tangible to steal; although it could be argued that certain dismembered body-parts could fit this category! Therefore, to masquerade undetected on a biometrics protected system, an attacker must essentially present themselves as a clone of the legitimate user, or at least produce biometric samples which beat any system confidence threshold; dependent on which biometric approach the system has in place (see Section 4.3). Biometrics authentication markers cannot be inadvertently lost or deliberately shared in the same way that passwords or physical tokens can (Section 4.2.1), each user template is unique to its owner and as such offers increased accountability.

The second significant risk to authentication systems is that of Trial-and-Error attack, sometimes referred to as Brute-Force attack. Again, biometrics present a significant obstacle to an attacker, as biometric templates are generally based on dozens of simultaneously captured, highly variable, loosely related samples, which cannot be guessed; compared to a password which is drawn from a set of alpha-numeric characters and although recommended against, usually arranged in a logical sequence (as words, names, sequential codes etc.). In addition, a well designed biometric system will employ a process known as seeding to ensure biometric sample(s) are in fact original and not replays of previous sample(s) (Ratha et al. 2001b). Certainly to the casual attacker, there is no easy or obvious way of defeating a biometric sentinel system.


The more determined attacker may attempt to literally steal a legitimate subscriber's identity and register themselves with a system, assuming the stolen identity; this is known as identity theft (Home Office 2006). Although identity theft essentially circumvents the authentication system completely, once system registration has been achieved, biometrics may present a solution in the form of behavioural profiling. If the security system had access to a behavioural profile for the claimed identity, a possibility in a network-centric security architecture (Section 2.3.7.2) of a large distributed network, such as a national mobile network operator, the system has a window of opportunity to flag the intrusion before any potentially defrauding profile refining takes place. If however, an attacker is determined enough and carefully chooses the identity of their victim, utilises social engineering techniques and chooses the identity of an authentication system/network with absolutely no knowledge of the person whose identity is being stolen, then only a traditional and thorough human-to-human interrogation has any real chance of identifying the fraud.

4.3 Biometric Techniques

Biometrics presents a selection of possibilities when it comes to the collection of biometric markers for an advanced authentication system. The possible approaches can generally be split into two categories:

• Physiological: Anatomical metrics or What you are,

• Behavioural: Behavioural metrics or How you are.

Physiological approaches such as fingerprint, face-recognition and hand-geometry still command the majority share of current commercial biometric systems, representing the more mature technologies. They are also more invariant and discriminative in comparison to the more transient behavioural approaches (Woodward et al. 2003, pp.45-100).


Although behavioural biometrics are not a new concept, the inherent need for an automated authentication system based on behavioural techniques can be linked with the growth of personal computing. A behavioural biometric that has witnessed massive growth in recent years is 'behavioural-profiling', although not specifically within the area of authentication, but within the area of targeted advertising; advertising based on an individual user's purchasing profile (Bisgaard-Bohr 2002). Another approach which has seen recent developments within the field of authentication is keystroke-dynamics (Joyce and Gupta 1990, Legget and Williams 1988), or one's typing style, along with the release of commercial applications like BioPassword (Link: BioPassword).

BioPassword is interesting in that it adopts a hybrid multi-modal approach to authentication, adding biometrics to an established and familiar password authentication mechanism, realising a What you type and How you type approach. This is an excellent application of biometric technology; it not only strengthens an authentication mechanism that the security industry has experience and confidence in, but also enables a soft deployment of biometric technology to consumers in a way less brutal than a novel, purely biometric approach.

The question can be asked, 'Is there a best biometric?'. This depends on the application environment and the task the user is currently engaged in, as each biometric's inherent qualities will lend themselves more to one particular circumstance than another. For example, although speaker-recognition may not be suited to application on either a loud factory floor or within a quiet library, it could be appropriate for telephony based authentication; whereas hand geometry (owing to the size of the collector) would not; behavioural profiling could be suitable for continuously monitoring an online banking site, whereas a user having to hold their eye against an iris-scanner would not.


The diverse nature of biometrics is well illustrated in the Zephyr diagram on biometric techniques, performed by the International Biometrics Group (Link: IBG) in 2004, and shown in Figure 4-6. The diagram illustrates the strengths and weaknesses of the various current biometric techniques and the subsequent importance of understanding and defining a system's environmental and application criteria in order to select the optimum technique. The IBG analysis was based on four criteria, selected by the group, to be of key importance to both the service provider and the user. These were:

• Intrusiveness: The level of intrusive interaction required (by the user).

• Distinctiveness: The level of uniqueness (of the biometric markers).

• Cost: The cost of deployment (primarily of the biometrics collector).

• Effort: The level of work required on the part of the user (for authentication).

[Figure 4-6 plots each technique (Keystroke-Dynamics, Face-Recognition, Hand-Geometry, Signature-Recognition, Retina-scan, Fingerprint, Iris-scan, Speaker-Recognition) against four criteria: Intrusiveness, Distinctiveness, Cost and Effort.]

Figure 4-6 : Zephyr diagram of key biometric criteria (IBG 2004)

As a reference, the Zephyr diagram includes the ideal biometric result, with all other techniques radiating from a central (worst result) point source. By inspection, it can be seen that no single current biometric technique approaches the ideal case scenario: although retina-scan exhibits highly distinctive samples, it is very intrusive and suffers the greatest cost to both the provider and the user; by contrast, although speaker-recognition is non-intrusive (convenient for the user), its biometric markers are indistinct and therefore vulnerable to increased false acceptance. The best generic result, with no significant weaknesses and moderate to good distinctiveness, remains the fingerprint; a result closely reflected in the technique's commercial success, shown in Figure 4-7.

Considering the uniqueness of the human subject, only a handful of biometric techniques have realised commercial success. Figure 4-7 gives a breakdown of the most commercially successful biometric approaches by technology for the year 2004, with their respective market shares (Link: IBG). By inspection, the more mature and well understood biometric markers command the greater market shares, with fingerprint(s) commanding nearly half the commercial market.

Figure 4-7 : Biometrics market-share, by technology (IBG 2004)

The next section of the thesis discusses current biometric techniques in more detail. The selected list is not considered exhaustive, as research within the field of biometrics is constantly realising novel biometric markers and sample collection techniques: an example of which is the Head Authentication Technique introduced in Chapter 5, along with some recent commercial approaches introduced in Sections 4.3.2 and 4.3.4.


4.3.1 Physiological Biometric Techniques

A literary summary of established anatomical or physiological metrics: What you are.

4.3.1.1 Fingerprint

The technique of fingerprint authentication is based on the fact that everybody's fingerprints exhibit different shapes of ridges and valleys, swirls and loops; even for identical twins. The discontinuities and irregularities, known as minutiae, form the basis of the oldest and most widely recognised biometric markers (Maltoni et al. 2003), dating back to 1858 (Herschel 1858). Fingerprint technology is by far the most commonly deployed biometric authentication system and offers a set of distinct advantages over other physiological biometrics:

• Mature and proven core technology.

• Time invariant discriminative features.

• Excellent economies of scale have driven down prices.

• Small ergonomic, easy to deploy devices.

• Scalable security, with the ability to utilise combinations of fingers.

Fingerprint based authentication systems are traditionally PoE only, requiring deliberate and intrusive interaction by the user with the system. Considering the strength and maturity of fingerprint recognition, its limitations have not hindered market dominance (see Figure 4-7); in fact the technique has experienced 14% market growth over the last five years (IBG 2004) and will likely remain the dominant biometric for some time.

Although fingerprint recognition's PoE security limitation does not lend itself to transparent or continuous authentication, the technique still lends itself to certain advanced mobile services, such as m-commerce, where transactions may only require a single authentication. This has prompted mobile suppliers like Sagem to pioneer the incorporation of a fingerprint scanner into a mobile handset (Sagem 2000), although to date only one network, NTT DoCoMo (Japan), has introduced a similarly equipped handset commercially; the F505i (NTT DoCoMo 2004).

4.3.1.2 Hand-Geometry

Utilising the same physiological source as fingerprints, i.e. the hands (and fingers), hand-geometry employs much coarser and less distinct biometric markers; as a consequence it does not scale well in isolation for identification or secure authentication. In application, the technique uses an image scanner (Link: Recognition Systems Inc.) to capture a featureless silhouette of the user's hand; biometric markers include measurements of the surface area of the user's hand and fingers, along with finger length(s) and width(s). Anything which can change the shape of the hand, such as large rings, injury or medical aids, can affect system efficiency and increase false rejection. Although the technique has halved its market share over the last five years (IBG 2004), the technique still proves commercially popular (see Figure 4-7), partly owing to its convenient HCI.

The continual drive within the mobile community for smaller lighter handheld devices sets up a conflict of interests with hand geometry technology. Owing to the markers employed (hand area), the required size of hand geometry scanners is restricted by the size of the human hand, making them inappropriate for application within the mobile arena. They are more commonly found in access control or Time & Attendance systems.

Early examples include the system employed at the 1992 Olympic Village in Barcelona, and more extensively 4 years later in Atlanta (Washington Technology 1996): more recently, Disney (Link: Disney) have employed a system for multi-day park passes.


4.3.1.3 Facial-Recognition (2-Dimensional)

Two dimensional facial-recognition systems are currently the second most popular commercial biometric with 12% of the market, a share which has remained relatively unchanged over the last five years (IBG 2004). The technique utilises the geometric placement of distinctive features within the human face as markers and offers a number of unique advantages over other biometric systems; it can:

• utilise existing acquisition devices;

• be applied non-intrusively;

• be applied without specific interaction with the biometric sensor;

• remotely search photographic records.

The biometric markers employed are those which exhibit the least variance over time: the size and position of the eye sockets relative to the nose and sides of the mouth (Nanavati et al. 2002, pp.63-75). Areas which can suffer significant variance are normally avoided, such as hair lines around the forehead and, for men, around the chin.

Although in principle all two dimensional facial-recognition systems utilise the same biometric source, there exist at least five competing systems:

• Eigenface utilises a set of around 115 common facial templates.

• Feature Analysis utilises sets of common facial features' locations.

• Neural-Network utilises a neural-network to classify prominent features in the full face. The PhD research technique proposed and subsequently discussed in Chapter 6, utilises a similar approach to sample analysis.

• Automatic Face Processing utilises geometric mapping of the face.

• Thermogram utilises a thermal image of the face produced by an infra-red camera.


Two examples of commercial facial-recognition products are: Imagis Technologies ID-2000 (2004) and Identix Face IT (2004).

One of the drivers for 3rd generation mobile networks is video conferencing (Sections 2.2.3.3 and 2.3.6). A mobile hardware requirement is therefore image capture capability which has the potential of enabling non-intrusive and potentially continuous face recognition technology to be employed when utilising a service which requires the user to interact with the screen and a suitably positioned camera, such as video conferencing or web browsing. Unfortunately this approach would be ineffective when the handset is used in the traditional telephony mode, still the predominant mobile application. This limitation is addressed by the HAT approach introduced in Chapter 5.

4.3.1.4 Iris-Scan

Iris-recognition technology utilises one of the most invariant biometric markers, the distinctive features of the iris or richly textured ring of pigmented membrane surrounding the pupil of the eye. The technique requires mapping of the trabecular mesh or complex pattern of unique furrows and ridges of the iris via the use of ophthalmologist-approved infra-red imaging technology beyond the range of human vision (Daugman 1998). The technique's primary strength is the amount of distinctive data within the iris, offering tremendous potential for reliable identification and secure authentication, far exceeding the error rates of the most commercially successful biometric approach; the fingerprint. However, perhaps owing to the complex authentication process, iris-recognition technology's market share has remained stable at a moderate 10% for the last five years (IBG 2004).


From a mobile perspective, the excellent security potential of the iris is offset by a number of factors, preventing it from realising market application to date. These are:

• The need for small, dedicated authentication hardware.

• The limited authentication range of the biometric sensor, usually only a few inches; although there have been research projects into advanced systems capable of identifying passers-by up to a distance of 10 metres (Zakaria 2003).

• The authentication process is intrusive and requires training.

• Some user apprehension towards eye-based technology.

Table 4-3 summarises the four principal physiological biometrics techniques identified in Figure 4-7 and discussed in this section, with a bias towards their inherent suitability for application within a small handheld mobile device; like a mobile handset.

Technique             Market Share¹   Non-Intrusive   Security Strength²   Template Size³ (in Bytes)   Mobile Application
-------------------   -------------   -------------   ------------------   -------------------------   ------------------
1. Fingerprint        48%             X               [not legible]        250                         Discrete⁴
2. Hand-Geometry      11%             X               [not legible]        10                          Unsuitable⁵
3. Face-Recognition   12%             [not legible]   [not legible]        1300                        Continuous
4. Iris-Scan          9%              X               [not legible]        500                         Unsuitable⁵

Table 4-3: Summary of physiological biometric techniques for mobile application

For a further in-depth discussion of the application of biometrics in the mobile arena and the suitability of the available techniques to the medium, refer to Section 4.4.

¹ Extracted from Figure 4-7, the Pie chart; Biometrics Market Share by Technology.

² Extracted from Figure 4-6, the Zephyr diagram: Key Biometrics Criteria.

³ Template sizes are not fixed, but represent typical sizes in current commercial systems.

⁴ Authentication performed deliberately at a specific point within an operation.

⁵ Owing to the size and inconvenience of the biometric collector.


4.3.2 Other Physiological Techniques

In addition to the market dominant physiological techniques discussed in Section 4.3.1, a number of less commercially significant techniques exist, with a cumulative market share of less than 1%; in addition to some novel techniques which are still in the conceptual stages of development.

Although an in-depth discussion of these techniques is beyond the scope of the thesis, they have been included here to demonstrate the diversity and breadth of the physiological biometrics field.

4.3.2.1 Retina-Scan

Retina-scan is the most well known and mature of the lesser biometrics, dating back to the 1930s, and the only technique to realise a successful (albeit limited) commercial application (Das 2005). It utilises an approach to authentication not dissimilar to the iris-scan discussed previously (Section 4.3.1.4), extrapolating a 2-dimensional map of minutiae points from an infra-red image of the blood vessels at the back of the eye; the membrane known as the retina. This produces a biometric template, similar to that of a user's fingerprint, though more secure owing to the internal nature of the biometric markers being less susceptible to deliberate modification or damage. Also, in the event of the subject's death, unlike fingerprint, the retina will deteriorate very quickly negating any need for life testing. Although producing invariable and highly distinctive markers, the technique is expensive to deploy and suffers from high user inconvenience (see Figure 4-6) and as a result, has only realised application in highly secure physical access areas, where security outweighs convenience; such as government buildings, military installations, power-stations and correction institutions.


4.3.2.2 Vein-recognition

Vein-recognition relies on the mapping of the vascular pattern of blood vessels in either the palm or the back of a subject's hand; not dissimilar, in principle, to the mapping of minutiae points of fingerprints. The technique utilises an infra-red camera to produce an image based on the absorption characteristics of the deoxidized haemoglobin (in the blood). The technique offers some advantages over other biometric techniques, as it:

• can be implemented without contact with the biometric collector (hygienic);

• is relatively resilient to minor surface abrasions;

• is relatively easy to capture biometric sample(s). The subject simply holds or passes their hand above or below the biometric collector;

• can be implemented non-intrusively, allowing for continuous monitoring, within a suitably designed system.

These tangible benefits make the technique particularly suitable for high-traffic access control areas (such as airports) or time & attendance systems (found particularly in industry), presenting a real alternative to less robust hand-geometry systems. Vein recognition technology is currently witnessing steady growth in the marketplace, realising a number of new commercial applications (Fulton 2005) (Link: Veid Ltd).

4.3.2.3 Facial-Recognition 3D

3D facial-recognition is an extension of the 2D system discussed in Section 4.3.1.3, utilising an additional depth plane. The technique constructs a 3-dimensional topological map of a subject's face, triangulating each point within a 3-dimensional plane, via audio reflections from two sonar style transceivers placed a short-distance apart and in front of the subject (Link: DuPont Authentication; A4Vision).


4.3.2.4 Ear-Geometry

Ear-geometry utilises distinctive characteristics of a print of the pinna, or visible part of the outer-ear, not dissimilar in principle to a fingerprint; an ear-print. The unique shape of the human ear is currently the subject of ongoing investigation (Hoogstrate et al. 2001), with various legal bodies investigating its admissibility within criminal courts (Morgan 1999). In the UK in 1998 a murderer was convicted based on ear-print evidence (BBC News 1998), leading to further investigation by the National Training Centre for Scientific Support to Crime in the UK (BBC News 1999). In 2001, Alphonse Bertillon, a respected pioneer of the science of human identification, pronounced the ear's uniqueness, stating, "It is, in fact, almost impossible to meet with two ears which are identical in all their parts." (Moenssens 1971, p. 17). It has even been suggested that the ear has more distinctive characteristics than the human face (Carreira-Perpinan and Sanchez-Calle 1995), although in balance, it has also been argued that there is no empirical evidence to support the claim that ear-shape is never duplicated (Morgan 1999).

4.3.2.5 Facial Thermography

Facial thermography refers to the pattern of facial heat produced from the distinctive flow of blood under the skin. The technique utilises an infra-red camera to capture a heat image of the subject's face, from which a biometric template is formed. Although the technique has the advantages of being suitable for non-intrusive, non-contact application, it suffers from highly variant metrics owing to the abundance of blood vessels in the human face. Factors which can affect the signature are:

• ambient conditions (such as temperature affecting sweat production);

• subject's mood or emotional state of arousal (such as anger);

• subject's medical state (such as sickness, medication or menopause).


4.3.3 Behavioural Biometric Techniques

A literary summary of established behavioural metrics: How you are.

4.3.3.1 Speaker-Recognition

Often confused with speech-recognition, speaker-recognition (aka voice-verification) utilises the physiological individuality of a user's vocal tract, including: vocal cords, palate, teeth and the shape and density of tissue, along with the inherently behavioural characteristics of speech enunciation, including: pitch, tone, volume and dynamic range (Woodward et al. 2003, pp. 101-136). Additional environmental factors, including: colloquial dialect, atmospheric conditions and elocution can also have an effect. Speaker-recognition is a true biometric, focusing on characteristics of who is speaking (from a security perspective): conversely, speech-recognition concentrates on the generic content of the speech, where diversity of biometric markers actually hinders system performance.

[Figure 4-8 places Speech Recognition and Speaker Recognition at opposite ends of a User Discrimination axis running from (Low - Generic) to (High - Distinct).]

Figure 4-8 : The mutually opposed goals of speaker and speech-recognition

The diagram in Figure 4-8 demonstrates the diametrically opposed goals of the two systems: Speaker Recognition performance is dependent on highly distinct samples; conversely, Speech Recognition performance is dependent on highly generic samples.


Speaker-recognition can be performed in two distinct modes of operation:

• Constrained: Text-dependent, via pre-determined words or phrases.

• Unconstrained: Text-independent, via free-speech.

Although unconstrained speaker-recognition offers a less intrusive user interface and the potential for continuous authentication, in use the restricted text of a constrained system has proven to offer reduced FMR and FNMR errors (Section 4.2.3) and has, to date, proven the more popular approach within the 6% market share of commercial speaker-recognition systems (Link: Persay Inc.; VeriVoice Inc.; Nuance Communications Inc.).

Within the mobile arena, speaker-recognition is inherently suited to telephony-based application¹, not only offering the enhanced non-intrusive security approach required by post-2nd-generation wideband networks, but also offering the opportunity to leverage existing acquisition hardware and existing mobile subscriber behaviour.

4.3.3.2 Signature-Recognition

Signature-recognition is an automatic authentication technique, derived from the established graphologist's art of hand-writing recognition, where it is possible to verify the identity of a person purely from their characteristic writing style. Although graphologists can claim to further determine a person's character traits solely from their hand-writing, signature-recognition focuses only on the verifiable characteristics of the user's writing style and separates the biometric markers into two groups:

• Static markers: Writing geometry, curvature, shape and histogram.

• Dynamic markers: Writing direction, speed, pen-up/down and pressure.

¹ Generic suitability in principle. In practice, mobile speaker-recognition is limited by factors including: handset microphone quality, security system centricity, voice codec, bandwidth of the medium.


Signature-recognition systems currently only command 2% of the biometrics market share (see Figure 4-7), reflecting the current market trend away from signature-based authentication, and towards the market-dominant and convenient password/PIN-based authentication in pre-enrolled systems. Some issues affecting signature-recognition are:

• relatively indistinct biometric markers (see Figure 4-6);

• debit cards' widespread replacement of signature-authenticated cheques;

• Chip'n'PIN's replacement of signature-authenticated debit/credit card receipts.

However, with the move towards PDA-style mobile devices (Section 1.1), more handhelds are appearing with palmtop-style touch-screens and stylus, enabling some leveraging of existing hardware and software, in the form of handwriting-recognition, for authentication purposes. A key issue is how far this particular HCI technology can penetrate the mass market of mobile handsets. Touch-screen technology is an expensive commodity and is highly unlikely to appear on a device for purely security purposes.

4.3.3.3 Keystroke-Dynamics

Keystroke-dynamics takes advantage of behavioural differences in typing style on any keyed input device, usually a computer-style keyboard or numerical keypad; the input device forming the access point to the protected environment. The behavioural markers are primarily the user's inter-key latency and hold-down latency, which have been shown to demonstrate unique personal properties (Joyce and Gupta 1990). In a similar way to voice-recognition, keystroke-dynamics can leverage existing hardware and be applied in two distinct modes of operation:

• Constrained: Text-dependent, via pre-determined words or phrases.

• Unconstrained: Text-independent, via free-typing.


A natural and commercially successful application of keystroke-dynamics is hardening existing password-based authentication systems; a hybrid multi-modal approach, adding biometrics to a mature authentication mechanism (Link: BioPassword). Although offering relatively indistinct biometric samples, keystroke-dynamics' non-intrusive nature enables it to continuously and cumulatively monitor a user's typing behaviour and, over time, statistically offset this vulnerability and reduce system authentication errors.
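As an added illustration (not code from the thesis or from any product it cites), the sketch below extracts hold-down and inter-key latencies from a constrained four-key entry, enrols a template, and keeps a cumulative score so that one atypical entry by the owner is tolerated while a sustained change in typing style is flagged. The event format, the z-score distance, the 2.0 threshold, the 0.3 smoothing factor and every timing value are assumptions constructed for the example.

```python
"""Constrained-mode keystroke dynamics with cumulative scoring (constructed example)."""
from statistics import mean, stdev

MIN_STD_MS = 5.0  # assumed floor so a very consistent feature cannot dominate


def extract_features(events):
    """events: [(key, press_ms, release_ms), ...] in typing order.

    Returns (hold_times, inter_key_latencies): hold = release - press,
    latency = next press - previous release (negative when keys overlap).
    """
    holds = [release - press for _, press, release in events]
    latencies = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds, latencies


def feature_vector(events):
    holds, latencies = extract_features(events)
    return holds + latencies


def enrol(samples):
    """Template = per-feature (mean, std) over repeated entries of the same text."""
    if len(samples) < 2:
        raise ValueError("need at least two enrolment samples")
    vectors = [feature_vector(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must be the same length")
    return [(mean(col), max(stdev(col), MIN_STD_MS)) for col in zip(*vectors)]


def distance(template, events):
    """Mean absolute z-score of one entry against the template (lower = closer)."""
    vec = feature_vector(events)
    if len(vec) != len(template):
        raise ValueError("entry length does not match the enrolled text")
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, template))


class CumulativeMonitor:
    """Exponentially weighted running score over successive entries."""

    def __init__(self, template, threshold=2.0, alpha=0.3):
        self.template, self.threshold, self.alpha = template, threshold, alpha
        self.score = None

    def observe(self, events):
        d = distance(self.template, events)
        if self.score is None:
            self.score = d
        else:
            self.score = self.alpha * d + (1 - self.alpha) * self.score
        return self.score <= self.threshold  # True = still consistent with owner


def make_entry(holds, gaps, keys="1234"):
    """Build constructed key events from hold times and inter-key gaps (ms)."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + holds[i]))
        t += holds[i] + (gaps[i] if i < len(gaps) else 0)
    return events


# Constructed timings in milliseconds for a four-key PIN; not measured data.
ENROLMENT = [make_entry(h, g) for h, g in [
    ([100, 95, 105, 100], [150, 160, 140]),
    ([110, 100, 100, 95], [140, 150, 150]),
    ([90, 105, 95, 105], [160, 140, 160]),
    ([100, 100, 100, 100], [150, 150, 150]),
]]
OWNER = make_entry([102, 98, 101, 97], [155, 145, 152])
OWNER_SLOPPY = make_entry([125, 115, 101, 97], [210, 145, 152])
OTHER_USER = make_entry([120, 115, 85, 112], [175, 125, 178])


def run_session(entries):
    """Return (single-entry distance, cumulative decision) for each entry."""
    template = enrol(ENROLMENT)
    monitor = CumulativeMonitor(template)
    return [(round(distance(template, e), 2), monitor.observe(e)) for e in entries]


if __name__ == "__main__":
    session = [OWNER, OWNER_SLOPPY, OWNER, OTHER_USER, OTHER_USER, OTHER_USER]
    for d, ok in run_session(session):
        print(f"entry distance={d:5.2f}  accepted={ok}")
```

In the constructed session the owner's one atypical entry exceeds the single-entry threshold but not the cumulative one, whereas the second user's entries push the running score over the threshold on their third attempt.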

With traditional 2nd generation mobile handsets, the use of mobile phonebooks all but eliminated the use of the keypad in day-to-day use. However, the introduction of wideband networks and their enabled online services has seen the evolution of the mobile handset into a device with similar capabilities to a PDA or palmtop computer (Section 1.1), with the associated human computer interface; this shift in technology re-enabling the possible application of keystroke-dynamics (Clarke et al. 2003).

Table 4-4 summarises the three principal behavioural biometrics techniques, identified in Figure 4-7 and discussed in this section, with a bias towards their inherent suitability for application within a small handheld mobile device, like a mobile handset.

| Technique | Market Share¹ | Non-Intrusive | Security Strength² | Template Size³ (in Bytes) | Mobile Application |
|---|---|---|---|---|---|
| 1. Speaker-Recognition | 6% | | | 2000+ | Continuous |
| 2. Signature-Recognition | 2% | X | | ~1500 | Discrete⁴ |
| 3. Keystroke-Dynamics | <1%⁵ | | | Unknown | Continuous |

Table 4-4: Summary of behavioural biometric techniques for mobile application

¹ Extracted from Figure 4-7, the Pie chart: Biometrics Market Share by Technology.

² Extracted from Figure 4-6, the Zephyr diagram: Key Biometrics Criteria.

³ Template sizes are not fixed, but represent typical sizes in current commercial systems.

⁴ Authentication performed deliberately at a specific point within an operation.

⁵ Inferred from Figure 4-7, the Pie chart: Biometrics Market Share by Technology.


4.3.4 Other Behavioural Techniques

In addition to the market-dominant behavioural techniques discussed in Section 4.3.3, a number of alternate techniques are under investigation. An in-depth discussion of these techniques is beyond the scope of the thesis and they have been included here to demonstrate, once again, the diversity and breadth of biometrics.

4.3.4.1 Service Profiling

Behavioural profiling is the process of determining the identity of a person via their characteristic interaction with a system. It can describe a path of activity taken by a user to achieve a specific goal, or the order in which a list of tasks is usually performed on a regular basis; forming a profile. An example may be: Check email, use cursor keys to scroll; read the news on BBC News website, use mouse to select topics; exit system, use shortcut keys. Although the process is not unique enough to perform user identification, in a multi-modal system its strength lies in the fight against fraud, with its ability to non-intrusively and constantly monitor a system's users and flag behaviour which is out of character (Rogers 2001), for further investigation.

4.3.4.2 Gait-Recognition

Gait-recognition is a spatio-temporal biometric which leverages existing CCTV camera deployment to classify subjects' walking patterns (gait and stride), for either Simple Harmonic Motion (SHM) or statistical Principal Component Analysis (PCA). Although unsuitable as an access technology, its potential resides within automatic surveillance systems which can be used to trigger additional security responses, such as CCTV recording or a silent alarm, if a flagged template is detected within a controlled area.

There are a number of DARPA research projects ongoing within this area (Link: ISIS(a)).


4.4 Biometrics and Mobile Handsets

The evolution of the mobile handset (Section 1.1) from a rudimentary telephony device into a multi-functional personal mobile computer has had repercussions within the field of mobile biometrics. Although physically smaller than traditional palmtop and laptop computers, mobile handsets now incorporate many of their advanced human computer interfaces, which biometric systems designers can lever in order to realise biometric security approaches previously impossible owing to the size and cost of the enabling hardware. Figure 4-9 illustrates the biometric approaches discussed in the previous sections that are relevant to application within a mobile handset.

[Figure 4-9: handset diagram pairing each hardware component with the biometric it enables: Camera: Iris-Scanning; Camera: Face-Recognition; Reader*: Fingerprint; Touch-screen*: Signature-Recognition; Keypad: Keystroke-Dynamics; Microphone: Speaker-Recognition. *Advanced features not necessarily available on the product shown.]

Figure 4-9 : Biometrics applicable to mobile handsets

With the addition of a high-resolution camera¹, initially for photographic use and later, with the introduction of wideband networks, for video conferencing, 2-dimensional face-recognition and potentially even iris-scanning are now a possibility.

¹ Pixel resolution of the CCD in the latest generation of mobile handsets is now realising 3 megapixels, with some specialist units reaching up to 6 megapixels (Grundig Mobile X5000).


Touch-screen technology from the PDA market, along with hand-writing recognition software, is enabling techniques such as signature-recognition. The improved dynamics of high-quality audio microphones, part of the 3rd generation rich-voice service (Section 2.2.3.3), is enabling speaker-recognition. Although the reduction in size of the handset has dictated the size of the keypad, this has not eliminated the potential for keystroke-dynamics; research in this area has shown that even using just thumbs there is still enough of a residual signature to perform authentication (Clarke et al. 2003).

[Table 4-5 body: the per-cell layout is not recoverable. Columns: Biometric Technique¹; Market Share²; Non-Intrusive; Security Strength³; Lever Existing Hardware; Mobile Application. Rows: Fingerprint (48%); Hand-Geometry (11%); Face-Recognition (2D) (12%); Iris-Scan (9%); Retina-Scan (<1%); Vein-Recognition; Face-Recognition (3D); Ear-Geometry; Facial-Thermogram; Speaker-Recognition (6%); Signature-Recognition (2%); Keystroke-Dynamics; Service-Profiling; Gait-Recognition. Values appearing in the remaining columns: ✓, X, Possibly, Limited⁴, Discrete⁵, Unsuitable⁶, Continuous⁷, n/a.]

n/a = information not available at time of writing

Table 4-5: Suitability of various biometric techniques to application within a mobile handset

¹ Techniques in bold are currently predominant within their particular discipline (see Figure 4-7).

² For the year 2004. Extracted from Figure 4-7, Pie chart: Biometrics Market Share by Technology.

³ Extracted from Figure 4-6, Zephyr diagram: Key Biometrics Criteria.

⁴ Leverage dependent on availability of advanced hardware.

⁵ Authentication performed deliberately at a specific point within an operation.

⁶ Owing to the size and inconvenience of the biometric collector.

⁷ Whilst within a suitable mode of operation, e.g. video-conferencing for face-recognition.

⁸ Requires the use of a suitable infra-red camera.


4.5 Assessing Subscribers' Attitudes towards Biometrics and Advanced Mobile Security

As part of the survey into public opinion of mobile telephony based security and related issues, covered in Chapter 3, four questions were composed to probe survey participants' understanding and views on a selection of advanced authentication issues, including the topic of biometrics. The following section is a discussion and interpretation of the results to these questions. A full copy of the survey is included in Appendix C, with biometrics and advanced security being covered in sub-Section 3.

4.5.1 Users' attitudes towards biometric authentication

Participants were initially asked how they basically felt about biometrics and more specifically their own biometric markers, being used for the purpose of mobile authentication. The available responses were: Good, Bad or Indifferent.

Figure 4-10 shows a majority of 83% of respondents expressing the view that it is a good idea in principle. If this total is combined with the 13% of respondents who expressed no definite bias either way, the total without obvious objection to biometric authentication being incorporated into mobile handsets is 96%; a significant positive result.

[Figure 4-10: bar chart; horizontal axis "Survey respondents", 0% to 100%]

Figure 4-10 : Survey respondent's acceptance of biometric authentication


4.5.2 User's awareness and understanding of biometric techniques

Having established that the majority of respondents were accepting of additional authentication measures, the survey proceeded to assess their preferences towards the forms that the authentication could take. Having determined that PIN-based protection is problematic at best, it is considered that other authentication methods based upon something the user knows (e.g. password) would be equally under-utilised, inconvenient or vulnerable to similar masquerade attack. The implication of this is that the most sensible route for improving authentication is to base the approach upon some form of physiological or behavioural characteristic. Focusing on proven biometrics, participants were questioned on two levels: firstly, their awareness of a range of proven biometrics (Polemi 1997), both physiological and behavioural, and secondly their willingness to use the respective techniques within a mobile handset. Figure 4-11 summarises the results.

[Figure 4-11: bar chart, vertical axis 0% to 100%, showing two series ("Aware Of" and "Would Use") for each technique: Fingerprint, Speaker-Recognition, Iris-Scan, Hand-Geometry, Face-Recognition (2D), Keystroke-Dynamics]

Figure 4-11 : Survey respondent's awareness and acceptance of biometric techniques

Having been known about for approaching 150 years (Herschel 1858) and forming the basis of police forensics for almost as long, the fingerprint received the greatest positive response in both the level of awareness and participants' willingness to use the technique. Although the technique suffers the disadvantage of not being able to lever existing mobile handset hardware, but requires the incorporation of a dedicated biometric collector, as discussed in Section 4.3.1.1, confidence in this technique has already been demonstrated with some limited commercial success, through NTT DoCoMo's fingerprint-enabled handset, the F505i (NTT DoCoMo 2004). However, the fingerprint does not naturally lend itself to non-intrusive implementation (Table 2-1), as the user traditionally needs to pass his/her finger over a scanner at discrete times within a process, such as at the checkout within an ecommerce operation.

Speaker-recognition was also rated highly by respondents in both awareness and acceptance. Performing almost as well as the fingerprint, speaker-recognition has attracted much attention through the media and computer software, in addition to the mobile telephone industry, albeit predominantly as a means of voice activation of services, rather than as a means of authentication. As speaker-recognition depends upon the distinctiveness of the human voice, the development of hardware to support the increased frequency and dynamic-range of 3G's rich-voice service (Section 2.2.3.3) will lend itself naturally to the employment of this technique. However, owing to the vulnerability of this technique to pre-recorded authentication data, this technique can only realise its potential within a continuously monitoring environment.

Out of the biometric techniques provided, it is iris-scan which received one of the best results. Generally being considered an esoteric biometric approach, it was recognised by 76% of respondents and acknowledged by over half of all survey participants as being an acceptable biometric approach to authentication. This was somewhat unexpected, as biometrics relating to the eye have traditionally been regarded with apprehension (IBG 2004). More unexpected was the result that iris-scan was not only more familiar than face-recognition, but also preferred by a significant 14% of respondents.


Of the remaining techniques, which received less than half of respondents' confidence vote, hand-geometry received the healthiest vote, with 49%. However, it would have been interesting to question the 43% of respondents, who agreed to having used it, about how they expected the technique to be realised in practice within physically diminishing handsets! With only a third of the votes, face-recognition was an unexpected fifth in popularity; it is worth remembering that at the time of the survey (during 2003), 3G was still undergoing testing and commercial video-conferencing was generally confined to desktop-computing. Although keystroke-dynamics naturally lends itself to non-intrusive authentication, facilitating a continuously monitored environment during appropriate keypad-oriented activity, the technique's indistinct biometric markers (Figure 4-6) generally consign the approach to a support role within a multi-modal security system.

Caution should be exercised when drawing any conclusions from these results, as it is likely respondents may have responded more positively to those techniques with which they were already familiar, or which are proven in the eyes of the general population. For example, fingerprints have long been known to provide a means of successful and reliable identification, long before any forms of electronic scanning.

The point, therefore, is not to regard the results as a conclusive attitude towards one technique over another. The key observation that can be made is that, in support of the previous question, all techniques were considered favourably by at least 25% of respondents, and if a particular technique were to be implemented that was less well known, a degree of re-education and awareness raising would be necessary before wide-scale acceptance.


4.5.3 User's impression of continuous authentication

One advantage certain biometrics offer when compared to the PIN technique, is that they offer the potential for authentication to be performed on a continuous basis rather than as a one-off, usually PoE, judgement. Respondents were, therefore, asked whether they considered continuous authentication during mobile service usage to be acceptable; with the possible responses again being: Good, Bad or Indifferent.

The results, shown in Figure 4-12, reveal that 61% of respondents considered continuous authentication to be a good idea, which if accumulated with the indifferent respondents in a similar way to Section 4.5.1, gives a healthy 83%. Accepting that these 83% of users would likely be unwilling to regularly break their normal mobile activity to perform manual authentication, as discussed previously (Table 4-5) certain non-intrusive authentication techniques clearly lend themselves to this task more than others, such as:

• Speaker-recognition: talking is still the top activity on mobile handsets.

• Face-recognition (2D): with the introduction of mobile video-conferencing.

• Keystroke-dynamics: with the popularity of mobile texting (SMS).

• Service Profiling: for security, rather than targeted advertising.

[Figure 4-12: bar chart; horizontal axis "Survey respondents", 0% to 100%]

Figure 4-12 : Survey respondent's acceptance of continuous authentication


4.5.4 Storing biometrics' templates

For all authentication techniques, including the PIN, a template needs to be stored as a reference, so as to enable the comparison with new authentication input data. The final objective of the survey was to establish users' opinions on where they would prefer their biometric template(s) to be stored; either in the handset and the responsibility of the subscriber, or in the network and the responsibility of the network operator. In Section 2.3.7, the advantages and disadvantages of terminal vs. network-centric security profiles were discussed in detail, with the conclusion that a network-centric solution ultimately offered the more elegant and powerful solution.

Where a preference was expressed, survey respondents clearly favoured the profile being stored in the handset, with 50% of respondents selecting this option. By contrast, 33% favoured the network and 17% had no preference. The discussion in Section 2.3.7 highlights that this issue is in fact far more complex than simply a matter of privacy, but systematically affects issues such as personal mobility and corporate liability. It would be wise, therefore, to acknowledge that as respondents were not explicitly made aware of all the issues, perhaps a part of this result is biased by respondents' ignorance of the holistic view and the benefits a network-centric solution can in fact offer.

[Figure 4-13: bar chart; horizontal axis "Survey respondents", 0% to 100%]

Figure 4-13 : Survey respondent's preference for biometric-template storage


4.5.5 Conclusion

This chapter presented an introduction to the area of biometrics and biometric security, with a bias towards the authentication system within current 2nd generation (GSM) mobile telephony handsets.

Much research has already gone into developing biometric techniques into practical systems, and many are already employed as alternative authentication methods within the desktop PC environment. For example, 9% of respondents to the 2001 CSI/FBI Computer Crime and Security Survey claimed to use biometric security technologies (CSI 2001). In the year 2000, Sagem were one of the first commercial companies to incorporate biometric authentication into a mobile handset: a fingerprint scanner within the back panel of the Sagem MC959 (SAGEM 2000), this technique being more recently incorporated into NTT DoCoMo's F505i (NTT DoCoMo 2004) handset in Japan. Although many biometric approaches would have traditionally required the incorporation of dedicated capture hardware, the move towards wideband 3rd generation handsets and services is enabling operators to complement the existing PIN-based system with a more powerful continuously monitored authentication system, through leverage of the new advanced services enabling hardware. For mass-market devices component cost is a major consideration; handset prices are already heavily subsidised by network operators in the current business model in order to keep the start-up cost down for the consumer, at the expense of buying into a contract.

It is the consumers in today's market that dictate the success or failure of a product, so some accommodation for their attitudes and opinions is not only wise, but fundamental.


The user survey continued from Chapter 3 addressed consumer views on the topic of advanced authentication and biometrics, with strong support for the more popular and familiar biometric techniques, and good overall support for biometrics in general.

Since none of the biometric techniques discussed can provide non-intrusive authentication under all possible scenarios, it would seem logical that a hybrid multi-modal authentication system presents ultimately the best solution, drawing on a number of non-intrusive techniques as the first line of security, with perhaps the PIN (or some other knowledge-based methods) providing traditional PoE security and a fallback line of defence, if required.

In the next chapter, an innovative authentication technique appropriate to mobile application is introduced, which in addition to leveraging existing mobile hardware, presents a completely novel hybrid approach to biometric authentication, utilising both the physiological composition of a user's head along with the behavioural characteristics of the speaker's voice to realise a unique biometric sample. The technique is known as the Head Authentication Technique.


Chapter 5

Conception of the Head Authentication Technique


5 Conception of the Head Authentication Technique

Security deficiencies within the current mobile authentication methodology, highlighted in previous chapters, are not themselves a product of the growth in mobile communications; they have always been present. It is the growth in data services, enabled by developments in mobile communications infrastructure, which has resulted in the imbalance in security commensurate with the services they are now expected to protect.

This chapter introduces a novel biometric technique conceived to redress this imbalance. Building on the biometric approach proposed in Chapter 4, and the advanced authentication findings (Section 4.5) of the security survey covered in Chapter 3, the proposed technique levers existing mobile HCI behaviour to enable a unique multi-modal approach where selected physiological and behavioural characteristics work in symbiosis. The technique is known as the Head Authentication Technique.

5.1 Introduction

The Head Authentication Technique (HAT) was conceived out of the established need (Section 2.3) for an effective and reliable authentication system, capable of continuously verifying the claimed identity of a user accessing the advanced voice-activated services of a wideband mobile network¹, usually through use of a compact mobile handset. The main requirements, from both an academic and commercial perspective (Orange PCS), were for a novel authentication approach that could deliver the following four key security advancements:

¹ The PhD requirement, as defined by the research's industrial sponsor, specifically targeted the data services enabled by 3rd generation wideband mobile networks: Orange PCS (Link: Orange).


• Improved user-identity verification, through use of more unique and personal authentication templates.

• Non-intrusive authentication; authentication transparent in use to the network user, enabling an authentication cycle to be initiated at will by either an application, a security sub-system or the network operator.

• Continuous authentication; overcoming, for example, circumvention of the traditional PoE authentication request by simply not turning the device off.

• Capable of leveraging existing mobile hardware, and recasting it into additional security roles, such as facial recognition through use of mobile video conferencing hardware.

To further elaborate on these requirements: improved user-identity verification can only realistically be achieved through use of more personal user authentication data. The discipline of biometrics naturally lends itself to this task, providing various proven techniques (Section 4.3) designed and refined to distil unique personal physiological and/or behavioural characteristics from a human subject. Biometrics also offers the added benefit of a selection of current techniques capable of passive implementation, not requiring the conscious interaction of the subject, conveniently providing a path to the second research requirement of a non-intrusive authentication system. Non-intrusive authentication is itself a pre-requisite of a usable continuous authentication system, thus mutually addressing the third research requirement. The fourth requirement, for a solution suitable for application specifically within a mobile device, preferably utilising the established tools of that context, was fundamental in defining the scope of the research, and although tempering many otherwise promising authentication solutions, did ultimately realise the original and novel approach of HAT.


Once it was established that biometrics theoretically offered the best research area from which to draw a solution, as an intellectual exercise preceding any development work on a novel biometric approach, all known biometric techniques¹ were reviewed in depth (Section 4.4), with a view to potentially leveraging attractive and/or relevant features into a mobile context. During a number of brain-storming sessions many new and original ideas were considered outside of their original design context, such as keystroke dynamics on a mobile handset keypad using only one's thumbs (acknowledging the phenomenal growth in SMS), or the more controversial (though not entirely novel) idea of human Radio Frequency IDentification (RFID) 'SIM' chip implants (BBC News 2004); similar in principle to the established procedure of electronic animal tagging (Link: Biomark). By taking the idea of applying established biometric approaches out of context to the extreme, selected biometric techniques were considered completely outside of their traditional operational envelopes. If applied in unconventional ways, certain biometrics theoretically offered a novel lease of life, such as voice-recognition where biometric samples are captured at a user's ear, rather than traditionally at the mouth. It was from these sessions that a set of head authentication approaches based on sound (covered in Section 5.3.2.2) was conceived and submitted for patent approval (see Appendix I): one of these approaches was developed through proof-of-concept into HAT.

5.2 The Human Ear and Auditory Analysis Techniques

The Head Authentication Technique utilises the ear as part of a multi-modal biometric approach. Although the HAT process itself is original, identifying a person by some unique characteristic of their ears alone is not, and an example of this is discussed after a description of the human ear and its natural acoustic partner, the voicebox.

¹ Including: established commercial (e.g. Fingerprint, Hand geometry), developmental (e.g. 3D facial recognition, Gait recognition), and experimental (e.g. Ear geometry) techniques.


5.2.1 Hearing and Anatomy of the Human Ear

The human ear is a bi-functional organ, containing structure for both the primary sense o f hearing, and the bodies balance organs. The structure o f the human ear extends up to

60mm into the average adult head and is connected to the brain by the eighth cranial nerve (the vestibulocochlear nerve), carrying nerve impulses for both o f the aforementioned functions. A young and healthy ear has an operational frequency range o f approximately 20Hz to 20,000Hz' and a dynamic range o f about 100 decibels (see

Figure 5-7). With reference to Figure 5-1, the human vocal range is restricted to the frequencies 80Hz to 7000Hz, with the natural spoken voice covering the narrower band,

80Hz to 300Hz (Baken & O r l i k o f f 1999): trained operatic (singing) voices cover the extended frequency range 80Hz to 1400Hz (Link: Vocalist).

Dog

Human (Old)

Human (Young)

Soprano

Contralto

Tenor

Baritone

Bass

Spoken Voice

Vocal Range

10

Auditory

Ranges

100

Operatic Voices

Frequency in Hertz

Figure 5-1 : Frequency ranges of the human vocal and auditory systems

Physiologically, the ear can be divided into three basic parts, defined by their function:

• Outer-ear: Collection and channelling of sounds into protected middle-ear.

• Middle-ear: Translation and amplification of sound waves into vibrations.

• Inner-ear: Filtering and transmission of individual frequency data to the brain.

¹ Over time the ear's upper frequency limit naturally degrades, reaching around 15KHz by age 60 years.

[Figure 5-2 diagram labels: Pinna, Vestibulocochlear Nerve, Ear-drum, Outer Ear, Middle Ear, Inner Ear]

Figure 5-2 : The anatomy of the Human Ear

The actual function of hearing is caused by sound pressure waves striking the pinna, or external structure of the outer-ear (see also Section 5.2.2), where they are channelled into the auditory canal and down to the tympanic membrane, commonly referred to as the ear-drum. The ear-drum forms an air interface between the outer-ear and the semi-sealed air-filled cavity of the middle-ear. The middle-ear contains a triplet of small bones (unique to mammals) called the ossicles, referred to in Latin as the Malleus, the Incus, and the Stapes; sometimes called the Hammer, the Anvil and the Stirrup, owing to their shapes. The Malleus is attached directly to the ear-drum, and the triplet forms a mechanical linkage evolved to amplify the pressure wave at the ear-drum by a factor of around 22 times (in a healthy ear), converting it from a mechanical wave into vibrations for transmission into the cochlea. The cochlea is part of the inner-ear and comprises a fluid filled spiral canal separated by a membrane called the basilar membrane which contains tens of thousands of small hairs divided into four rows of inner and outer hairs. The outer hair cells (OHC) receive input from the brain influencing their motility and the sensitivity of the cochlea to differing amplitudes of sound. The OHCs are also the source of the auditory response anomalies known as otoacoustic emissions (see Section 5.2.3.1). The inner hair cells (IHC) provide the primary neural output of the cochlea. The hairs are all of slightly different lengths and individually have natural sensitivity to specific frequencies. When the frequency of the compression wave in the cochleal fluid matches that of an IHC, the cell induces a unique electrical impulse in the auditory nerve; collectively, these impulses are interpreted by the brain as sound.

¹ Adapted from an original image located on the 'New York State Disabilities Awareness' website.

5.2.1.1 The Eustachian tube

The Eustachian tube performs the vital role of maintaining the compliance of the ear-drum, by balancing the pressure in the air-cavity of the middle-ear with the outside air pressure: it also forms the most direct link between basic HAT's two sample capture points: the mouth and the ear. The tube directly connects the middle-ear to the upper nasal cavity, and contains a selective valve which opens and closes to balance the internal and external air-pressure; this can sometimes be felt as the familiar 'popping' sensation when large changes in air-pressure are experienced in a short period of time.

Leading up to the effect, the subject will also usually notice a reduction in hearing efficiency caused by the pressure imbalance reducing the compliance of the ear-drum and the efficiency of the middle-ear apparatus. A similar effect can be experienced when the Eustachian tube becomes blocked due to infection, such as a cold, and is unable to equalise the pressure: the unnatural (unbalanced) middle-ear pressure at these times can also, in extreme cases, lead to dizziness and headaches.


5.2.2 Ear-prints and 'earology'

Almost a century before fingerprints were first used as a mode of identification, Johann Caspar Lavater (1741-1801) (Link: Lavater), Theologian and physiognomist, had been working on the 'individualization in the design of the human ear', a practice which came to be known as 'earology'. In the 1960's Alfred Iannarelli, a deputy sheriff in the United States, tried to turn the concept of ear-identification into a recognised science, devising an ear-print classification system and writing the first book dedicated solely to the subject, "Ear Identification" (Iannarelli 1964). Although Iannarelli's work and ear-prints in general have never been widely accepted by the scientific community, recent cases within the criminal justice system have brought the subject of ear-prints and ear-print classification to the fore.

In October 1991, in the first case of its type in the United States, ear-print evidence was used to convict David Kunze of aggravated murder, burglary and robbery (Morgan 1999). At the Court of Appeals, the conviction was later overturned after essential ear-print evidence, previously deemed admissible by the judge, was subsequently ruled "unsafe". The change was primarily due to forensics expert witness testimony describing the ear-print technique as "not generally accepted" as a form of forensics due to the discipline being in its infancy (CoA 1999). The case did however highlight the first appearance of ear-print evidence in a court of law.

In a similar burglary and murder case in the UK in 1998, Mark Dallagher was convicted of unlawfully killing an elderly lady after the prosecution showed that ear-prints on a newly washed window could only have been left by the accused as he listened for movement inside the house (BBC News 1998). The case set a precedent and following the conviction, the British police force, through association with the National Training Centre for Scientific Support to Crime Investigation (NTC-SSI) (Link: NTC), pioneered a national database of ear-prints to provide evidential support linking suspects to crime scenes, in a similar procedure to fingerprints (BBC News 1999). Since the database was started, police have investigated over 100 cases of ear-prints at crime scenes.

The importance of these developments in relation to the research is the formal recognition of the unique nature of the outer-ear, or pinna (Figure 5-2), which forms part of the physiological authentication chain affecting the biometric template produced by the Head Authentication Technique.

5.2.3 Auditory Evoked Responses & Otoacoustic Emissions

In the Introduction, HAT was presented as an authentication system borne out of the novel application of selected established biometric disciplines in unconventional ways. Possibly the closest recognised field to the proposed research approach is the clinical auditory diagnosis technique of Otoacoustic Emissions (OAE), part of the broader discipline of Auditory Evoked Responses (AER).

An Auditory Evoked Response can be described as activity within the auditory system (consisting of the ear, the auditory nerve and the brain) that is produced or excited by acoustic stimuli. Major AER techniques like Auditory Brainstem Response (ABR) and Electro-cochleography (ECochG) rely on a 'brain response' to a specific stimulating sound to produce their output. Although they do not require explicit subject interaction, from an overall research perspective the dependence of these techniques upon medical procedures unsuitable for translation into a distributed mobile environment ruled out further research into the procedures: specifically their dependence on multiple skin-contact electrodes strategically positioned on the subject's forehead.


OAEs depend upon similar non-interactive stimuli to the generic AERs but differ in one major area: their stimuli delivery and data collection procedure depends on a single transducer device positioned in the subject's outer-ear. As this is the natural position of a mobile handset when being used for a traditional voice call, the procedure warranted further investigation within the context of the research.

The investigation into OAEs was conducted with the dual research objectives of investigating the technique's potential for re-engineering and deployment within a security orientated role or as a potential enabling technology for a novel biometric authentication approach. To achieve these objectives, the investigation was performed on three levels:

• A familiarisation with OAEs' operational medium, the human ear (Section 5.2.1).

• An investigation into OAEs in their various forms, and the enabling technology.

• A practical evaluation of OAEs, through tests at a suitably equipped local hospital in order to experience and assess OAEs' real-world potential from a user's perspective. This was performed at the Ear, Nose and Throat (ENT) department of Derriford Hospital, Plymouth, UK.

5.2.3.1 Introduction to OAEs

Discovered in 1978, by Dr. David Kemp (Hall 2000, pp.9-14), Otoacoustic Emissions are a relatively new field of audiology. The emissions are a spontaneous and naturally occurring bio-mechanical process caused by the compression and rarefactions of air in the ear canal (of a person with normal hearing ability), by inner-ear stimulation of the ear-drum (Figure 5-2). The difference between OAEs and the normal reactions of the ear-drum to the functions of breathing, speaking and the beating of a heart, is that OAEs originate from the rows of outer hair cells (OHC) in the cochlea of the inner-ear (Section 5.2.1). Travelling sound waves entering the cochlea which are not entirely absorbed by the inner and outer hair cells build up and eventually can no longer be completely contained within the cochlea. This process causes the OHCs in the cochlea to scatter energy back to act upon the middle-ear apparatus, where it is relayed to the ear-drum producing the reactive sounds within the ear canal known as OAEs.

The medical discipline of OAEs is the retrieval and analysis of these natural responses to artificially shaped acoustic stimuli, and is used to complement the traditional and well-established audiogram in the diagnosis of auditory problems. Although OAEs are produced solely by the outer hair cells of the cochlea, the technique can also reveal the condition of the ear-drum and middle-ear apparatus, by producing recognisable responses for specific auditory problems, including:

• congenital hearing loss;

• abnormal middle-ear function;

• dysfunction of the nerve cells in the cochlea.

In common with biometric techniques for authentication (Section 4.2.2), normal OAEs vary over time. The primary factors influencing OAE variance and performance are:

• Age.

• Gender.

• Body temperature.

• State of arousal.

• General condition of the ear apparatus.

• Additional medical conditions and/or medication.


5.2.3.2 Capturing OAEs

In order to record the OAEs, a probe containing an earphone and microphone is fitted into the ear canal of the outer-ear. As the emissions would otherwise dissipate in the freely moving air of the ear-canal, the probe must make an air-tight seal with the outer-ear, isolating the small trapped volume of the ear canal and producing internal pressures up to an audible 30dBs. The probe, which is connected to an OAE analyser (currently of similar size to a laptop computer), delivers the auditory stimulus and the response to the stimulus is measured by a microphone in the probe tip. As the OAEs derive from the originating stimulus, they are synchronised and contain the same frequencies, only delayed by a few milliseconds, due to the slower travelling wave in the cochleal fluid: in addition, subjects' left and right ears exhibit a high degree of correlation.

5.2.3.3 OAE Stimuli

Although the inner-ear will apply the same effective transfer function to all acoustic stimuli, otoacoustic emissions can be divided into two broad categories; spontaneous emissions and artificially evoked emissions, where:

• Spontaneous Otoacoustic Emissions (SOAE) are the naturally occurring emissions from the normal everyday uncontrolled stimulation of the acoustic world. These emissions, caused perhaps by a car driving past, are rarely used for analysis purposes, and thus are not pursued further within the research.

• Evoked Otoacoustic Emissions (EOAE) are the emissions occurring as a direct result of a tightly controlled artificial stimulus. Evoked emissions are grouped according to their type of acoustic stimulus, which can be varied in frequency, intensity, spectral shape and duration according to the requirements of the analysis and the condition (response) of the subject's ear.


There are generally three accepted forms of evoked OAEs, divided by stimuli:

• Transient Evoked Otoacoustic Emissions (TEOAE) are generated by a series of short duration tone-bursts, heard by the subject as clicks. Each click is a combination of overlapping frequencies designed to stimulate those hair-cells in the cochlea sensitive to the respective frequency. Owing to the relatively poor signal-to-noise ratio of TEOAEs, accuracy is highly dependent on the averaging of a suitably large set of test data, and the upper test frequency is limited to 4000Hz. The average time needed to perform the otoacoustic analysis using this technique is 1-2 minutes (Grason-Stadler ca.2000).

• Chirp Evoked Otoacoustic Emissions (CUEOAE) are an evolution of TEOAEs protocols, where the stimulus is engineered to provide an improved system signal-to-noise ratio. The 'chirp', which consists of a short frequency sweep, produces similar emissions to the 'click' (of TEOAEs), but contains a lot more energy for the same amplitude (Newmann 1997), reducing analysis times to less than 1 minute (Grason-Stadler 2000).

• Distortion Product Otoacoustic Emissions (DPOAE) are emissions generated by a series of close ratio primary tone pairs (where FR = F2/F1 = 1:1.2), presented in an ascending or descending frequency pattern. When the pure tone pairs arrive at the cochlea, they stimulate their respective groups of hair cells, setting up vibrations in the hair cells located between the two groups. These additional vibrations generate a third tone, known as the distortion product or intermodulation product. DPOAEs exhibit a far better signal-to-noise ratio than TEOAEs, are therefore more efficient at producing reliable results and can test frequencies up to 8000Hz. The average time needed to perform an otoacoustic analysis using this technique is 30 seconds (Grason-Stadler 2000).


5.2.3.4 A Practical Evaluation of OAEs for an Authentication Role

In March 2002 arrangements were made for the author to experience a series of otoacoustic tests first hand, to be performed at the Ear, Nose and Throat (ENT) department of the local hospital: Derriford Hospital, Plymouth, UK. The aim of the tests was to assess OAEs' practical potential for reassignment from an auditory diagnostics role to a user authentication role, both from a technological viewpoint and from a public acceptance viewpoint. With the authentication objective firmly in mind, the test environment was also conducive to conceiving alternate research ideas, utilising OAE techniques as donor technology.

As stated in Section 5.2.3.1, otoacoustic emissions rely on a healthy auditory chain from the ear-drum to the hair cells in the cochlea of the inner-ear. It is therefore standard procedure to first ascertain the normal working function of both the middle-ear and inner-ear via alternate established test procedures, in this case the tympanogram and the audiogram respectively. All auditory tests took place in a closed sound proof room, with an ambient noise level less than 10dBs. Tests were conducted in the following order:

• Tympanogram for ear-drum and middle-ear function.

• Audiogram for IHC (hearing) and inner-ear function.

• OAE tests for OHC and full auditory chain function.

5.2.3.4a Tympanogram

The Tympanogram is used to detect disorders of the tympanic-membrane or ear-drum and the triplet of small bones comprising the middle-ear (Figure 5-2). The test involves inserting a tight fitting probe into each ear, then pressurising and rarefying the air within the ear-canal in order to test the mobility of the middle-ear apparatus, detecting disorders such as a perforated ear-drum, detached ear-drum or middle-ear fluid ingress.

[Figure 5-3 image: Middle-Ear Analyzer tympanometry screening printout; axes in ml and daPa]

Figure 5-3 : Clinical Tests - Tympanogram

Figure 5-3 shows the tympanogram for the right-ear. The result shows a typical response for a normal ear, symmetrical around room pressure and indicating that the:

• eustachian tube is clear and the middle-ear is correctly at outside air-pressure;

• ear-drum is responding appropriately to pressure waves input in the ear-canal;

• ear-drum is correctly seated at the juncture between the outer and middle-ear, forming a compliant pressure seal with the outside air-pressure;

• small bones of the middle-ear are mutually connected and moving normally.

5.2.3.4b Audiogram

The audiogram is the traditional hearing test and is used to reveal the condition of the inner hair cells (IHC) of the cochlea (Section 5.2.1), after determining normal middle-ear behaviour. The test can be performed via either bone-conduction or air-conduction, the latter being the more prevalent where the subject wears a set of good quality 'full cup' headphones. The test consists of a frequency sweep of discrete pre-selected pure tones into each ear at random time intervals in the frequency range 250Hz to 8000Hz; the approximate frequency range of the human voice box. The subject either acknowledges receipt of each tone via pressing a button on a handheld unit, or not if the tone went unheard. The random nature of the inter-tone time interval excludes guesses.

[Figure 5-4 image: Department of Audiology audiogram form with right and left ear panels against frequency (Hz)]

Figure 5-4 : Clinical Tests - Audiogram

The audiogram result is shown in Figure 5-4, and indicates all frequencies between 250Hz and 8000Hz were detected successfully at less than a test amplitude of 10dBs, with only a slight reduction in sensitivity in the right ear at around 500Hz. Results up to 20dBs are considered normal, making this an excellent result, indicating healthy cochlea function: the IHCs are functioning across the full test frequency spectrum showing no signs of auditory abuse or premature aging, transmitting the appropriate impulses into the auditory nerve which are being received and correctly interpreted by the brain.


5.2.3.4c Otoacoustic Emissions

Having established normal function of the middle-ear and IHCs of the inner-ear via the tympanogram and audiogram respectively, the OAEs test can be performed on the outer hair cells (OHC) of the cochlea. The testing required the insertion into the ear canal of a suitably selected bung in order to form an air-tight seal with the outer-ear enabling pressurisation of the ear canal. The test equipment available to the ENT department at the time was an ILO88 OAE analyser (one of the first and most popular OAE analysers) utilising two simple air tubes passing through openings in the bung and into the OAE analyser, retaining the transmission and reception circuits within the analyser. Being an early device, the analyser utilised the original technique of TEOAEs detailed previously, averaging over time a discrete frequency sweep from 500Hz to just over 4000Hz, with transient click stimuli of 1ms duration at a pressure of 3 Pascals.

[Figure 5-5 image: ILO88 OAE Analyser QuickScreen printout for the right ear, with stimulus and response panels]

Figure 5-5 : Clinical Tests - Otoacoustic Emissions

Figure 5-5 shows the result of the OAE test. By inspection, the 'Response Waveform' indicates the clear presence of OAEs in response to the click 'Stimulus', indicating healthy cochlea OHCs and middle-ear function. Test duration was 1 minute 14 seconds.


5.2.3.4d Clinical Tests Conclusion

In association with the resident audiologist, the clinical tests proved a highly valuable exercise with regard to the research. The OAEs tests highlighted a number of important points which, in their current form, precluded TEOAEs from meeting the research requirements outlined in Section 5.1. In order of severity the precluding points were:

• All OAE techniques rely upon the insertion of a hermetically sealed probe into the subject's ear canal.

• The resultant unnatural and uncomfortable pressurisation of the subject's ear.

• A normal test duration cycle in excess of one minute.

• The need for a quiet environment for the collection of usable OAE data in an acceptable time; around 1 minute for a normal clinical diagnosis.

The outcome did however justify the exercise, as the tests spawned the concepts which shaped the future direction of the research. The Head Authentication Technique was developed from the following ideas borne out of the OAE clinical tests:

• Biometric templates derived from acoustic stimulation of bio-matter.

• The use of the voicebox as an internal stimulus; in the range 50Hz to 8000Hz.

• The capture of biometric sample data at a subject ear.

• The bio-matter between a subject's voicebox, their mouth and their ear(s) providing the source of variance in the stimulus.

The next section of the thesis explores these concepts in more detail, and introduces the fundamental principles for the head authentication technique, including the intellectual property which came to be included in the patent protecting the research.


5.3 The Human Head and Acoustic Head-Recognition

The head is the most visually individual and distinctive aspect of the human body, providing the primary form of post-natal¹ person-to-person identification. Collectively, it contains many unique biometric markers, which humans are capable of assimilating instantly and continuously, comparing the visual data (from persons in 'line of sight') with a memory of templates stored in the brain. Many of the current biometric approaches also harness the authentication potential of the human head:

• Behavioural techniques, by definition, are dependent on the brain, with any respective physiological traits having only a minor influence².

• Physiological techniques based on some property of the head include: face recognition, face-thermography, iris-scan, retina-scan, ear-print (Section 4.3.1).

The Head Authentication Technique takes a completely original and novel approach to the subject of authentication. With the exception of face-thermography, current head sourced biometric approaches are based on individual visual aspects of the head, a natural progression of the primary form of human identification. HAT however, uses sound rather than light to authenticate a user; producing a biometric template based on the spectral variance introduced by the human head on an acoustic stimulus, not an artificially generated stimulus such as OAEs use, but the richly complex stimulus of the human voice. HAT simultaneously captures and compares two separate samples of the sounds produced by the larynx (henceforth referred to by its common name, the 'voicebox') situated in the throat, recorded at two separate locations on the subject's head: the mouth (when talking) and the outer ear. It then compares the average amplitudes at multiple frequency points to produce a biometric 'absorption' template. The principles supporting this approach are detailed in the following subsections.
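The two-point comparison described above, sketched as an added example (it is not code from the thesis or from HAT itself): it averages the amplitude at several frequency points for a mouth and an ear recording, stores the per-point level drop in dB as the 'absorption' template, and fails closed when too few points carry voice energy. The sample rate, frequency points, head profiles, threshold and all function names are assumptions, and the recordings are constructed signals.

```python
import math
import random

RATE = 16000        # assumed sample rate in Hz
FRAME = 320         # 20 ms frames, so analysis bins fall every 50 Hz
POINTS = [250, 500, 1000, 2000, 3000, 4000]   # assumed frequency points (Hz)
THRESHOLD_DB = 1.5  # assumed accept/reject threshold
MOUTH_FLOOR = 1e-3  # below this the voice carries no usable energy

# Constructed head profiles: mouth-to-ear level drop in dB at each point.
HEAD_A = {250: 6, 500: 9, 1000: 14, 2000: 20, 3000: 24, 4000: 30}
HEAD_B = {250: 8, 500: 13, 1000: 11, 2000: 25, 3000: 20, 4000: 34}


def goertzel_amplitude(frame, freq):
    """Amplitude of the `freq` component of one frame (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / len(frame)


def average_amplitudes(signal):
    """Mean amplitude at every frequency point over all whole frames."""
    frames = [signal[i:i + FRAME]
              for i in range(0, len(signal) - FRAME + 1, FRAME)]
    return {f: sum(goertzel_amplitude(fr, f) for fr in frames) / len(frames)
            for f in POINTS}


def absorption_template(mouth, ear):
    """Level drop in dB from mouth to ear at each point; None where the
    voice had too little energy at the mouth for the ratio to mean anything."""
    m, e = average_amplitudes(mouth), average_amplitudes(ear)
    return {f: (20.0 * math.log10(m[f] / max(e[f], 1e-9))
                if m[f] >= MOUTH_FLOOR else None)
            for f in POINTS}


def distance_db(enrolled, probe):
    """Mean absolute difference in dB over points usable in both templates."""
    shared = [f for f in POINTS
              if enrolled[f] is not None and probe[f] is not None]
    if len(shared) < 3:
        return float("inf")   # too little evidence, so fail closed
    return sum(abs(enrolled[f] - probe[f]) for f in shared) / len(shared)


def verify(enrolled, probe):
    """Accept the probe only if it lies within the threshold of the enrolment."""
    return distance_db(enrolled, probe) <= THRESHOLD_DB


def simulate_capture(head, seed, loudness=1.0, frames=25, silent=()):
    """Constructed two-point recording: each voiced frame appears at the
    mouth and, attenuated by the head profile, at the ear, plus sensor noise."""
    rng = random.Random(seed)
    mouth, ear = [], []
    for _ in range(frames):
        amps = {f: 0.0 if f in silent else loudness * rng.uniform(0.3, 1.0)
                for f in POINTS}
        phases = {f: rng.uniform(0.0, 2.0 * math.pi) for f in POINTS}
        gains = {f: 10.0 ** (-head[f] / 20.0) for f in POINTS}
        for n in range(FRAME):
            parts = {f: amps[f] * math.sin(2.0 * math.pi * f * n / RATE + phases[f])
                     for f in POINTS}
            mouth.append(sum(parts.values()) + rng.gauss(0.0, 1e-4))
            ear.append(sum(parts[f] * gains[f] for f in POINTS)
                       + rng.gauss(0.0, 1e-4))
    return mouth, ear


if __name__ == "__main__":
    enrolled = absorption_template(*simulate_capture(HEAD_A, seed=1))
    same = absorption_template(*simulate_capture(HEAD_A, seed=2, loudness=0.4))
    other = absorption_template(*simulate_capture(HEAD_B, seed=3))
    print("enrolled template (dB):", {f: round(v, 1) for f, v in enrolled.items()})
    print("same head, quieter speech:", verify(enrolled, same))
    print("different head:", verify(enrolled, other))
```

Because the template is a ratio of the two capture points, the loudness and content of the speech cancel out and only the path through the head remains, which is why the quieter probe from the same constructed head still matches.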

¹ Up to the age of 2 months, infants identify their parents primarily using the senses of smell and sound.

² The physiological effects on a behavioural biometric will be increased if physiological defects exist.


5.3.1 Anatomy of the human head

The biometric authentication principles utilised by HAT are dependent upon the way sound propagates through the human head. HAT's biometric template is essentially a record of spectral variance on a band-limited acoustic stimulus introduced at the base of the head, and measured at the head's two natural sound interfaces with the outside world: the mouth and the (outer) ear. To understand what is happening to the sound waves as they propagate through the head, it is necessary to understand the biological composition of the head.

[Figure 5-6 image labels: Eustachian Tube, Nasal Cavity, Tongue, Voice-box]

Figure 5-6 : MRI vertical bisection of a human head

One of the best ways to dynamically look inside a healthy living head for research purposes is using Magnetic Resonance Imaging (MRI)¹. MRI is a technique for creating cross-sectional images, or slices, of opaque organs inside of living organisms (Hornak 2006). Figure 5-6 shows an MRI vertical bisection of a human head.

¹ MRI's correct title is Nuclear Magnetic Resonance Imaging (NMRI). It was found however that, within medical practice, the term 'nuclear' encouraged a negative client image and is therefore usually dropped.


The head forms the upper part of the human body. The front (ventrum) contains the face, with organs enabling four of the five senses and associated physiological biometrics (Section 4.3.1): the head is also the repository of the brain enabling all behavioural biometrics (Section 4.3.3). The bones which encase the majority of the human head, of which there are in excess of 20 plates, are collectively called the skull, and separately the mandible or jawbone; in addition to enabling eating and chewing, the jawbone is fundamental to the formation of speech. The majority of the skull is filled with the brain, one of the largest and the most important organs in the human body. The brain is important to HAT, not directly for its mental capacity but, as with the other elements of the head, for its physical characteristics and the resultant effect on the propagation of the sound waves which describe the HAT template.

5.3.1.1 Propagation of sound waves in the head

Sound is the propagation of pressure waves through any compressible medium. Within the complex heterogeneous structures of the head, sound waves are accelerated, decelerated, reflected, refracted and attenuated; dependent upon the physical characteristics of the individual elements of transition. The principal properties affecting the behaviour of the waves in the head elements are:

• Volume.

• Mass.

• Density.

• Temperature.

• Stiffness/Viscosity.

• Humidity (in air).

• Frequency of the wave.


The first three of these elements, volume, mass and density, are closely related and are described by the following equation:

\[ \rho = \frac{m}{V} \]

Where:

ρ is the density of the medium (in Kg/m³)

m is the total mass of the object (in Kg)

V is the total volume of the object (in m³)

The speed of sound propagation through media is dependent on the physical state of the matter (solid, liquid, gas), but is fundamentally a property of density: plus stiffness in a solid, viscosity in a fluid and temperature and humidity in air. For a dispersive medium like the head, the speed of sound is generally described by the equation:

C =

Where:

C is the speed of sound (in m/s)

C is a coefficient of: stiffness in a solid; viscosity in a fluid

ρ is the density of the medium (in Kg/m³)

By inspection, the speed of sound increases with the stiffness or viscosity of the material, and decreases with the density. Although an in depth discussion on the speed of sound in media is beyond this text, and comprehensively covered elsewhere¹, an awareness of the principles governing the speed and propagation of sound in various states of matter helps the reader appreciate the underlying principles of HAT.

¹ E.g. Speed of sound: Wikipedia online encyclopaedia @ http://en.wikipedia.org/wiki/Speed_of_sound


Following on from the previous discussion, Table 5-1 (Cala et al. 1981) shows the relative densities and associated effect on the speed of sound for a selection of the biological media which compose the human head.

Component              Density (Hounsfield units¹)   Speed of sound (m/s @ 15°C)
Air                    -1000                         340
Fat                    -50                           1450
Water                  0                             1480 (fresh)
Brain                  +34                           1541
Soft tissue (muscle)   +40                           1540
Blood                  +25                           1570
Bone (skull)           +1000                         4080

Table 5-1: Relative densities of the biological components of the human head

The research work that culminated in HAT also realised a number of notional derivatives which, although not pursued as part of HAT, are part of the intellectual property associated with the work, and as such are covered in the research patents (see Appendix I). The alternative techniques are based upon essentially the same principles of induced variances in acoustic stimuli, but using artificially created stimuli.

5.3.2 Acoustic biometrics of the human head for user authentication

Early investigations into acoustic head authentication realised a number of different conceptual approaches. The adopted technique, which came to be known as the Head Authentication Technique, was the result of preliminary evaluations of the various techniques, and represents a distillation of the best ideas into a single approach.

¹ The Hounsfield unit, named after Sir Godfrey Hounsfield, is a measure of density relative to water, and more commonly used in medical circles than Kg/m³. The human body is between 55% and 60% water.


5.3.2.1 Acoustic Stimuli

It was realised early on that for any acoustic technique to be truly transparent to an end user, any sounds introduced into the head had to be, at best, completely undetectable and at worst, effectively non-intrusive in order to maintain an acceptable Quality of Service (QoS). This premise resulted in three possible approaches.

5.3.2.1a Out-of-band stimuli

Out-of-band stimuli are sounds that exist outside of the natural audible frequency and/or dynamic range of the human ear. A healthy ear has a broad, essentially linear¹, dynamic range extending from below 20dBs (a whisper) up to 140dBs (a gunshot); illustrated in Figure 5-7. It is impractical to attempt to site an acoustic stimulus outside of this range.

[Figure 5-7 image: bar chart of the intensity of common sounds (whisper, rain, talking, city traffic, hairdryer, rock concert, chainsaw, personal stereo, pneumatic hammer, gunshot). Source: www.dangerousdecibels.org]

Figure 5-7 : Intensity of common sounds encountered by the human ear

In frequency terms, although it is possible to produce suitable infrasonic or ultrasonic frequencies, the question once again is whether it would be practical. There are a number of potentially contentious issues surrounding this approach for the hardware supplier, the network operator and the user. Respectively, these issues are:

• Hardware Cost: What would be the additional hardware cost (if any), for transducers and microphones capable of working at the extended frequencies at either end of the audible spectrum?

¹ The dynamic range of the human ear is non-linear outside of the range 40dBs to 110dBs.


• User Acceptance: What would be the commercial impact of an operator introducing a technique that could be perceived by the general public as a possible health risk? Even if it were scientifically proven, through trials, that introducing ultrasonic pulses into the head was safe, one only has to cite the ongoing 'Can mobile phone radiation cause cancer?' debate (BBC News 2005) to realise that it is just as important for users to perceive a technology as being safe as it is for the designers and operators to prove it is such.

• Health Risks: What would be the actual impact upon users' health (if any), of exposing them to extended periods of infrasonic or ultrasonic energy? How long would the clinical safety trials take before the approach could be certified as safe?

5.3.2.1b In-band Stimuli

In-band stimuli are sounds that can exist within the operational frequency and/or dynamic range of the human ear (Figure 5-1) yet remain effectively non-intrusive. This can be achieved in either of two ways:

• Low Intensity: Although it is possible to produce conceivably non-intrusive low intensity stimuli (<20dBs), the practical use of these sounds is minimal. Low intensity sound carries minimal energy and would need to be administered over long periods of time in relative silence to have a chance of propagating effectively through the head. This approach was therefore ruled out on a practical level.

• Short duration: In considering short duration high energy pulses, it is important to recall that, for a given energy, amplitude and time are inversely related: as pulse duration is reduced, in order to maintain the same energy level, the intensity of the pulse must increase proportionally or, once again, the pulse would not have sufficient energy to propagate effectively through the head. These pulses would sound similar to OAE style clicks and would be highly detectable by the user and therefore negatively impact on the system's QoS over a period of time.


5.3.2.1c Naturally Occurring Stimuli

Natural stimuli are those sounds produced naturally by the body itself, and in terms of the research refer to the sounds made by the voicebox. If the voicebox is used as the stimulus, it positively addresses many of the concerns cited for the other approaches:

• Talking is a natural process and cannot be considered intrusive to a user (of a voice-activated mobile service) when harnessed as an acoustic stimulus.

• Being non-intrusive (when used in normal conversation or for voice-activated mobile services) the voice carries a large amount of energy, in the order of 10,000 times more than low intensity sounds of less than 20dBs, containing sufficient energy to propagate throughout the head.

• Sounds from the voicebox are naturally harmless and are perceived as such.

• Current mobile acoustic hardware (microphones, transducers) are designed to efficiently handle the human voice, and as such can potentially be levered as part of the authentication process.

5.3.2.2 Authentication Approaches

Once the decision was made to use the body's two natural acoustic interfaces of the mouth and (outer) ear as the capture and/or stimulus input locations, it was necessary to further select one of four possible input/output permutations of the technique for the proposed research solution. All four approaches effectively harness the same acoustic variations of a stimulus, as a result of the composition of the human head. The final decision was therefore also subject to the suitability of each solution to the proposed application of mobile communications. Each of the different approaches is included within the intellectual property of the patents (see Appendix I), and further described in the subsections that follow.


5.3.2.2a Artificial stimulus: Ear-in, Ear-out

This approach is not dissimilar in outward appearance to OAEs (Section 5.2.3.1): a stimulus is introduced into the outer ear, dynamically monitored at either ear, and compared to the original reference waveform to determine a consistent quantifiable variance. The concept is illustrated in Figure 5-8. Artificial stimuli have the advantage of proactive triggering, in contrast to reactive triggering of naturally occurring stimuli.

Figure 5-8 : Acoustic authentication using artificial stimulus: Ear-in, Ear-out

5.3.2.2b Artificial stimulus: Ear-in, Mouth-out

Although it may be possible to non-intrusively introduce stimuli into the outer-ear, this approach relies on the user opening their mouth in order to capture the propagating waves at a mouth-microphone. Figure 5-9 illustrates the principle. By definition, a non-intrusive technique cannot prompt a user to perform an action like opening their mouth, therefore this approach removes artificial stimuli's main advantage over natural stimuli, proactive triggering of the authentication process. This makes the approach inefficient and impractical for continuous monitoring: the alternative of the user opening their mouth on a signal from the authenticating system would make the system intrusive and inappropriate for the research.


Figure 5-9 : Acoustic authentication using artificial stimulus: Ear-in, Mouth-out

5.3.2.2c Artificial stimulus: Mouth-in, Ear-out

This approach, illustrated in Figure 5-10, has the advantage of being more robust than the previous approach: as the mouth (in isolation) has no means of detecting sound, the stimulus can therefore contain more energy without being intrusive. However, the approach still suffers the same arguments as the previous approach, where the user must consciously open their mouth in order for authentication to be performed. This approach therefore has to be considered intrusive and inappropriate for the research.

Figure 5-10 : Acoustic authentication using artificial stimulus: Mouth-in, Ear-out


5.3.2.2d Natural stimulus (Voicebox): Ear-out, Mouth-out (HAT)

Early experiments to prove the concept of acoustic head authentication used artificially created pure tones (sine waves). These were introduced at the mouth and collected at the (outer) ear, in order to verify the existence of any acoustic variance due to the head against a clean reference. With the knowledge of the various arguments discussed in Section 5.3.2.1, however, it was decided that the best long-term solution for the research was to pursue the approach of natural stimuli utilising the complex sounds produced by the human voicebox. The decision eliminated any choice of application permutations as the approach naturally defined its own operational parameters: the stimulus propagating up from the voicebox, with monitoring at the subject's mouth and ear, as shown in Figure 5-11.


Figure 5-11 : Natural voicebox stimulus approach to acoustic head authentication

The human voicebox (larynx) is located in the front of the neck and contains the vocal cords, a pair of membranes stretched across the wind-pipe (trachea), which vibrate when air from the lungs is expelled over them modulating the air-flow and producing distinctive sounds (phonation) at the mouth. The vocal cords have a frequency range of 80Hz to 7000Hz, with the natural spoken male voice covering the range 80Hz to 200Hz, the female voice 160Hz to 300Hz (Baken & Orlikoff 1999); trained 'operatic' voices cover the range 80Hz to 1400Hz, illustrated in Figure 5-12.


[Figure 5-12 image: bar chart on a logarithmic Frequency (Hz) axis from 10 to 10000, showing the Full Vocal Range, the Operatic Voices (Soprano, Contralto, Tenor, Baritone, Bass) and the Spoken Voice (Female Voice, Male Voice).]

Figure 5-12 : The frequency ranges of the human voice (voicebox)

Utilising the voicebox as a natural stimulus for acoustic head authentication offers a number of significant advantages over deliberate and artificial stimulation; these are:

• The voicebox presents naturally occurring and harmless acoustic stimulation to the head. HAT is essentially utilising an untapped resource.

• Voicebox stimulation is not only safe, but cannot be perceived as anything other than safe by users; the propagating wave energy being present in the head every time we speak, whether harnessed or not.

• The acoustic spectrum of an individual's voicebox is different for every user, increasing system security. As the HAT process is a function of the head and NOT of the stimulus, this variable stimulus is an asset and not a complication.

• The voice easily contains sufficient energy to propagate throughout the head, without the need to mask the stimulus in any way.

• Mobile hardware is naturally configured for operation at vocal frequencies.

In balance, voicebox stimulation does however suffer one obvious limitation:

• The user must be vocalising for authentication to be performed. HAT does not therefore naturally lend itself to authentication during use of purely data services.


5.4 Conclusion

This chapter defined the research requirements for a novel authentication technique designed to redress the imbalance of mobile security commensurate with the data and services the security is designed to protect.

This chapter summarised the investigative and decision process that led to the identification of a novel biometric option based on a natural multi-modal approach, where selected physiological and behavioural characteristics work in symbiosis. Having considered all the arguments for and against the various permutations of acoustic head authentication, the final option chosen for development utilises naturally occurring vocal stimuli in a unique ear-out, mouth-out monitoring arrangement. The technique came to be known as the Head Authentication Technique (HAT).

In conceptual terms, HAT addresses all of the research's requirements, offering the following key security advancements:

• Improved user-identity verification.

• Non-intrusive authentication, transparent in use to the network user.

• Continuous authentication, not just PoE.

• Capable of leveraging existing mobile hardware into additional security roles.

The HAT technique was proven in preliminary tests to realise unique quantifiable authentication data. In the next Chapter, the HAT process is broken down into discrete stages, which are described in detail, along with some rationalisation of the key developmental decisions which led to the final HAT architecture.


Chapter 6 : Realisation of the Head Authentication Technique

Chapter 6

Realisation of the Head Authentication Technique


6 Realisation of the Head Authentication Technique

The Head Authentication Technique is a novel biometric technique developed specifically for application in mobile devices and conceived out of an investigation into numerous original advanced authentication ideas discussed in Chapter 5.

This chapter discusses the Head Authentication Technique in depth; introducing and explaining each discrete stage of the HAT authentication process. The chapter also discusses the developmental process which led to the final HAT architecture, along with an alternative architecture, and explains the reasoning behind some of the key research direction decisions.

6.1 Introduction

HAT is a multi-modal biometric technique capable of continuously and transparently verifying the claimed identity of a user accessing the advanced¹ data services of a wideband mobile network. This novel technique harnesses the natural symbiotic relationship of the 'behavioural characteristics' of the human voice stimulating the 'physiological anatomy' of the head. The resultant activity is monitored at separate locations on the head and a hybrid biometric template extrapolated from multiple spot-frequency spectra analyses between the data streams.

¹ When compared to the data services of a traditional 2nd generation mobile network.

The key to the HAT authentication process is the unique way in which the human head is classified through natural audio stimulation. The research realised two distinct methods of processing the separate audio data streams:


• The Absorption method utilises variations in spectral amplitude between discrete spectra of the audio data stream introduced by the propagation path.

• The Correlation method utilises temporal delays between discrete spectra of the audio data stream introduced by the propagation path.

Although each of these two methods is discussed in the following sections, it was the absorption method that ultimately proved to offer the better solution, and it was this method which was developed into HAT and refined within the HAT demonstration tool.

A discussion of the correlation method nonetheless is justified, as it defends the decision to develop the absorption method, offers supporting evidence for some of the findings in the absorption discussion, and suggests a possible area for future work.

6.2 The Head Authentication Absorption Method

The absorption method of head authentication employed by HAT is a novel way of extracting a unique biometric template from a user's head, through use of a single source stimulus, and multiple audio data streams captured from discrete locations on a user's head. The process is broken down into five distinct stages of operation:

1. Capture multiple voice stimulated PCM audio data streams. Basic HAT¹ utilises two external capture points: the Mouth and the Ear.

2. Filter each data stream discretely at multiple pre-selected frequencies using a high roll-off, narrowband FIR filter. Basic HAT adopts twenty-five spot-frequencies.

3. Absorption calculation; the difference in RMS (Root-Mean-Square) energy between captured waveforms at each spot-frequency. Basic HAT compares discrete mouth and ear frequency pairs.

¹ 'Basic HAT' in this context defines the minimum operational requirements of the HAT tool. HAT does however have the potential of increasing both the number of sample capture points and the effective system resolution (number of spot frequencies); see future work in Section 8.3.


4. Analysis of the RMS absorption difference output, by feeding the resultant data array into a pre-trained (for authentication) neural-network. The training data for the HAT neural-network consisted of one of the data sets collected during the HAT field trials in Chapter 7.

5. Classification of the neural-network result by comparison with a preset authentication threshold. The HAT authentication threshold was determined using a second data set collected during the HAT field trials in Chapter 7.

These five stages of the absorption method are also shown schematically in Figure 6-1.

[Figure 6-1 image: block diagram. Stage 1 Capture (Mouth, Ear), Stage 2 Filter (Mouth, Ear), Stage 3 Absorption, Stage 4 Analysis (Neural-Net), Stage 5 Classification (Threshold).]

Figure 6-1 : The five discrete stages of the HAT (absorption) authentication process

The HAT software tool (see Section 7.2.2.2) additionally safeguards users against false rejections (Section 4.2.3) by applying a soft lock-out, where the user has to fail a predefined number of authentication cycles before being rejected by the system. This is only made possible by the continuous and non-intrusive nature of the head authentication process employed by HAT.


6.2.1 Stage-1 Capture HAT Sample Data

As introduced in Chapter 5, HAT takes advantage of different acoustic responses to natural vocal stimuli, produced by the voicebox, at different locations on the human head, due to the propagation effects of longitudinal waves in bio-matter (Section 5.3.1). The two most easily accessible acoustic locations to monitor the propagation effects inside the head, due to the voicebox stimulus located in the neck, are at the mouth and the outer-ear; HAT captures its samples from these two locations as illustrated in Figure 6-2.

[Figure 6-2 image: headset diagram labelled Isolation Cup, Ear Microphone, Mouth Microphone and Voicebox.]

Figure 6-2 : The HAT Headset microphones configuration

Development of the first HAT headset placed the ear microphone inside of an isolation cup (Figure 6-2), minimising:

• side-tone¹ cross-contamination;

• microphone misalignment with the ear canal;

• extraneous noise;

• headset discomfort for the trial users.

¹ Side-tone is the sound heard at the ear due to sound uttered at the mouth. Although usually active in nature, in this case, side-tone refers to unwanted propagation between mouth and ear via the air-path.


[Figure 6-3 image: flowchart. Start, then Stage-1 (Capture Mouth waveform, Capture Ear waveform), leading to Stage-2.]

Figure 6-3 : HAT Stages flowchart - Stage-1 (Capture waveforms)

The flowchart in Figure 6-3 summarises the HAT Stage-1 capture process schematically. This flowchart is referred to as the HAT Stages Flowchart and will be expanded upon in subsequent HAT stage descriptions until it shows the complete HAT absorption methodology in Stage-5.

6.2.1.1 HAT Microphones

To maximise the chance of capturing quantifiable differences in the audio sample pairs, HAT utilises two identical high-quality voice microphones. It is fundamental to the HAT process to capture predominantly the head-based propagation waves, and as the microphones are positioned relatively close to each other, they are configured in such a way as to minimise cross contamination effects:

• Ear Microphone Configuration

The ear microphone is identical to the mouth microphone. It is placed inside an isolation ear-cup in order to minimise air-path (mouth-to-ear) acoustic cross contamination and positioned on the pinna (Section 5.2.1) of the outer ear using a headset similar in design to a normal computer-based headset (see Section 7.2.1). The isolation cup has the added benefit of minimising extraneous sound contaminating the low-amplitude ear sample.


• Mouth Microphone Configuration

The mouth microphone is positioned in front of the mouth in a similar configuration to a normal computer-based voice microphone (see the HAT headset in Section 7.2.1). The microphone captures a reference sample, being located nearest to the acoustic stimulus, which is later used to compare with the altered ear captured sample to determine the propagation variance.

6.2.1.2 Captured Soundfile Format

HAT captured soundfiles conform to a standard digital PCM¹ format, and are stored as uncompressed Microsoft Windows wave files², a subset of the broader independent Resource Interchange File Format (RIFF) (see Appendix D). This makes the files easy to manipulate on a PC within the following standard commercial development software:

• Mathworks Matlab v6.1

Used for all HAT development work, before coding HAT stages into Visual Basic to form the HAT demonstration tool. Due to Matlab's excellent built-in neural-network toolbox, for convenience Stage-4 analysis remained in Matlab.

• Microsoft Visual Basic v6.0

Used for development of the HAT demonstration tool, including generic Microsoft Windows Graphical User Interface (GUI). After the HAT process was finalised, all stages except Stage-4 were ported across to Visual Basic®.

The size and quality of HAT captured waveforms are governed by the standard PCM specifications: Number of channels, Sample size (2^X where X > 1) and Sampling rate (in Hertz). The values of these parameters were individually determined during the development stages of the research and are described here:

¹ Pulse Code Modulation is a sampling technique for digitising analogue signals, especially audio signals.

² Microsoft® Windows® wave files are identified by the extension '.wav'.


• HAT Channels

Function: Number of capture channels.

HAT Value: 2

Development: 2 channels are the minimum requirement for the HAT comparison process to be performed. Basic HAT utilises the two channels: Mouth and Ear.

• HAT Sample size

Function: Number of bits-per-sample.

HAT Value: 16-bit

Development: bits-per-sample determines the number of quantisation levels-per-sample (sometimes called the resolution), and the dynamic range of the captured sound (Table 6-1).

Bits-per-sample (bps)     Quantisation Levels     Dynamic Range
4¹                        16                      24dBs
8                         256                     48dBs
16² (HAT selection)       65,536                  96dBs
24³                       1,677,216               124dBs
32¹                       4,294,967,296           193dBs

Table 6-1: Quantisation levels and dynamic-range based on bits-per-sample

It can be seen from the typical capture shown in Section 6.2.1.3, that the low-amplitude ear waveform is particularly sensitive to signal resolution; therefore HAT maintains a sample size of 16-bit.

¹ Not in general use, included for comparison purposes only.

² Domestic CD audio standard.

³ Domestic CD audio mastering and DVD-Audio Standard.


• HAT Sampling rate

Function: Number of samples-per-second.

HAT Value: 11025Hz (11025 stereo sample pairs-per-second)

Development: Initial tests of the HAT process adopted a frequency bandwidth of 50Hz to 16000Hz, approximately the bandwidth of a healthy human ear (Section 5.2.1). During subsequent development, this was refined to 100Hz to 8000Hz; and finally 100Hz to 4000Hz, when it was found that frequencies above 4000Hz contained minimal absorption information. This is illustrated in the example plot shown in Figure 6-4 (100Hz < bw < 8000Hz), where useful absorption information has tailed off above 4000Hz. The effect on sampling rate was a reduction from an initial 44100Hz to 11025Hz. This topic is covered in greater depth in Section 6.2.6.

[Figure 6-4 image: absorption curves in dB against Spot Frequencies (Hz) for samples viv_1_01 to viv_1_10. User: u03_viv; Data type: Fixed; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor: -40dB. Annotation: absorption rolls off at 4000Hz.]

Figure 6-4 : Compound frequency absorption curves of the numbers '0' to '9', HAT trial participant 'u03_viv' (100Hz < bw < 8000Hz)


6.2.1.3 The Captured Soundfile Waveform

An example of a typical HAT captured wavefile pair is shown in Figure 6-5: the upper trace represents the prominent reference Mouth waveform; the lower trace the difference Ear waveform. Notice particularly HAT's effect on Ear amplitude.

[Figure 6-5 image: two waveform traces labelled Mouth Waveform and Ear Waveform, with the Noise Floor marked.]

Figure 6-5 : A Typical HAT wavefile pair

In Figure 6-6, the noise floor in Figure 6-5 has been vertically zoomed to illustrate typical ambient noise levels experienced in the HAT trials discussed in Section 7.3. The values are around -40dB for the Mouth, and around -48dB for the Ear; the additional damping is due to the isolation cup covering the ear, illustrated in Figure 6-2.

[Figure 6-6 image: zoomed noise floor traces, Mouth Waveform at -40dB and Ear Waveform at -48dB.]

Figure 6-6 : Typical noise floor(s) of a HAT wavefile pair.
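The capture format described in Section 6.2.1.2, checked in code: an added example (not the thesis' Matlab or Visual Basic code) that parses a stereo PCM wave capture, enforces the HAT values of 2 channels, 16-bit and 11025Hz, and measures what 8-bit versus 16-bit quantisation does to a low-amplitude ear signal. The channel order (mouth first), the 441Hz test tones, and reading the -40dB and -48dB figures as levels relative to full scale are assumptions of the example.

```python
import io
import math
import struct
import wave

# PCM parameters the page gives for HAT captures
HAT_CHANNELS, HAT_SAMPLE_BYTES, HAT_RATE_HZ = 2, 2, 11025


def load_hat_pair(wav_bytes):
    """Parse a PCM .wav capture, enforce the HAT format and return
    (mouth, ear) as floats in [-1.0, 1.0).
    Assumption: channel 0 is the mouth microphone, channel 1 the ear."""
    try:
        with wave.open(io.BytesIO(wav_bytes), "rb") as w:
            fmt = (w.getnchannels(), w.getsampwidth(), w.getframerate())
            frames = w.readframes(w.getnframes())
    except (wave.Error, EOFError) as exc:
        raise ValueError("not a readable PCM wave file: %s" % exc)
    if fmt != (HAT_CHANNELS, HAT_SAMPLE_BYTES, HAT_RATE_HZ):
        raise ValueError("unexpected channels/bytes/rate: %r" % (fmt,))
    if not frames or len(frames) % (HAT_CHANNELS * HAT_SAMPLE_BYTES):
        raise ValueError("empty or truncated sample data")
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    return ([s / 32768.0 for s in samples[0::2]],
            [s / 32768.0 for s in samples[1::2]])


def level_db(x):
    """RMS level in dB relative to full scale."""
    mean_square = sum(v * v for v in x) / len(x)
    return 10 * math.log10(mean_square) if mean_square > 0 else float("-inf")


def quantisation_snr_db(x, bits):
    """Signal-to-quantisation-noise ratio after rounding x to `bits` bits."""
    scale = 2 ** (bits - 1)
    noise = sum((round(v * scale) / scale - v) ** 2 for v in x) / len(x)
    signal = sum(v * v for v in x) / len(x)
    return 10 * math.log10(signal / noise) if noise > 0 else float("inf")


def make_wav(channel_data, sample_bytes=2, rate=HAT_RATE_HZ):
    """Build an in-memory .wav from float channels (constructed test input)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(len(channel_data))
        w.setsampwidth(sample_bytes)
        w.setframerate(rate)
        interleaved = [v for frame in zip(*channel_data) for v in frame]
        if sample_bytes == 2:
            ints = [max(-32768, min(32767, round(v * 32767)))
                    for v in interleaved]
            w.writeframes(struct.pack("<%dh" % len(ints), *ints))
        else:  # 8-bit PCM is stored unsigned
            w.writeframes(bytes(max(0, min(255, round(v * 127) + 128))
                                for v in interleaved))
    return buf.getvalue()


def tone(freq_hz, rms_db, n_samples=HAT_RATE_HZ):
    """Constructed sine tone with the given RMS level (dB re full scale)."""
    peak = math.sqrt(2) * 10 ** (rms_db / 20)
    return [peak * math.sin(2 * math.pi * freq_hz * t / HAT_RATE_HZ)
            for t in range(n_samples)]


# Constructed input, not trial data: one second per channel at the levels
# the page quotes for the mouth and ear noise floors.
MOUTH_TONE = tone(441, -40.0)
EAR_TONE = tone(441, -48.0)


def demo():
    """Round-trip the constructed pair and compare 16-bit with 8-bit capture."""
    mouth, ear = load_hat_pair(make_wav([MOUTH_TONE, EAR_TONE]))
    return {"mouth_db": level_db(mouth), "ear_db": level_db(ear),
            "ear_snr_16bit_db": quantisation_snr_db(EAR_TONE, 16),
            "ear_snr_8bit_db": quantisation_snr_db(EAR_TONE, 8)}


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %7.1f" % (name, value))
```

At 8 bits the constructed ear tone spans less than one quantisation step, so most of it is lost, which is the sensitivity to resolution the text gives as the reason for keeping 16-bit samples.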


6.2.2 Stage-2 Filter HAT Sample Data

The basic authentication metric utilised by HAT is the mouth-to-ear pass-band RMS absorption figures of multiple narrowband frequency spectra, at pre-selected spot-frequencies, within the vocal range of the human voice (Section 5.2.1).

HAT Stage-2 filtering involves the cyclic application of a narrowband high roll-off digital bandpass filter to mouth-ear pairs of captured waveforms. Starting at a lowest frequency of 100Hz, a 100Hz bandwidth filter (see Section 6.2.2.1) is discretely applied twenty-five times, at pre-selected spot-frequencies, up to a highest frequency of 4000Hz (see Section 6.2.6.1) with additional Stage-3 Absorption processing being performed as an integral part of each filter cycle. The number and spectral locations of the spot-frequencies were determined empirically, and are shown in Figure 6-7.

[Figure 6-7 image: filter passbands for Spot Frequency Index 1 to 25, plotted against Spot Frequencies (Hz).]

Figure 6-7 : HAT Stage-2 Filter spot-frequencies

By inspection of the filtered frequency spectrum, there are a number of important observations which can be made:


• Spot-frequencies are mirrored in the range 100Hz to 1000Hz, crossing over at a figure of -60dB, maximising system resolution within the natural spoken frequency spectrum of the human voicebox (Figure 5-12).

• The actual number of spot-frequencies was partly governed by the hardware processing capabilities of the HAT system, as each spot-frequency feeds directly into a discrete input node in the HAT Stage-4 Neural-network. The number of spot-frequencies also governs the number of (hidden) layer neurons in the neural-network (see Section 6.2.4.1). It was found empirically that a figure of twenty-five spot-frequencies (and neural-network neurons) maximised the available processing resources, realising good neural-network user classification, whilst maintaining acceptable authentication cycle times of a few seconds.

• The stopgaps between spot-frequencies above 1000Hz, when analysed, were found to offer minimal additional information to that already provided by the 100Hz filter passbands; filter bandwidth uniformity was therefore maintained across the full HAT spectrum.

• Although use of a Fast Fourier Transform (FFT) was considered for Stage-2 filtering, the HAT methodology currently in place (specifically the discrete stepping filter) draws parallels with the frequency component voice banding (of formant and carrier), found in Vocoder¹ voice synthesisers (Fellbaum 2005).

The flowchart in Figure 6-8 is the systematic continuation of the HAT Stages Flowchart introduced in HAT Stage-1 Capture (Figure 6-3), and places HAT Stage-2 Filtering in context with the previous stage.

¹ A vocoder is a voice synthesiser, often used to reproduce a human voice with a metallic and monotonous sound. An early example is the song 'We are the Robots' (1977), by the German band Kraftwerk.

[Figure 6-8 image: flowchart. Start, then Stage-1 (Capture Mouth waveform, Capture Ear waveform), then Initialise filter frequency counter and Set filter spot frequency (from the preset filter spot frequencies), then Stage-2 (Filter Mouth waveform, Filter Ear waveform), leading to Stage-3.]

Figure 6-8 : HAT Stages flowchart - Stage-2 (Filter waveforms)

Note that the flowchart only shows one cycle of the filtering process, a single iteration of the HAT template creation process; the completed filter/absorption loop is illustrated in the description for Stage-3 RMS Absorption (Section 6.2.3).

6.2.2.1 Finite Impulse Response HAT Filter

The requirement for the HAT Stage-2 filter was for a design that would minimise the risk of spectral distortion, extracting only the desired signal spectrum. The digital filter design chosen was a Finite Impulse Response (FIR) filter with symmetrical coefficients and incorporating a Hamming window. The choice of symmetrical FIR filter with an odd number of coefficients was used so that the group delay of all frequencies passing through the filter would be an integer and be defined by the equation:

$$\text{Group delay} = \frac{\text{filter coefficients} - 1}{2}$$


A Hamming window was used so that out-of-band rejection would be greater than -40dB (or less than 1%). Without the Hamming window there could be undesirable (Gibbs) ringing at the edges of the filter passband. The filter was developed initially in Matlab, before being ported into Visual Basic and the HAT Demonstration Tool (see Section 7.2). The filter development code has been included in Table 6-2.

function [coeff] = bpf(fa,fb,nc)
%BPF Bandpass-Filter polynomial coefficient generator (Hamming)
%   BPF(fa,fb,nc)
%   fa - lower corner frequency
%   fb - upper corner frequency
%   nc - n-count polynomial coefficients; group delay (nc-1)/2
%
%   Example: coeff = bpf(500,600,501);
%
%   Note: no sampling-rate term appears in this listing; the sinc terms
%   below are only meaningful when fa and fb are expressed in cycles per
%   sample (frequency in Hz divided by the sampling rate).
%
%Author : PMR
%File   : bpf.m (v.2)

%Local variables:
%   coeff - filter polynomial (coeff)icients
%   fa    - lower corner frequency of filter
%   fb    - upper corner frequency of filter
%   lo    - (lo)wer corner frequency of filter
%   n     - (n)-count coefficients range
%   nc    - (n)-count polynomial (c)oefficients
%   up    - (up)per corner frequency of filter

n  = (-(nc-1)/2 : (nc-1)/2);   %define n-count range
lo = min(fa,fb);               %check lower corner frequency
up = max(fa,fb);               %check upper corner frequency

%- core function
% default hamming window function
hamming_window = (0.54-0.46*cos(2*pi*n./nc-pi));
% calculate n-count filter coefficients
coeff = hamming_window.*(2*up*sinc(2*up*n)-2*lo*sinc(2*lo*n));

Table 6-2: Matlab Code for the HAT Stage-2 Filter

When deriving the performance of the digital filter, an important consideration was the processing payload of the filter cycle(s). Although it is possible to produce a HAT software filter with an almost ideal frequency response, an example of which is shown in Figure 6-9 (0dB passband, greater than -60dB stopband), the processing payload is high; especially with the filter polynomial count of 6001 illustrated. As discussed previously in Chapter 2 (Section 2.3.7), all processing within a mobile device will have a negative effect on the recharge cycle time of the unit's power-pack. As basic HAT Stage-2 filtering is performed twenty-five times on two discrete waveforms, it was especially important to reduce processing to a minimum whilst maintaining overall system integrity; this was achieved through experimentation.

[Figure 6-9 image: filter frequency response in dB against Frequency (Hz), 3750Hz to 4250Hz. Lower cutoff: 3950Hz; Upper cutoff: 4050Hz; n-count: 6001.]

Figure 6-9 : Frequency response of an ideal HAT Stage-2 Filter (n = 6001)

Examining the other end of the performance curve, the filter frequency response curve shown in Figure 6-10 shows a very fast, low processing requirement, digital filter; with only 101 polynomial coefficients (n = 101). However, notice at least 6dBs of attenuation at the passband centre frequency of 4000Hz and the extremely poor roll-off.

For the purposes of HAT, this particular filter was found to introduce unacceptable cross-contamination within the adjacent spot-frequency passbands data.

[Plot: Lower cutoff: 3950Hz; Upper cutoff: 4050Hz; n-count: 101. Annotation: -6dB Attenuation. X-axis: Frequency (Hz).]

Figure 6-10 : Frequency response of an inadequate HAT Stage-2 Filter (n = 101)

By increasing the digital filter's polynomial n-count above 500, see Figure 6-11, it can be seen that the filter's frequency response improves dramatically, with:

• 0dBs attenuation at centre frequency (HAT spot-frequency) of passband.

• High roll-off with 6dBs of attenuation at the filter corner frequencies.

• Better than 50dBs attenuation (< 0.1 %) in the filter stopband.

[Plot: Lower cutoff: 3950Hz; Upper cutoff: 4050Hz; n-count: 501. Annotation: 0dB Attenuation. X-axis: Frequency (Hz).]

Figure 6-11 : Frequency response of an improved HAT Stage-2 Filter (n = 501)


Although the filter in Figure 6-11 was an improvement, it was determined through extensive experimentation that the optimum filter performance balance for the system as a whole was achieved with a digital filter whose frequency response is shown in Figure 6-12 (n = 1301). It was discovered that although many filter designs produced what initially appeared to be good Stage-3 Absorption results, the Stage-4 Analysis neural-network could not reliably extract a signature from the sample data. It was discovered that the performance of HAT Stage-2 Filtering and HAT Stage-4 Neural-network analysis were in fact highly mutually dependent, and the design of the filter was heavily dependent on the design and subsequent performance of the neural-network in HAT Stage-4 Analysis (see Section 6.2.4).

[Plot: Lower cutoff: 950Hz; Upper cutoff: 1050Hz; n-count: 1301. X-axis: Frequency (Hz).]

Figure 6-12 : Frequency response of the final HAT Stage-2 Filter (n = 1301)

HAT Filter Design Specifications

• FIR digital filter incorporating a Hamming Window (n = 1301).

• 100Hz bandwidth, with 0dB passband attenuation.

• High roll-off with 6dBs attenuation at corner frequencies.

• 60dBs attenuation (< 0.01 %) in stopband.


6.2.3 Stage-3 Absorption between Filtered Frequency Pairs

RMS absorption of frequencies within the human-head is essentially the novel aspect of basic HAT's interpretation of head authentication. Although sample data must be captured, filtered and subsequently analysed, classified and a suitable response issued, it is the RMS absorption figures of the multiple narrowband frequency spectra which determine and define the HAT biometric template.

HAT Stage-3 Absorption attempts to quantify any variance in RMS amplitude between a captured audio sample at a user's mouth, and a simultaneously captured audio sample at the user's ear, at pre-determined spot-frequencies. Any absorption is a result of the propagation effects of the 'ear-wave' through the intervening bio-matter (Section 5.3.1) in contrast to the more direct path of the 'mouth-wave'. The HAT absorption figure represents the preservation of the RMS value of a 100Hz snapshot of the 'ear-wave', at a pre-determined spot-frequency, compared to the value of the paired 'mouth-wave'.

Example: An absorption figure of 40% at a particular spot-frequency represents a 60% reduction in the RMS amplitude of the 100Hz bandwidth ear-wave spectrum, compared to the reference 'mouth-wave' spectrum, at that frequency point.

As mentioned in Section 6.2.1.3, an absorption calculation is performed between the filtered mouth/ear spectra within each cycle of the twenty-five cycle HAT Stage-2 Filter process. This is shown schematically in Figure 6-13, Stage-3 of the HAT Stages Flowchart. The Stage-3 flowchart also includes detail of the Stage-2/Stage-3 finite filter/absorption loop.

[Flowchart: Stage-1 (preset filter spot frequencies; capture Mouth waveform; capture Ear waveform); Stage-2/Stage-3 loop (initialise filter frequency counter; set filter spot frequency; filter Mouth waveform; filter Ear waveform; RMS difference of Mouth and Ear filtered responses, stored in the HAT User Template; increment filter spot frequency counter; test "Is filter frequency greater than 4000Hz"); then Stage-4.]

Figure 6-13 : HAT Stages flowchart - Stage-3 (Absorption calculation)

By following the flowchart in Figure 6-13, it can be seen how HAT Stage-2 filtering and HAT Stage-3 Absorption cycle together to accumulate the HAT absorption template, within the 'HAT User Template' container. Upon completion of a HAT user template (twenty-five cycles), flow is passed to HAT Stage-4 Analysis for processing within a neural-network; either for Stage-4 network training (of a new user) or Stage-4 authentication (of an existing user), before passing to final Stage-5 Classification and response discussed in Section 6.2.5.
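The n-count trade-off of Section 6.2.2 and the Stage-2/Stage-3 loop described above can be reproduced with the following added example, a Python port of the Table 6-2 core lines that is not the thesis's own code. The Hz-to-cycles/sample normalisation, the two constructed adjacent tones with 40% and 10% preserved, and the reading of the absorption figure as the ear/mouth RMS ratio (taken from the 40% worked example) are assumptions.

```python
import math

FS = 11025  # sampling rate stated on the page (Hz)


def sinc(x):
    """Normalised sinc, sin(pi*x)/(pi*x), matching Matlab's sinc()."""
    return 1.0 if x == 0 else math.sin(math.pi * x) / (math.pi * x)


def stage2_coeff(fa_hz, fb_hz, nc, fs=FS):
    """Hamming-windowed band-pass FIR, following the Table 6-2 core lines.

    Assumption: corner frequencies are given in Hz and normalised to
    cycles/sample here; the page does not show where that is done.
    """
    lo, up = min(fa_hz, fb_hz) / fs, max(fa_hz, fb_hz) / fs
    half = (nc - 1) // 2                      # nc is odd: n = -half .. +half
    coeff = []
    for n in range(-half, half + 1):
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / nc - math.pi)
        ideal = 2 * up * sinc(2 * up * n) - 2 * lo * sinc(2 * lo * n)
        coeff.append(window * ideal)
    return coeff


def gain_db(coeff, f_hz, fs=FS):
    """Magnitude response at one frequency (the coefficients are symmetric)."""
    half = (len(coeff) - 1) // 2
    w = 2 * math.pi * f_hz / fs
    h = sum(c * math.cos(w * (i - half)) for i, c in enumerate(coeff))
    return 20 * math.log10(max(abs(h), 1e-12))


def band_rms(signal, coeff):
    """RMS of the filter output, using only fully overlapped samples."""
    nc = len(coeff)
    out = [sum(c * s for c, s in zip(coeff, signal[i:i + nc]))
           for i in range(len(signal) - nc + 1)]
    return math.sqrt(sum(v * v for v in out) / len(out))


def mea_percent(mouth, ear, spot_hz, nc=1301, bw_hz=100):
    """Stage-3 figure: ear RMS preserved relative to mouth RMS, in percent."""
    coeff = stage2_coeff(spot_hz - bw_hz / 2, spot_hz + bw_hz / 2, nc)
    return 100.0 * band_rms(ear, coeff) / band_rms(mouth, coeff)


def make_pair(preserved, n_samples=2000, fs=FS):
    """Constructed signals: equal-amplitude mouth tones; the ear copy keeps
    the given fraction of each tone."""
    def tone(f, t):
        return math.sin(2 * math.pi * f * t / fs)
    mouth = [sum(tone(f, t) for f in preserved) for t in range(n_samples)]
    ear = [sum(k * tone(f, t) for f, k in preserved.items())
           for t in range(n_samples)]
    return mouth, ear


# Constructed input: two adjacent 100Hz-wide bands, 40% and 10% preserved.
PRESERVED = {1000: 0.40, 1100: 0.10}


def demo():
    """One row per n-count: filter gains, then the two absorption figures."""
    mouth, ear = make_pair(PRESERVED)
    rows = []
    for nc in (101, 1301):
        c = stage2_coeff(3950, 4050, nc)
        rows.append((nc, gain_db(c, 4000), gain_db(c, 3950), gain_db(c, 4150),
                     mea_percent(mouth, ear, 1000, nc),
                     mea_percent(mouth, ear, 1100, nc)))
    return rows


if __name__ == "__main__":
    print("n-count  centre dB  corner dB  +100Hz dB  MEa@1000  MEa@1100")
    for row in demo():
        print("%7d  %9.2f  %9.2f  %9.2f  %7.1f%%  %7.1f%%" % row)
```

With n = 101 the neighbouring tone leaks into each passband and the two absorption figures are pulled towards each other, which is the cross-contamination the text attributes to the short filter.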


6.2.4 Stage-4 Neural-Network Analysis of Absorption Frequency Pairs

Each time a (basic) HAT authentication cycle is performed, HAT Stage-3 Absorption (or Stage-3 Correlation for the correlation method, see Section 6.3) produces a curve defined by a set of twenty-five non-integer variables; one for each of the HAT spot-frequencies. To analyse this set of biometric markers and extract the unique HAT user template, a neural-network was employed.

The choice to use a neural-network was based on a number of factors. A computer's ability to analyse the constantly varying data produced by a biometric system, even when it comes from the same user, traditionally lies in its computational speed (Table 6-3).

Combined with custom analytical software, a computer can perform what in essence is a brute force attack on the data, to attempt to authenticate a user against a stored template.

Good at: Fast arithmetic; Following programme code precisely.

Not good at: Handling noisy data; Massive parallelism; Fault tolerance; Adapting to changing circumstances.

Source: Centre for Cognitive and Computational Neuroscience (Link: CCCN)

Table 6-3: Computers' traditional strengths and weaknesses

Neural-networks differ in that they adopt a generic learning process when analysing sets of data. They are not programmed, in a traditional sense, but given examples of right and wrong behaviour and then allowed to configure themselves to learn the difference for future encounters. Although neural-networks are still computational engines they can appear to exhibit pseudo intelligence when processing data where:

• an algorithmic solution cannot be formulated;

• lots of examples of behaviour are available;

• we need to pick out the structure from existing data.

[Flowchart: the Stage-1 to Stage-3 steps of Figure 6-13, followed by Stage-4 Neural-Network Analysis (Training or Authentication, using the HAT User Network), then Stage-5.]

Figure 6-14 : HAT Stages flowchart - Stage-4 (Neural-network analysis)

The Stage-4 evolution of the HAT Stages flowchart is shown in Figure 6-14. To register a new user, a new neural-network is trained using their HAT template in opposition to all existing user templates. If authenticating an existing user, their HAT template will be processed within all existing user neural-networks, and the most positive results assumed.


6.2.4.1 A Neural-Network for HAT

The neural-network design used by HAT was determined through extensive network trials designed to optimise performance against speed of execution. The final design was a feed-forward single-layer neural-network consisting of twenty-five inputs, one for each of the HAT template spot-frequencies, twenty-five neurons, and a single output defined by a hyperbolic tangent-sigmoid transfer function¹ (an introduction to neural-networks and their transfer functions is included in Appendix E). A schematic of the 25-25-1 neural-network is shown in Figure 6-15, the enlargement illustrating the complex web of connections for each neuron providing the network with its inherent analytical power.

[Schematic: Input (Spot Frequencies in Hz); Hidden Layer (25-Input Neurons); Output (Hyperbolic Tangent Sigmoid).]

Figure 6-15 : The single layer, twenty-five neuron neural-network adopted by HAT

Each individual neuron of the single hidden-layer contains twenty-five inputs and one output; this is illustrated in the single neuron example in Figure 6-16.

¹ The tansig transfer function is a logsig transfer function symmetrical about the X-axis (see Appendix E).


Figure 6-16 : A twenty-five input HAT neuron

The HAT neuron incorporates a symmetrical tan-sigmoid transfer function, which scales the neuron output into the range -1 ≤ a ≤ 1, where a is defined by the function:

a -

The final neural-network configuration, illustrated in Figure 6-15, was refined through extensive experimentation, in order to realise the best balance of performance against process cycle time: a key variable within this balance was the network's training error rate. Although it is feasible to specify error rates in excess of 1 in 1000 (1e-4), the processing time can easily exceed acceptable limits, as shown in the next example.

[Training plot: Performance is 9.99…e-005, Goal is 0.0001; 2492 Epochs.]

Figure 6-17 : Training a new user's HAT neural-network for 1 in 10,000 errors


Example: The processing time of the HAT neural-network for a new user, within a user-base¹ of only four users, at an error rate of 1 in 10,000 (1e-4), is in excess of 2500 epochs² (Figure 6-17). This equates to around 30 seconds processing time on a current (2005) desktop PC, with a CPU typically drawing in excess of 50 watts; by comparison mobile handset CPUs generally draw less than 1 watt (AMD 2005). It is acknowledged that the power/performance profile of desktop and mobile CPUs is constantly being improved.

HAT therefore defines a performance error goal during training of 1 in 1000 (1e-3). With a user group of around twenty users, and the available hardware, this was found to offer the best performance/processing-time balance, with a full training cycle consistently taking around 400 epochs (Figure 6-18), less than 20 seconds.

[Training plot: Performance is 0.000997987, Goal is 0.001; 405 Epochs.]

Figure 6-18 : Training a new user's HAT neural-network for 1 in 1000 errors

Although a new user only has to train their personal neural-network once at registration, all biometric templates require refining over time due to the changing character of their owner (Section 4.2.2). System accuracy also benefits from training a user's template(s) against as many of the system's user-base templates as is practicable, identifying good and bad training data (behaviour): HAT trains all users against all other users in the user-base.

¹ The complete set of registered system users: for HAT, this is the set of twenty trial users in Section 7.3.

² An epoch is a neural-network processing cycle.


6.2.5 Stage-5 User Classification and System Response

The final stage of the HAT authentication process is the classification of the neural-network output data. The authentication stage involves the comparison of the HAT Stage-4 output against a pre-determined authentication threshold.

It is an aspect of the HAT authentication technique that the threshold(s) defined by HAT for user authentication are unique to each registered user, and are dependent upon:

• the consistency of individual users' templates (data sets);

• the variance in users' templates across the entire user-base;

• the performance error of individual users' HAT Stage-4 neural-networks.

An individual user's authentication threshold is calculated during HAT Stage-4 Analysis by feeding examples of known good and bad data into the neural-network, monitoring the resultant outputs, and setting a value which minimises FMR and FNMR (Section 4.2.3).
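The per-user threshold calculation and the "most positive result" rule of Section 6.2.4 can be sketched as follows; this is an added example, not code from the thesis. The user names and network outputs are constructed, and reading "minimises FMR and FNMR" as minimising their sum is an assumption.

```python
def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when outputs >= threshold are accepted."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def choose_threshold(genuine, impostor):
    """Pick one user's threshold from known good and bad network outputs.

    Candidates are the midpoints between neighbouring observed outputs.
    Assumption: the criterion is the smallest FMR + FNMR, with ties
    resolved towards the lower FMR.
    """
    scores = sorted(set(genuine) | set(impostor))
    candidates = [(a + b) / 2 for a, b in zip(scores, scores[1:])]

    def cost(threshold):
        fmr, fnmr = error_rates(genuine, impostor, threshold)
        return (fmr + fnmr, fmr)

    return min(candidates, key=cost)


def enrol(training):
    """Compute a separate threshold for every registered user."""
    return {user: choose_threshold(d["genuine"], d["impostor"])
            for user, d in training.items()}


def classify(outputs, thresholds):
    """outputs maps each user to the output of that user's network for the
    probe template. Take the most positive output, then apply that user's
    own threshold; return the accepted user or None."""
    user = max(outputs, key=outputs.get)
    return user if outputs[user] >= thresholds[user] else None


# Constructed Stage-4 outputs in the tansig range -1..1 (not trial data).
# user_a is a consistent user; user_b's genuine outputs are more spread out.
TRAINING = {
    "user_a": {
        "genuine": [0.92, 0.95, 0.88, 0.97, 0.90],
        "impostor": [-0.80, -0.60, 0.10, -0.95, 0.35, -0.20],
    },
    "user_b": {
        "genuine": [0.70, 0.20, 0.55, 0.85, 0.40, 0.60, 0.75, 0.50, 0.65, 0.45],
        "impostor": [-0.70, 0.30, -0.10, -0.50, 0.05, -0.30, -0.90, 0.10],
    },
}

if __name__ == "__main__":
    thresholds = enrol(TRAINING)
    for user, th in thresholds.items():
        fmr, fnmr = error_rates(TRAINING[user]["genuine"],
                                TRAINING[user]["impostor"], th)
        print("%s: threshold %.3f  FMR %.3f  FNMR %.3f" % (user, th, fmr, fnmr))
    # A probe that scores 0.41 on user_a's network would pass user_b's
    # threshold, but it is judged against user_a's own, stricter value.
    print(classify({"user_a": 0.41, "user_b": 0.28}, thresholds))
```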

The variance in user-base templates, generic threshold values and match error rates are mutually exclusive and defined by the relationship shown in Figure 6-19.

[Plot x-axis: User-Base Template Variance, from (Low) to (High).]

Figure 6-19: The mutually exclusive relationship between HAT authentication thresholds and match error rates vs. user-base template variance

[Flowchart: Stage-1 (preset filter spot frequencies; capture Mouth waveform; capture Ear waveform); Stage-2/Stage-3 loop (initialise filter frequency counter; set filter spot frequency; filter Mouth waveform; filter Ear waveform; RMS difference of Mouth and Ear filtered responses, stored in the HAT User Template; increment filter spot frequency counter; test "Is filter frequency greater than 4000Hz", NO branch repeats the loop); Stage-4 Neural-Network Analysis (Training or Authentication, using the HAT User Network); Stage-5 User Classification; End.]

Figure 6-20 : Complete HAT Stages flowchart - Stage-5 (User Classification)

HAT Stage-5 User Classification is the final stage in the HAT authentication process and is placed in context within the HAT stages flowchart illustrated in Figure 6-20: this flowchart now describes the complete HAT process.


6.2.6 The HAT Template

The HAT absorption¹ template is defined by the unique shape contained within mouth-to-ear absorption curves of an individual user, and is governed by:

• the number and specifications of spot-frequencies² discussed in HAT Stage-2;

• the consistency of individual users' mouth-to-ear absorption responses.

Each of the twenty-five spot-frequencies (Section 6.2.1.3) is used to determine a discrete bio-metric, which collectively define a user's HAT template. Each spot-frequency mouth-to-ear (MEa) absorption metric is described by the following formulae:

Mouth 1

...where the Mouth and Ear values are defined as the RMS value of the relevant spot-frequency passband (Figure 6-12). The root-mean-square (RMS) interpretation is required to accommodate for the signed quantisation levels³ of 16-bit wave files. The resultant MEa value is preserved as a percentage, rather than a difference value, to allow for amplitude fluctuations in the individual spot-frequency stimuli. In Figure 6-21 and Figure 6-22, two examples of Mouth and Ear input stimuli are shown along with their associated HAT absorption template, for the individual numbers '0' and '3' respectively. These plots are extended in Figure 6-23 and Figure 6-24, to include full sets of fixed (number '1') and variable (numbers '0' to '9') stimuli respectively on a single axis. By inspection of this pair of graphs, the fixed stimuli control set exhibits very little spread, compared to the greater spread of the variable data set. However in both cases, and allowing for the varying input stimuli, the HAT template(s) show consistent shape.

¹ Although absorption is not the only factor affecting mouth-to-ear variance, it is the predominant modifier, and hence the method was named as such.

² HAT Stage-2 'spot frequencies' are referred to in some analyses plots as 'centre frequencies'.

³ Quantisation levels of 16-bit wave file samples are in the range: -32768 to +32767.

[Plot: Mth (rms), Ear (rms) and MEa (%) against Spot Frequencies (Hz). User: u01_phi; Data: #0 (zero); Sampling: 11025Hz; Bandwidth: <4000Hz; Noise floor: ~ -40db.]

Figure 6-21 : Mouth, Ear input and HAT template output curves of the number '0'. HAT trial user 'u01_phi' (100Hz < bw < 4000Hz)

[Plot: Mth (rms), Ear (rms) and MEa (%) against Spot Frequencies (Hz). User: u01_phi; Data: #3; Sampling: 11025Hz; Bandwidth: <4000Hz; Noise floor: ~ -40db.]

Figure 6-22: Mouth, Ear input and HAT template output curves of the number '3'. HAT trial user 'u01_phi' (100Hz < bw < 4000Hz)

[Plot: Mth (rms), Ear (rms) and MEa (%) against Spot Frequencies (Hz). User: u01_phi; Data type: #1 - Fixed; Sampling: 11025Hz; Bandwidth: <4000Hz.]

Figure 6-23 : Compound Mouth, Ear input and HAT template output curves of the number '1'. HAT trial user 'u01_phi' (100Hz < bw < 4000Hz)

[Plot: Mth (rms), Ear (rms) and MEa (%) against Spot Frequencies (Hz). User: u01_phi; Data type: Variable; Sampling: 11025Hz; Bandwidth: <4000Hz; Noise floor: ~ -40db.]

Figure 6-24: Compound Mouth, Ear input and HAT template output curves of the numbers '0' to '9'. HAT trial user 'u01_phi' (100Hz < bw < 4000Hz)


By comparing the HAT templates in the previous example with those of another user from a series of trials (see Section 7.3), Figure 6-25 through to Figure 6-28 show that for both a fixed stimuli control set (using just the number '1') and for the numbers '0' to '9', trial participants' individual response curves exhibit a clear collective pattern match or correlation with themselves; even though the numbers are phonetically quite different.

The key observations are summarised as:

• the consistent shape of the individual users' sets of discrete curves;

• the unique shape of the individual user's collective response.

6.2.6.1 The 4000Hz Cut-off

In Section 6.2.1.2 (Figure 6-4), the 4000Hz information roll off was introduced. Through experimentation, this was found to be the upper limit of unique head authentication data.

By further inspection of the wideband (100Hz < bw < 8000Hz) plots shown in Figure 6-25 through to Figure 6-28, this trend can be observed above the 4000Hz spot-frequency.

It was also found during HAT development that an alternate cross-correlation head authentication methodology (see Section 6.3) exhibited the same information break down above 4000Hz. Following the Nyquist² sampling principle, with the highest HAT Stage-2 spot-frequency set optimally at 4000Hz, a system sampling rate of at least 8000Hz was required: the nearest standard sampling rate³ to this was 11025Hz. This optimisation of the system sampling rate offered the following advantages:

• smallest efficient sample sizes (in bytes);

• removal of unnecessary (unproductive) system resolution (above 4000Hz);

• reduced HAT analysis time, resulting in reduced system authentication cycle time;

• reduced processing requirements, resulting in reduced system power requirements.

The captured sample filenames are displayed in the individual plot legends, and adopt the following syntax: <name (3 characters)>_<capture set (1 character)>_<spoken text (2 characters)>

² The Nyquist rate is the minimum sampling rate required to recover all Fourier components of a periodic waveform. It is calculated as at least twice the highest frequency component of the capture waveform.

³ A factor of 44.1 kHz, the domestic CD sampling rate and a standard Windows® supported rate.

[Plot for Figure 6-25: absorption curves against Spot Frequencies (Hz). User: u01_phi; Data type: Fixed; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor: ~ -40db. Legend: phi_1_01 to phi_1_10.]

Figure 6-25: Compound frequency absorption curves of the number '1' (x 10) - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz)

[Plot for Figure 6-26: absorption curves against Spot Frequencies (Hz). User: u01_phi; Data type: Variable; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor: ~ -40db. Legend: phi_0_01 to phi_9_01. Level marks: -6db, -12db, -20db, -26db.]

Figure 6-26: Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz)

[Plot for Figure 6-27: absorption curves against Spot Frequencies (Hz). User: u02_nit; Data type: Fixed; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor: ~ -40db. Legend: nit_1_01 to nit_1_10. Level marks: -6db, -12db, -20db, -26db.]

Figure 6-27: Compound frequency absorption curves of the number '1' (x 10) - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz)

[Plot for Figure 6-28: absorption curves against Spot Frequencies (Hz). User: u02_nit; Data type: Variable; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor: ~ -40db. Legend: nit_0_01 to nit_9_01. Level marks: -6db, -12db, -20db, -26db.]

Figure 6-28: Compound frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz)

[Plot for Figure 6-29: mean absorption curves against Centre Frequencies (Hz). Legend: phi s1, phi s2, phi s3, phi s4, phi s5.]

Figure 6-29: Five mean frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz)

[Plot for Figure 6-30: mean absorption curves against Centre Frequencies (Hz). Legend: nit s1, nit s2, nit s3.]

Figure 6-30: Three mean frequency absorption curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz)


When the same two users were subjected to multiple testing sessions over a number of days, statistical mean response curves were calculated for each session, and the results are displayed collectively in Figure 6-29 and Figure 6-30 respectively. These results, along with the results for other trial participants in Section 7.3.4, present a strong case in support of the consistent and unique shape of individual user's HAT responses. It is these unique mean biometric absorption spectra which form the HAT templates.

6.2.6.2 Statistical Analysis of a HAT Template

As part of HAT template analysis, statistical calculations on sets of absorption curves were also performed, calculating mean, median and standard-deviation at each spot-frequency; an example of a statistical analysis plot is shown in Figure 6-31.

[Plot: analysis of (M)OUTH to (E)AR curves against Spot Frequencies (Hz). Legend: mean; bp mean; envelope std x 2.0. Legend rows read 27 and 100%.]

Figure 6-31 : Statistical analysis curves for a HAT capture waveform set

By comparison with the example, it was found that for the majority of cases, the mean curve (in blue) and the median curve (in green) followed almost identical paths.


Two sets of standard deviation curves were also calculated and plotted, a complete capture set (in cyan), and a band-pass¹ (bp) processed set (in magenta), producing an effective user's authentication envelope. Recall that standard deviation² (σ) is proportional to variance (σ²) and indicates how tightly a set of sample data is clustered around its mean, where:

• 68% of samples lie within 1 standard-deviation of the mean (μ-σ → μ+σ);

• 95% of samples lie within 2 standard-deviations of the mean (μ-2σ → μ+2σ);

• 99.7% of samples lie within 3 standard-deviations of the mean (μ-3σ → μ+3σ).

This operational envelope was later used to help determine system response thresholds to authentication sample data, discussed in HAT Stage-5 Thresholds (Section 6.2.5).

By inspection of the plot legend in Figure 6-31, the number of samples within two standard-deviations of the mean is shown; as both a number (column_1) and as a percentage (column_2). Bandpass values are also shown in column_3 and column_4 respectively. The higher the percentage, in each case, the tighter and more consistent the capture set, and the more unique the user's HAT signature. By observation, this example shows a very good response, with 70% of full sample sets falling within 90% of the defined envelope, and an even better 90% of bandpass processed samples. In relation to the HAT system, these figures translate into reduced false match (FMR) and false non-match (FNMR) error rates (Section 4.2.3) experienced by the user.

¹ In this context, band-pass refers to a set of data with singular sample outliers removed.

² A full explanation of statistical terms and analyses is beyond the scope of this text, and is covered extensively in literature and on the Internet (Link: Statistics).


6.3 The Head Authentication Correlation Method

The correlation method¹ of head authentication is an alternative novel way of extracting a unique biometric template from multiple audio data streams captured from points on a user's head. The technique utilises temporal (or phase) variations between discrete narrowband spectra within the audio data stream introduced by the propagation path.

The process can be broken down into five distinct stages of operation, in a similar way to the absorption method discussed previously in Section 6.2. Although Stage-1 Capture now includes some pre-processing, it is Stage-3 which essentially differs:

1. Capture multiple voice stimulated PCM audio data streams. Basic HAT² utilises two external capture points: the Mouth and the Ear. Normalise Ear waveform.

2. Filter each data stream discretely at multiple pre-selected frequencies using a high roll-off, narrowband FIR filter. Basic HAT utilises twenty-five spot-frequencies.

3. Correlation calculates the temporal variation between captured waveforms at each spot-frequency. Basic HAT compares discrete frequency pairs of Mouth and Ear.

4. Analysis of the RMS difference output, by feeding the resultant data array into a pre-trained neural-network. The training data for the HAT neural-network consisted of one of the data sets collected during the HAT field trials in Chapter 7.

5. Classification of the neural-network result by comparison with a preset authentication threshold. The HAT authentication threshold was determined during network training.

This section discusses the changes Stage-1 pre-processing and Stage-3 Correlation introduce into the HAT authentication methodology, drawing parallels where appropriate with the absorption methodology. The alternate five stages of the correlation method are shown schematically in Figure 6-32.

¹ Not generally referred to as the 'HAT correlation method' as it was not a part of the final HAT process.

² 'Basic HAT' describes the minimum operational requirements of the HAT process. The technique does however have the potential for increasing the system's resolution; see future work in Section 8.3.

[Diagram: Stage 1 Capture (Mouth); Stage 2 Filter; Stage 3 Correlation; Stage 4 Analysis (Neural-Net); Stage 5 Classification (Threshold).]

Figure 6-32 : The five discrete stages of the correlation authentication process

6.3.1 Stage-3 Correlation of Filtered Frequency Pairs

To determine the amount of temporal shift introduced into the ear-wave after propagation through the head, the correlation method sequentially cross-correlates all individual samples from each waveform. This is achieved by effectively sliding the two waveforms past each other, end to end, one sample at a time, performing a correlation at each stage (Figure 6-33).

[Diagram: Mouth Waveform and Ear Waveform passing through a Correlator.]

Figure 6-33 : Cross-correlation of Mouth and Ear waveforms

Recall that given a pair of related measures for a set of items, the correlation coefficient provides a measure of the degree to which the paired measures linearly co-vary. The correlation coefficient is usually a value between zero and one, where zero represents no detectable correlation between the two items and one represents no detectable difference.


By comparing the cross-correlation value of the mouth and ear waveforms at each stage, it is possible to determine the point at which the waveforms align, and hence determine the slippage (in samples) between the two waves. Examples of waveform offset can be seen in the correlation plots (X-Correlation) within Figure 6-38 to Figure 6-45 inclusive. By dividing the sample offset by the sampling rate it is possible to calculate the amount of slippage in actual time (Example: 50 samples = 4.5milliseconds @ 11025Hz).

[Flowchart: Stage-1 (preset filter spot frequencies; capture Mouth waveform; capture Ear waveform; normalise Ear waveform); Stage-2/Stage-3 loop (initialise filter frequency counter; set filter spot frequency; filter Mouth waveform; filter Ear waveform; cross-correlate Mouth and Ear filtered responses, stored in the HAT User Template; increment filter spot frequency counter; test "Is filter frequency greater than 4000Hz", NO branch repeats the loop); then Stage-4.]

Figure 6-34 : Modified HAT Stages flowchart - Stage-3, showing additional correlation method Stage-1 Normalisation and Stage-3 Correlation.


The modified HAT Stages Flowchart illustrated in Figure 6-34 shows Stage-3 Correlation in place of the HAT Stage-3 Absorption process. Stage-4 Analysis is not affected by the change, as the neural-network does not distinguish between an absorption value between '0' and '1' (0 - 100%) and a correlation coefficient between '0' and '1'. The flowchart also includes an additional normalisation process within the Stage-1 Capture; this is discussed in the next section.

6.3.1.1 Normalisation of the Ear Sample Waveform

For HAT to effectively identify the temporal shift introduced by the audio propagation path between voicebox and mouth and voicebox and ear through cross-correlation, it was found that the process benefited from amplitude normalisation of the ear sample to the mouth sample. Captured HAT ear samples naturally suffer, on average, 12dBs of attenuation by comparison with the mouth sample, illustrated in Figure 6-35.

[Waveform plot: Mouth Waveform; Ear Waveform.]

Figure 6-35 : Captured HAT waveform pair (Mouth & Ear) of the number '2'

Sample normalisation is considered a part of the Stage-1 Capture process and is performed in preparation for the latter filtering and cross-correlation stages.

Normalisation of the ear sample is based on a peak value analysis of the mouth sample; the processed waveform from the previous example is illustrated in Figure 6-36.


[Figure 6-36 panels: Mouth Waveform; Ear Waveform (Peak Normalised)]

Figure 6-36 : Normalised HAT waveform pair (Mouth & Ear) of the number '2'

6.3.1.2 The 4000Hz Cut-off

It was found that the correlation analysis method also suffered the same reduction in performance above around 4000Hz, as the HAT absorption method discussed in Section 6.2.6.1. In fact, not only did cross-correlation performance reduce at 4000Hz, it was found that the correlation process failed, with no discernible correlation detectable. This is clearly illustrated in the set of compound analyses plots (presented in 1000Hz increments) shown in Figure 6-38 to Figure 6-45 inclusive. The plots indicate:

• Captured Mouth sample

• Captured Ear sample

• Filter response (Spot-frequency)

• Filtered Mouth sample

• Filtered Ear sample

• X-Correlation (Sample offset)

Figure 6-37 : Legend of correlation Figure 6-38 to Figure 6-45 inclusive

By inspection, mouth-to-ear cross-correlation (X-Correlation) shows clear correlation at all frequencies up to 4000Hz, indicated by the clear central peak rising out of the non-correlation noise floor (Legend: Figure 6-37). Above 4000Hz (Figure 6-42), it can be seen correlation is lost and the resultant plot consists entirely of uncorrelated noise.


[Figure 6-38 panels: MOUTH (Captured); EAR (Captured); Filter (950-1050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-38 : HAT Analysis - Capture, Filter and Correlation @ 1000Hz

[Figure 6-39 panels: MOUTH (Captured); EAR (Captured); Filter (1950-2050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-39 : HAT Analysis - Capture, Filter and Correlation @ 2000Hz


[Figure 6-40 panels: MOUTH (Captured); EAR (Captured); Filter (2950-3050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-40 : HAT Analysis - Capture, Filter and Correlation @ 3000Hz

[Figure 6-41 panels: MOUTH (Captured); EAR (Captured); Filter (3950-4050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-41 : HAT Analysis - Capture, Filter and Correlation @ 4000Hz


[Figure 6-42 panels: MOUTH (Captured); EAR (Captured); Filter (4950-5050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples. Annotation: No correlation above 4000Hz]

Figure 6-42 : HAT Analysis - Capture, Filter and Correlation @ 5000Hz

[Figure 6-43 panels: MOUTH (Captured); EAR (Captured); Filter (5950-6050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-43 : HAT Analysis - Capture, Filter and Correlation @ 6000Hz


[Figure 6-44 panels: MOUTH (Captured); EAR (Captured); Filter (6950-7050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-44 : HAT Analysis - Capture, Filter and Correlation @ 7000Hz

[Figure 6-45 panels: MOUTH (Captured); EAR (Captured); Filter (7950-8050Hz)(n1301); MOUTH (Filtered); EAR (Filtered); X-Correlation (EAR x MOUTH). Axes: sample #, Frequency (Hz), samples]

Figure 6-45 : HAT Analysis - Capture, Filter and Correlation @ 8000Hz


6.3.2 Correlation Analysis

The correlation template is the unique shape (pattern) contained within the ear-to-mouth correlation offsets (time slippage) of an individual user, and is controlled by:

• the system spot-frequencies discussed in HAT Stage-2;

• the shape and consistency of individual user's mouth-to-ear correlation offset response, as a number in samples, at each spot-frequency.

The theory behind the approach was to utilise the principles discussed in Section 5.3.1, where the speed of propagating sound waves in matter is dependent on the frequency of the propagating waves and the fundamental properties of the medium. Combined with the unique audio spectrum of the user's voicebox, the heterogeneous bio-matter of their head (Figure 5-6) uniquely shapes spot-frequency timings as illustrated in Figure 6-46.

[Figure 6-46 plot: timing variation curves phi_0_01 to phi_9_01 against Spot Frequencies (Hz). User: u01_phi; Data type: Variable; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor ~-40db]

Figure 6-46: Compound timing variation curves of the numbers '0' to '9' - HAT trial user 'u01_phi' (100Hz < bw < 8000Hz)
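The Stage-1 normalisation, Stage-2 filtering and Stage-3 cross-correlation loop of Sections 6.3.1 and 6.3.2 can be reproduced as follows. This is an added example, not code from the thesis: the tap count, lag window, choice of four spot frequencies and the synthetic mouth/ear pair (with per-band delays chosen here) are all assumptions.

```python
import math
import random

FS = 11025                             # sampling rate from the thesis example (Hz)
SPOT_FREQS = [1000, 2000, 3000, 4000]  # assumed subset of spot frequencies, up to the 4000Hz cut-off
BANDWIDTH = 100                        # filter bandwidth in Hz, e.g. 950-1050Hz
TAPS = 65                              # assumption: far shorter than the thesis filter, to keep pure Python fast
MAX_LAG = 80                           # assumed search window for the slippage, in samples


def bandpass_taps(centre_hz, fs=FS, bandwidth_hz=BANDWIDTH, taps=TAPS):
    """Hamming-windowed sinc band-pass FIR; symmetric, so centred filtering adds no delay."""
    lo = (centre_hz - bandwidth_hz / 2) / fs
    hi = (centre_hz + bandwidth_hz / 2) / fs
    mid = (taps - 1) // 2
    h = []
    for k in range(taps):
        n = k - mid
        if n == 0:
            ideal = 2 * (hi - lo)
        else:
            ideal = (math.sin(2 * math.pi * hi * n) - math.sin(2 * math.pi * lo * n)) / (math.pi * n)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * k / (taps - 1))))
    return h


def fir_filter(x, h):
    """Stage-2: 'same'-length convolution of record x with taps h (zero outside the record)."""
    mid = (len(h) - 1) // 2
    size = len(x)
    out = []
    for n in range(size):
        acc = 0.0
        for k, hk in enumerate(h):
            i = n - k + mid
            if 0 <= i < size:
                acc += hk * x[i]
        out.append(acc)
    return out


def peak_normalise(ear, mouth):
    """Stage-1: scale the ear record so that its peak equals the mouth record's peak."""
    gain = max(abs(v) for v in mouth) / max(abs(v) for v in ear)
    return [v * gain for v in ear]


def slippage(mouth_f, ear_f, max_lag=MAX_LAG):
    """Stage-3: lag in samples of the cross-correlation peak (positive: ear lags mouth)."""
    size = len(mouth_f)
    best_lag, best_val = 0, float("-inf")
    for lag in range(-max_lag, max_lag + 1):
        start, stop = max(0, -lag), min(size, size - lag)
        val = sum(mouth_f[n] * ear_f[n + lag] for n in range(start, stop))
        if val > best_val:
            best_lag, best_val = lag, val
    return best_lag


def correlation_template(mouth, ear, spot_freqs=SPOT_FREQS):
    """Normalise, then filter and cross-correlate at each spot frequency; offsets in samples."""
    ear = peak_normalise(ear, mouth)
    template = []
    for f in spot_freqs:
        h = bandpass_taps(f)
        template.append(slippage(fir_filter(mouth, h), fir_filter(ear, h)))
    return template


def samples_to_ms(offset, fs=FS):
    """Convert a sample offset to milliseconds by dividing by the sampling rate."""
    return 1000.0 * offset / fs


# Constructed input (not thesis data): per-band delays in samples for the synthetic ear record.
CONSTRUCTED_DELAYS = {1000: 12, 2000: 25, 3000: 37, 4000: 50}


def make_constructed_pair(delays=CONSTRUCTED_DELAYS, seed=1):
    """Mouth = zero-padded noise burst; ear = its bands, each delayed differently, 12dB down."""
    rng = random.Random(seed)
    mouth = [0.0] * 256 + [rng.uniform(-1.0, 1.0) for _ in range(512)] + [0.0] * 256
    ear = [0.0] * len(mouth)
    for f, d in delays.items():
        band = fir_filter(mouth, bandpass_taps(f))
        delayed = [0.0] * d + band[:len(band) - d]
        ear = [e + b for e, b in zip(ear, delayed)]
    atten = 10 ** (-12 / 20)
    return mouth, [e * atten for e in ear]


if __name__ == "__main__":
    mouth, ear = make_constructed_pair()
    for f, off in zip(SPOT_FREQS, correlation_template(mouth, ear)):
        print(f"{f}Hz: {off} samples = {samples_to_ms(off):.2f} ms")
```

The list returned by `correlation_template` is the per-spot-frequency offset pattern that Section 6.3.2 calls the correlation template; on real captures the peak is only as sharp as the correlation plots in Figure 6-38 to Figure 6-45 allow.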


By inspection of the plots Figure 6-46 and Figure 6-47, although there was some evidence of capture set correlation, using the same users and numerical stimuli as previously in Figure 6-26 and Figure 6-28, there was less evidence of unique individual user behaviour when compared to the (mouth-ear) absorption method. In addition, individual curves exhibited less consistent behaviour (compared to absorption plot curves), resulting in higher standard-deviation figures and broader statistical variance.

[Figure 6-47 plot: timing variation curves nit_0_01 to nit_9_01 against Spot Frequencies (Hz). User: u02_nit; Data type: Variable; Sampling: 22050Hz; Bandwidth: <8000Hz; Noise floor ~-40db]

Figure 6-47: Compound timing variation curves of the numbers '0' to '9' - HAT trial user 'u02_nit' (100Hz < bw < 8000Hz)

As a consequence of the negative aspects exhibited by this approach and the more promising results of the absorption analysis approach, correlation analysis was subsequently discarded as the first choice HAT analysis technique and not pursued beyond comparative evaluation with the chosen absorption method.

HAT exclusively adopts the absorption analysis method, with correlation analysis not considered further within the thesis beyond a mention in Section 8.3 on future work.


6.4 Conclusion

Following on from the conceptual discussions defining the HAT development pathways, this chapter introduced and discussed in depth the methodology behind the final HAT authentication process, along with a complete systematic breakdown of the five stages that define HAT's interpretation of a head authentication system:

• Capture of biometric audio waveform pairs from a user.

• Filter of audio waveform pairs at discrete spot-frequencies.

• Absorption comparison of discrete waveform spectra defining a HAT template.

• Analysis of the HAT absorption template within a neural-network.

• Classification of the neural-network output through threshold comparison.

The chapter identified and explained the fundamental differences between the two main biometric analyses techniques borne out of the HAT development process: the absorption technique, and the correlation technique. After discussing the advantages and disadvantages of both techniques, the better performing absorption technique was selected in preference to the correlation technique and forms one of the two novel aspects of the research, namely:

• The HAT method of biometric capture.

• The HAT absorption method of biometric analysis.

The next chapter focuses on an extended proof of concept of the HAT absorption technique through a series of trials involving a diverse group of volunteers: to enable the trials, a HAT demonstration tool was conceived and developed. Along with a description and walkthrough of the HAT demonstration tool, the HAT trials results are presented and discussed in detail.


Chapter 7 : Evaluation of the Head Authentication Technique

Chapter 7

Evaluation of the Head Authentication Technique


7 Evaluation of the Head Authentication Technique

As there is no precedent for the novel head authentication ideas introduced in Chapter 5 or the resultant HAT authentication methodology presented in Chapter 6, it is an essential part of the research to demonstrate proof of concept. This chapter presents an extended proof of concept of the Head Authentication Technique through use of a HAT demonstration tool, enabling a set of controlled trials.

The chapter is divided into two sections: an introduction and overview of the custom designed HAT demonstration tool and its usage; and an outline of the HAT field trials utilising the demonstration tool, involving a discussion on the field trial results. The chapter concludes by introducing the research conclusions on the HAT authentication process, which are discussed in depth in Chapter 8.

7.1 Introduction

In order to prove the Head Authentication Technique outside of its artificially controlled and ideal research environment, a robust HAT demonstration tool was developed to enable a set of field trials for the technique. The HAT demonstration tool was in fact an evolution of an experimental research platform originally conceived to test the viability of a number of original ideas, many of which did not make it beyond conception. Once the fundamental principles of head authentication were established (Section 5.3), two variations on the basic technique emerged that showed consistent promise throughout initial testing; these were the absorption method, discussed in Section 6.2, and the correlation method, discussed in Section 6.3. These two HAT Stage-3 Analysis methods were developed in parallel for the majority of the research, and a preferred method only selected in the final stages of the demonstration tool development¹. The single method eventually selected for the HAT demonstration tool was the absorption method, which was not only providing more consistent results, but also proving easier to process within evolving software analysis tools.

By the time the HAT trials were performed, the demonstration tool had developed far beyond a highly specialised experimental research platform requiring intimate knowledge of the research, into a user friendly tool incorporating an audio headset managed by a generically styled Microsoft Windows application (Section 7.2.2.2). The HAT demonstration tool requires no specialised knowledge of the PhD research, and only minimal understanding of the authentication methodology and processing performed by the tool; in fact, the tool includes a simple wizard to guide users through the registration and authentication processes.

The HAT trials were performed over two sessions, separated by a period of at least 24 hours, in an attempt to acknowledge some aging of the biometric templates. Twenty trial volunteers were selected to represent a diversity of:

• sex: in Chapter 5 Figure 5-12 it is illustrated how the male and female vocal ranges can differ by up to 100Hz;

• age: (ranging from 24 to 64 years), in Chapter 5 Figure 5-1 it is illustrated how the human auditory range varies with age;

• nationality: to demonstrate that the HAT process is language independent, utilising variations in sound, not comprehension, for its biometric markers.

¹ Although combining the absorption and time-slip methods was considered, further experimentation into multimodal biometrics was considered beyond the scope of the project; see future work in Section 8.3.


7.2 The HAT Demonstration Tool

The HAT demonstration tool is a non-intrusive authentication platform developed to demonstrate and evaluate the principles of the Head Authentication Technique. The tool combines a specially configured hardware headset, henceforth called the HAT Headset, with a proprietary Microsoft Windows software application, henceforth the HAT Application. The tool was developed out of an experimental test-bed for the many head authentication ideas proposed at the beginning of the research and discussed in Chapter 5. The tool was later modified for general use in a series of HAT trials.

7.2.1 The HAT Headset

An integral part of the HAT demonstration tool is the custom designed headset which collects the audio waveform sample pairs for processing by the software element of the tool. Although similar in appearance to a standard lightweight computer headset, critically the HAT headset replaces the ear transducer with a suitable high quality lavalier¹ microphone, as shown in Figure 7-1.

[Figure 7-1 label: Replacement Microphone]

Figure 7-1 : The replacement ear microphone of the HAT Headset

¹ A lavalier (tie-clip) microphone was selected for its compact size and optimised voice characteristics.


As a HAT authentication template is dependent upon the calculated variance between mouth- and ear-captured waveforms (basic HAT), it was also decided to replace the mouth microphone with a matching high quality voice microphone to ensure that the hardware itself did not contribute any variance of its own into the HAT template.

The HAT headset replacement microphones were high quality electret¹ lavalier microphones (Figure 7-2), selected for their:

• excellent frequency response; covering the full vocal range;

• high sensitivity; for use with the low amplitude ear waveform;

• diminutive size; for use in a headset without adding additional bulk or weight.

[Figure 7-2 label: Lavalier Microphone]

Figure 7-2 : A HAT headset high-quality electret lavalier microphone

The technical specifications of the HAT lavalier microphones are shown in Table 7-1.

Type: Electret
Polar response: Omni
Frequency response: 50 to 16KHz
Impedance: 600 ohms
Sensitivity: -64dB
Lead/plug: 6m/6.35mm jack²

Table 7-1: Technical specifications of the HAT headset microphones

¹ Electret microphones are an FET driven variation on the classic condenser microphone.

² The microphone is powered by an LR44 power cell contained within the jack-plug.


As the replacement lavalier microphones of the HAT headset are not standard computer peripherals, they do not naturally interface with a typical computer setup. Combining this issue with the need for good quality amplification to match the performance of the microphones, a small booster amplifier was purchased which could interface directly with the line input of a computer soundcard¹, illustrated in Figure 7-3.

[Figure 7-3 labels: HAT Headset; Laced microphone cables; Booster Amplifier; 3.5mm Jack plug; Mouth & Ear]

Figure 7-3 : The hardware composing the HAT Headset

Although the HAT headset uses identical microphones for the capture of both the mouth and ear waveforms, the operational principles behind microphones and transducers are not fundamentally different and it is not inconceivable to imagine a development of the headset using a suitably modified ear transducer for capture of the ear wave, enabling the ear-piece to also remain active as a speaker. Although this would introduce a variation in the resultant mouth to ear hardware responses, and timing of authentication cycles would depend on fast switching of the ear transducer from transmit to receive at appropriate intervals, both of these issues could be compensated for in software.

¹ The HAT development PC utilised a high quality Creative SoundBlaster Audigy-2 soundcard.


7.2.2 The HAT Application

The HAT Application is the software element of the HAT Demonstration Tool. It is a Microsoft Windows application developed initially as part of an experimental research platform to explore the potential of the various approaches to head authentication discussed in Chapter 5, and later modified as a part of the HAT demonstration tool to manage the registration and authentication of users in a HAT based authentication system.

The HAT Application is an evolution of a number of individual HAT developmental software tools discussed in Section 7.2.2.1. It has the ability to demonstrate empirically all of the stages of the HAT process, either discretely or in sequence as part of a full HAT processing cycle. Underneath the user friendly graphical interface optimised for use in the HAT trials, discussed in Section 7.3, is a powerful HAT research tool capable of displaying graphical outputs of each individual stage of the HAT process.

7.2.2.1 Foundations of the HAT Application

It was realised early on in the research that although the majority of the analytical work could be modelled within established research tools such as Mathsoft Matlab, all of the head authentication concepts under investigation required similar biometric capture procedures. To establish a common capture procedure and automate the capture process, a software tool was developed to interface with the HAT Headset, efficiently capturing and storing multiple biometric samples from volunteers; this first tool was called a 'Collector'. In common with all subsequent HAT software developments, the first Collector was developed in Microsoft Visual Basic owing to the programming language's speed of development. An example of an early software collector was termed the 'Correlation Authentication Rig' (CoAuR): a view of this application's main operational window (v.C10) is shown in Figure 7-4.

[Figure 7-4 screenshot: CoAuR Collector main window with File, Tools and Help menus, Working Directory browser, User Name field, Levels display, and Setup and Exit buttons]

Figure 7-4 : Correlation Authentication Rig - Collector

As the basic head authentication principles were established (Section 6.1), and the two chosen analytical methodologies (absorption and correlation) emerged, a further software tool was developed to link with Matlab and automate many of the time consuming steps of the analysis process; this tool was called an 'Analyser'. Although Microsoft Visual C was considered for development of the Analyser due to its improved execution speed (compared to Visual Basic), this advantage was unrealisable as the complex analytical HAT Stages were retained within Mathsoft Matlab.

The matching CoAuR analyser (v.A8) for use with the Collector in the previous example is shown in Figure 7-5. By inspection of the Analyser interface, note that:

• the analyser example is a correlation (time-slippage) analyser (Section 6.3);

• the sampling rate is 44100Hz, later refined to 11025Hz (Section 6.2.6);

• ear-waveform normalisation is active and set to 95% (Section 6.3.1.1);

• the experimental bandpass filter being applied to spot-frequencies (Section 6.2.1.3).


[Figure 7-5 screenshot: CoAuR Analyser window with File, Tools and Help menus, Working Directory browser, Open Wavefile list, Wavefile Statistics (PCM wavefile, stereo, sampling rate 44100 Hz), Active Wavefile, Normalise (Amplitude), Time Slip, Correlation Index (Reference), Correlation Index (Processed), and Load, Process and Exit buttons]

Figure 7-5 : Correlation Authentication Rig - Analyser

As the research progressed and refined the chosen head authentication technique into what became known as the HAT process, the software tool(s) were developed in parallel, eventually being merged into a single application, the HAT Application, an example of which (v.C13.5) is shown in Figure 7-6.

By inspection of this revised layout, it can be seen that the tool now includes both the collector (renamed 'Train') and the analyser (renamed 'Identify') functionality of the previous tools. Later development of the HAT Application focused on optimising the GUI for minimal technical impact in preparation for the HAT trials (Section 7.3); removing discrete buttons to a toolbar and internal adjustments to menu triggered child-frames.

By comparing these developmental examples (CoAuR Collector in Figure 7-4; CoAuR Analyser in Figure 7-5; HAT Application in Figure 7-6) with the HAT Application window in Figure 7-7, the provenance of the HAT Application is clearly demonstrated.


[Figure 7-6 screenshot: "Head Authentication Tool [Main]" window with Tools menu entries (Identify, Setup Hardware, Specifications, Reset HAT), user name, Sex, age group and Language options, and Setup, Review, Identify, Train and Exit buttons]

Figure 7-6 : Early example of the HAT Application

7.2.2.2 Navigating the HAT Application Interface

For the novice user, the HAT Application essentially performs two functions:

• Registration of new users (Section 7.2.2.3).

Registration involves Capture, Analysis and training of a new neural-network to add to the system user base.

• Authentication of existing users (Section 7.2.2.4).

Authentication involves Capture, Analysis and processing within an existing neural-network in order to verify the claimed identity of the current user.

The annotated HAT Application window is shown in Figure 7-7, during a HAT Stage-1 Capture cycle. In addition to the fairly self explanatory layout, the application interface adopts familiar Microsoft Windows conventions through use of menus, toolbars, progress-bars etc., taking advantage of user's established learnt behaviour from other Windows applications.


[Figure 7-7 annotated screenshot: HAT Demonstration Tool main window with File, Tools and Help menus, toolbar, Working Directory, activity indicator ("Recording..."), User Name, Identify and Train progress-bars, and a 0 to 100 confidence scale]

Figure 7-7 : The HAT Application main interface during a HAT Capture cycle

Q The 'live' main window toolbar provides easy access to all of HAT's primary functions, without the need to enter the tool's menus; illustrated below.

[Toolbar icons: Identify, Capture, Network, Review, Set MDI, Exit]

• Identify: Authenticate the current user.

• Capture: Register a new user.

• Network: Build a new neural-network (automatic as part of Capture).

• Stop: Stop the current process.

• Review: Review ALL of the HAT Application settings in one screen.

• Set MDI: Adjust the capture hardware settings (PC soundcard).

• Exit: Exit the HAT Application.

The availability of individual HAT toolbar elements is dynamically controlled by the active process.


© The path to the HAT working directory containing the HAT Application executable and additional HAT resources: HAT.ini etc.

O The HAT activity indicator constantly reports the operational state of the tool.

© A user can either manually enter a new user name for registration, or conveniently select their name from the static pull down list of included HAT trial participants.

© A small selection of the active user's demographic data; also saved as 'user_id.txt' for each user. The 'language' option is the captured language not the user nationality.

© The tool's central display window is used to prompt the user with example text to speak during a capture cycle, or random text during an authentication cycle.

© The HAT capture progress-bar (green) indicates the progress of a HAT Stage-1 Capture (Section 6.2.1), working in tandem with the timing-bar ©.

© The HAT waveform validation progress-bar (yellow) indicates the progress of the amplitude validation cycle performed on each new waveform.

© The HAT filter progress-bar (light-blue) indicates the timing of the HAT Stage-2 Filter (Section 6.2.1.3), HAT Stage-3 Absorption (Section 6.2.3) processing loop.

© The HAT analysis progress-bar (dark blue) indicates the progress of the HAT Stage-4 Analysis (Section 6.2.4) using the HAT neural-network (Section 6.2.4.1).

© The timing-bar is used to prompt the user when to speak during Capture or Identify cycles: 'green' indicates when to speak and 'red' when to wait.

© The current operation progress-bar indicates the progress of the complete active operation: for example, the five stages of an authentication cycle (Section 6.2).

O The identity confidence-bar is used to indicate HAT's confidence in the claimed identity of the active user in four steps: 0, 25%, 50, 75% & 100%. Each step increment indicates either a passed or failed authentication cycle.

© The auxiliary progress-bar is used to indicate the progress of en-masse operations; for example, HAT Stage-4 Analysis of ALL the HAT trial participants.


In addition to the visual improvements to the application interface, all of the application's important internal settings can be adjusted through use of the extensive tabbed Options screens accessed via the Tools menu. The four primary settings tabs are shown in Figure 7-8 (a complete list is shown in the HAT manual in Appendix F) and cover:

• Wavefile format: Channels, Sampling rate and bps (Section 6.2.1.2).

• Wavefile validation: Minimum and maximum capture amplitudes and tolerance.

• Spectral analysis: Spot-frequency, filter coefficients, bandwidth (Section 6.2.2.1).

• Neural-network: Default analysis set, target error rate, epochs (Section 6.2.4.1).

[Figure 7-8 screenshots: four views of the HAT Options dialog showing the Wavefile (PCM Wavefile Format), Validation (Wavefile Validation), Spectral Analysis and Neural Network tabs; further tabs: View, Advanced]

Figure 7-8 : HAT Application tabbed options frames


A complete set of help screens is also available within the HAT Application via the Help menu (see the example in Figure 7-9), covering the most important aspects of the HAT process, including full step-by-step instructions on the usage of the HAT Application during each stage of the registration or authentication process.

[Figure 7-9 screenshot: HAT Help window with a contents tree (HAT Overview, HAT Setup, Using HAT to..., Support) and the "HAT Introduction" page, which reads: "The HAT Application is the software element of the HAT demonstration tool. The tool harnesses a novel biometric capture and analysis process to enable the non-intrusive and continuous authentication of users of modern communications systems. HAT's development is part of a PhD into Novel Authentication Systems for Next Generation Mobile Devices, in association with Orange, and the University of Plymouth, Network Research Group. The HAT Application GUI is written in Microsoft Visual Basic v6.0. Core functionality, including: Spectral Analysis, Neural Network training and Identification are performed via MathWorks Matlab."]

Figure 7-9 : HAT Help menu example - HAT Introduction

The HAT Application includes various resource files, designed to minimise the need for recompiling the source code every time settings are changed. The options include:

• HAT.ini: Primary HAT start-up settings (see Appendix F).

• HAT_Spoken.txt: Textual prompts for HAT Stage-1 Capture cycle.

• HAT_CnFq.txt: Pre-selected filter spot-frequencies (Section 6.2.1.3).

• Users.txt: HAT Trial participants' names (see Section 7.3).


7.2.2.3 Registering a New User

In order to be authenticated by the HAT demonstration tool, a user must first register with the system. The registration process involves capturing a selection of phonetically diverse sounds which, for user convenience, are selected from the familiar set of alphanumeric characters¹. The HAT Application then performs the HAT process (Section 6.2) to realise the user's unique biometric template and neural-network map.

What follows is an explanation of the HAT Application registration process for use by a new user, with reference to the application window in Figure 7-7:

Step 1: Set the HAT Path

Open the HAT Application and select the main HAT directory, containing the HAT executable and resources, in the drive selection window © .

Step 2: Select the Capture Mode

Enter the Tools>Capture Mode menu and select the type o f capture mode required; the default setting is 'Capture and Analyse'. The default setting is also conveniently available via the shortcut CTRL+K, prompting 'Capture Mode - FULL' in the activity bar © .

Step 3: Identify a New User

To identify a new user to the system, enter a username within the field © and complete the user demography section ©. If a user is recognised by the system, their new capture data is augmented with their previous data to strengthen the existing user profile. If a user is not recognised by the system, a new account is set up (a new 'Output' directory is created).

¹ Although HAT prompts users for alphanumeric characters during registration, recall that the HAT process is not dependent on 'what is said', but 'how it is said' and 'how it is affected' by the head.


Step 4: Review Settings (Optional)

Select the Review icon in the HAT Application toolbar O and conveniently review the complete application settings.

[Figure 7-10 screenshot, view 1 - HAT Review: Review HAT Settings]

Operational Modes: Capture Mode: Full; Build Network Mode: Full

User Details: User Name: John Doe; User Sex: Male; Capture Language: English; User Age group: 20 - 34

Wavefile Format: Naming Syntax: joh_#_##; Coding Format: PCM; Capture Channels: 2; Sampling Rate: 11025 Hz; Bits-Per-Sample: 16

[Figure 7-10 screenshot, view 2 - HAT Review: Review HAT Settings]

Capture Validation: Validation Mode: Half; Validation Detection: 10%; Validation Amplitude: 40%; Min Valid Peaks: 4%; Clipping Amplitude: 951; Max Clipping Peaks: 18

Spectral-Analysis (Filter): Signature Nodes; Polynomial Terms (n); Bandwidth; Show Signatures

Neural-Network: Identify Set(s); Identify Set Type

Figure 7-10 : HAT Application settings review frame (two views)

Step 4: Try a Simulation (Optional)

It is recommended that new users try the user simulation within the Help>Simulation menu option. The process will help familiarise a new user with the HAT capture process, minimising bodily tension due to psychological apprehension during a genuine capture cycle. The simulation precisely mimics a genuine capture cycle, responding appropriately to the relevant settings within the options screens.

Step 5a: Check the HAT Headset Hardware

Check that the HAT headset hardware is correctly connected (Figure 7-3) and that there are two good power cells¹ in the microphone jack-plugs.

¹ Each microphone jack-plug requires a single LR44 power cell.


Step 5b: Position the HAT Headset

Position the HAT Headset comfortably on the head ensuring that the ear microphone is positioned centrally over the pinna of the outer ear (Figure 5-2), in line with the ear canal, and with the mouth microphone positioned vertically central and horizontally offset from the centre of the mouth, to minimise breathing pickup.

Step 6: Capture

Press the 'Capture' button on the HAT toolbar © and follow the comprehensive onscreen instructions: the HAT Application will prompt the user to speak up to twenty pseudo-random alphanumeric characters. Having performed a simulation (Step 4) the process should be familiar to the user, minimising any unnecessary body or voice tension.

[Figure 7-11 screenshot: Validation Report plotting the mouth waveform and ear waveform against the clipping, validation and detection amplitude levels, with a validated-samples breakout and a registration progress bar; readout: Valid 25.2%, Clipped 0.3%; status: Validation Complete.]

Figure 7-11 : HAT Application - Stage-1 Capture and validation plot


After each individual capture, the application will validate the samples according to the settings in the validation options tab (Figure 7-8) to guarantee their suitability for use by the HAT Application before entering the time-consuming HAT analysis stages. This is also a useful feedback mechanism, indicating to the (new) user 'when' and 'how loud' to speak for optimum tool performance. Upon completion of the waveform validation cycle the application presents the user with a graphical output similar to the one shown in Figure 7-11. By inspection of the figure, it can be seen that for the example shown:

• All of the spoken samples exceed the detection value (see the breakout box).

• 25.2% of the samples are validated within tolerance (the requirement was 4%).

• 0.3% of the samples experienced clipping (the requirement was <1%).

Upon completion of the HAT Stage-1 Capture process, the tool will automatically enter the HAT Stage-2 Filter (Section 6.2.2), HAT Stage-3 Absorption (Section 6.2.3) processing loop and calculate the unique HAT absorption template for the data set.

[Figure 7-12 screenshot: HAT Demonstration Tool main window showing the Absorption Report, plotted on an amplitude axis against a spot-frequency axis; status: Absorption Complete, HAT Stage-4 Analysis (in progress).]

Figure 7-12 : HAT Application - Stage-3 Absorption plot of a user's waveform pair


The HAT absorption template is then briefly displayed within the HAT Application main window¹, as illustrated in Figure 7-12². The HAT template visual was not designed for analytical purposes but solely as a useful real time indicator, for the user, that the capture and analysis hardware and software are functioning correctly (up to and including HAT Stage-3).

The HAT Application will then enter Stage-4 Analysis mode © and feed the biometric absorption spectrum matrix into the HAT neural-network (Section 6.2.4.1), along with all of the other registered system users' templates: the new user is identified to the network as 'Good' and everyone else is identified as 'Bad'.³

Finally the new user neural-network map will be used along with additional user data sets⁴ to determine the network owner's authentication threshold for use in Section 7.2.2.4.

In an ideal scenario the authentication threshold of the neural-network would be '1' (one), whereby the network owner always realises a perfect template match and impostors always produce '0' (zero). The reality is somewhat different, however. Recalling the previous discussion on biometric markers in Section 4.2.2 'Factors Affecting Biometric Systems', and in order to minimise the FMR and FNMR (Section 4.2.3), the authentication threshold will actually exist somewhere in the range: 0 < Threshold 1.

The HAT registration process takes approximately 3 minutes for the capture and another 5 minutes for the analysis (within a user base of twenty users).

¹ The visibility of the HAT template display can be set within the HAT options 'View' tab.

² The displayed HAT template is for illustration purposes only: each HAT template is actually unique.

³ HAT Stage-4 Analysis is ported to Matlab, acknowledged by the inclusion of the Matlab icon.

⁴ The HAT demonstration tool requires a minimum of two data sets (or capture runs) for authentication.


7.2.2.4 Authenticating an Existing User

Once a user has been registered with the demonstration tool it is possible for HAT to provide a means of continuous identity verification for that user in the future.

What follows is an explanation of the HAT Application authentication process for use by a registered user, with reference to the application window in Figure 7-7:

Step 1: Set the HAT Path

Open the HAT Application and select the working directory, containing the application executable and resources, in the drive selection window Q.

Step 2: Identify Yourself

The HAT demonstration tool currently operates as an authentication system (Section 4.2.4), in contrast to an identification system. The user must therefore first provide a claimed identity for the demonstration tool to verify. Identifying oneself to the HAT Application is a straightforward case of entering the same username as was originally used for registration, within the field ® and completing the user demography section ©.

[Figure 7-13 screenshot: the username field's pull-down list of registered HAT trial users.]

Figure 7-13 : HAT Application - Registered HAT trial users pull-down list

If the registered user was part of the trials to be discussed in Section 7.3, then their name will already be contained within the convenient pull down list contained under the down-arrow in the username field ®, illustrated in Figure 7-13.

Step 3: Review Settings (Optional)

Select the Review icon in the HAT Application toolbar Q and conveniently review the complete application settings as illustrated in the example in Figure 7-10.

Step 4: Try a Simulation (Optional)

New users may wish to try the authentication simulation under the Help>Simulation menu option. In a similar way to the capture simulation, the identify¹ simulation precisely mimics a genuine authentication cycle, responding appropriately to the relevant settings within the options screens.

Step 5a: Check the HAT Headset Hardware

Check that the HAT headset hardware is correctly connected (Figure 7-3) and that there are two good power cells² in the microphone jack-plugs.

Step 5b: Position the HAT Headset

Position the HAT Headset comfortably on the head ensuring that the ear microphone is positioned centrally over the pinna of the outer ear (Figure 5-2), in line with the ear canal, and with the mouth microphone positioned vertically central and horizontally offset from the centre of the mouth, to minimise breathing pickup.

¹ The naming of the authentication process 'identify' does not imply the process is identification. The identify process remains strictly identity verification; the authentication of a claimed identity.

² Each microphone jack-plug requires a single LR44 power cell.

Step 6: Identify

Press the 'Capture' button on the HAT toolbar Q and follow the comprehensive onscreen instructions: the HAT Application will prompt the user to speak a random alphanumeric character. Having already registered with the system (and performed a simulation) the process will be familiar to the user.

After each individual capture, the application will validate the samples according to the settings in the validation options tab (Figure 7-8), following the same process that is used for registration, producing a similar output to the one illustrated in Figure 7-11.

The application will then cycle through the HAT Stage-2 Filter (Section 6.2.2), Stage-3 Absorption (Section 6.2.3) process loop generating the HAT template (Figure 7-12).

[Figure 7-14 screenshot: HAT Demonstration Tool main window showing the Matlab neural analysis bar plot with the best match marked (green: authenticated; red: impostor), the 'Identify' confidence-bar scaled 0 to 100, and the status 'All HAT processing stages complete'.]

Figure 7-14 : HAT Application - Stage-4 (neural-network) Analysis plot


The HAT template is presented to the stored neural-network of the claimed user and the output compared with the authentication threshold associated with their private network, producing the graphical output shown in Figure 7-14. The plot shows the result of feeding the current user's template into each registered user's neural-network (from the HAT trials); the tallest bar indicating the best match. In this example, the tallest bar is coloured green, indicating that the current user was also the best match and passed threshold authentication (with the value indicated). As authentication was successful, the HAT 'Identify' confidence-bar O is incremented by 25%. If the value had been less than the authentication threshold, then the identify confidence-bar would have decreased by 25%.

7.2.2.4a The HAT 'Identify' Confidence-bar

The 'Identify' Q confidence-bar, illustrated in Figure 7-15, was included in the HAT Application as a soft authentication response mechanism. It is acknowledged that when performing biometric authentication, there is always an element of inherent uncertainty associated with every biometric sample; the confidence-bar was implemented to reduce the effects on the system FMR and FNMR. In essence, a single authentication failure within a continuous authentication system is of minor consequence and the confidence-bar reflects this, buffering such singular errors. As the confidence-bar is initialised at 50%, or mildly confident, it would take two initial authentication failures for the system to flag a warning, as would be expected when in practice authentication successes of a correctly configured system should outnumber authentication failures.

[Figure 7-15 screenshot: the 'Identify' confidence-bar, scaled to 100 and reading Confidence 50%.]

Figure 7-15 : HAT Application - Identify confidence-bar

7.3 The HAT Trials

The development of the HAT process, including the initial proof-of-concept and early experimental work evaluating the absorption and correlation analysis methods, was based on various biometric templates captured from a small sample group of five volunteers. Once the viability of HAT had been established within this control group, a set of trials was proposed involving a set of twenty volunteers (four times the original sample group) to investigate the technique's potential within a wider population; these were called the HAT trials.

The HAT trials can be broken down into four distinct stages of operation, which are identified below and discussed in the following sub-sections:

• Preparation: Preparation for the trials, including establishing the trials format and readying the HAT demonstration tool for general use.

• Selection: Selection of the trial volunteers.

• Conduct: Conduct the trials.

• Analysis: Analysis of the HAT trials results.

7.3.1 Preparation for the Trials

Preparation for the trials involved first establishing their format. It was decided to select a sample group of twenty volunteers: a number large enough to pose a suitable challenge to the HAT process and realise a useful set of qualitative results beyond the small developmental control group, and yet not too large as to require a long period of time or overload the design of the current HAT demonstration tool (including practical issues such as the robustness of the only modified HAT Headset and the inherent technical capacity of the HAT Application¹ not originally designed for large scale use).

¹ The HAT Application (v.15) compares ALL registered users during HAT Stage-4 Analysis. Although this is acceptable for twenty users, it would eventually become impractical as the user base increased.

Modifications to the HAT demonstration tool included both the hardware headset and the software application. The headset required strengthening for extended use, including lacing of microphone cables and the purchase of robust signal cables and plugs for the 40+ trial sessions without fear of compromising the trial process due to faulty hardware.

The HAT Application is covered in depth in the previous section (Section 7.2.2), including the extensive redesign and modifications the HAT Application underwent for use in the trials; accounting for around 3 months additional development time on top of the application's 6 month development cycle.

7.3.2 Selection of the Trial Volunteers

The HAT trial group was selected to represent as diverse a group of people as could realistically be represented by twenty volunteers, and included diversity of:

• Sex: in Chapter 5 Figure 5-12 it is illustrated how the male and female vocal ranges can differ by up to 100Hz.

• Age: ranging from 24 to 64 years; in Chapter 5 Figure 5-1 it is illustrated how the human auditory range varies with age.

• Nationality: predominantly English speakers, though including some foreign nationals to demonstrate how the HAT process is language independent, utilising variations in sound, not comprehension, for its biometric markers.

The volunteers were pooled from a variety of disciplines from within the hosting University (including students and lecturers), and external to the University (including: professional and non-professional workers) to represent a fair cross section of society.

All non-English trial participants spoke English as a second language, and for consistency all participant registration was conducted in English for the two primary sessions; and in a native tongue for a third session. For a complete list of participant and trial session statistics, see the HAT trials timetable in Appendix G.


7.3.3 Conducting the Trials

The trials were conducted over two sessions: the first session being used to register the user's HAT Stage-4 neural-networks, and the second session to test the neural-networks and calculate the HAT Stage-5 (authentication) Thresholds. The sessions were separated by a period of at least 24 hours, to accommodate any short term aging of the biometric template. Like all biometric authentication systems, HAT is susceptible to the variabilities of the host's daily life: their age, mood, diet etc. can all have an effect on the composition of the bio-matter in the user's head (Section 4.2.2)¹.

The individual trial sessions were passively supervised within a controlled environment, where participants were insulated from excessive extraneous noise (Section 6.2.1.3) and unwarranted interruptions. After a brief introduction to the HAT Headset and Application, including a simulated registration run (Section 7.2.2.3: Step-4), participants commenced the user-managed HAT registration process, taking approximately 3 minutes to complete. As the HAT Application's default Stage-4 Analysis is configured to use all twenty trial participants' biometric templates to construct the individual user's neural-networks, the trial sessions were conducted with the application in Capture Only² mode: HAT Stage-4 Analysis was performed en masse³ upon completion of trial session 1, and Stage-5 Thresholds calculated en masse upon completion of trial session 2.

7.3.4 HAT Trials Results

A selection of the trial results are presented graphically in the following sub-sections, from two distinct stages of the HAT process: Stage-3 Absorption (Section 6.2.3) producing the HAT template(s); Stage-4 Analysis (Section 6.2.4) producing the neural-network(s).

¹ The long term management of the HAT templates is the responsibility of a biometric security framework.

² HAT demonstration tool: Tools>Capture Mode>Capture Only.

³ HAT demonstration tool 'Mass Operations' function, see Appendix F.

7.3.4.1 HAT Stage-3 Absorption templates

The HAT Stage-3 Absorption template is the product of the mean calculation of ten audio waveforms (the numbers 0 to 9), captured during registration, at the twenty-five discrete HAT Stage-2 Filter spot-frequencies (Section 6.2.1.3).

From the volunteer group of twenty participants, a selection of six HAT templates are shown in Figure 7-16 to Figure 7-21 inclusive; captured directly from the embedded 'Absorption Curve Analysis' tool within the HAT Application¹. With reference to the thesis section covering the composition of the HAT template (Section 6.2.6), it can be seen that the trial participants' individual response curves showed a clear collective pattern match or correlation with each other; Figure 7-17 is a good example of this, exhibiting very little variance between curves. Even when observing a relatively poor example by comparison (Figure 7-20), the consistent shape of the participant's curves is still clearly visible; it is only the variance which has changed, not the unique collective shape. By further comparing the graphs between individual trial participants, it can be seen that each user's collective set of curves follows a unique shape, emphasized by the mean curve (the HAT template) shown in red².

In comparison to a generic authentication model, the graphs in Figure 7-16 to Figure 7-21 demonstrate HAT's ability to fulfil the following fundamental authentication principles:

• Biometric samples captured from an individual user are consistent in nature;
  o HAT Absorption patterns of curves from the same user follow a common shape.

• Biometric samples captured from multiple users are inconsistent in nature;
  o HAT Absorption patterns of curves between users follow a different shape.

¹ The 'Absorption Curve Analysis' tool is activated by entering a registered user into the 'User name' field or selecting a trial participant from the 'User name' pull down menu, and pressing the blue cog O.

² Standard deviation curves option has been omitted from the graphs to emphasize the HAT template.

[Figures 7-16 to 7-21 are screenshots of the Absorption Curve Analysis tool, one per trial participant, each plotting absorption against frequency with the Show Mean and Show ± Standard Deviation options.]

Figure 7-16 : HAT Template of trial participant - u01_Phi

Figure 7-17 : HAT Template of trial participant - u03_Viv

Figure 7-18 : HAT Template of trial participant - u04_Aun

Figure 7-19 : HAT Template of trial participant - u06_Zak

Figure 7-20 : HAT Template of trial participant - u09_Stv

Figure 7-21 : HAT Template of trial participant - u10_Pau

7.3.4.2 HAT Stage-4 (Neural-network) Analysis

To evaluate HAT's performance as an authentication system, a user's neural-network was chosen from the trial participants' user base, and subjected to interrogation by a random selection of HAT templates from four other participants of the trials. The neural-networks under investigation were generated using Session 1 data sets, with the data set owner being identified as 'good' and ALL other trial participants' data sets (x20) as 'bad'. The HAT templates used to interrogate the chosen neural-network were generated using Session 2 data from the trials.

The authentication tests were performed in Matlab, using the proprietary neural-network toolbox, and the graphical results are presented as stem plots in Figure 7-23 to Figure 7-32 inclusive. The plots are presented in vertical pairs, where:

• The upper plot is the neural-network response to feeding the original network Session 1 training data back into the network it was used to train. This gives an indication as to the training performance and authentication potential of the network. This plot wants to be as close to the ideal response, shown in Figure 7-22, as possible. Any significant deviation from the ideal response indicates inadequate training, and conversely could be improved with additional training data. In relation to a biometrics system, biometric templates are normally refined over time and not usually dependent on just one sample set; the HAT trials can therefore be considered as representative of a worst case scenario.

• The lower plot represents the neural-network response to interrogation by a random selection of HAT templates from four other participants of the HAT trials. This plot also wants to be as near to the ideal response as possible (in reality, as near to the training response as possible).

[Figure 7-22 plot: 'Neural network trained for user: User 1'; stem plot of network output on a 0 to 1 scale; x-axis groups: User 2 | User 3 | User 1 | User 4 | User 5.]

Figure 7-22 : Neural-network testing: Ideal response

Figure 7-22 shows the ideal analysis response plot, composed of the responses of four simulated masquerading users' HAT templates¹ (Users: 2, 3, 4, 5) of the network under test, enclosing the responses of the templates² of the network owner (User 1) positioned centrally. In the ideal scenario illustrated, the network owner receives 100% recognition of their templates (y-axis = 1), and all other users receive 0% recognition (y-axis = 0).

The five trial participants' neural-network examples under analysis were specifically selected to represent a cross-section of threshold performance, ranging from excellent (users with highly distinctive HAT templates exhibiting low FMR and FNMR error rates) to below average (users with less distinctive templates and potentially unacceptable FMR and FNMR error rates). The final example includes two sets of data from trial session 3 (non-English participant native language), in Arabic and Malay.

¹ Generated using HAT trials Session 2 data sets, for the numbers 1 through 10.

² Generated using HAT trials Session 1 data sets, for the numbers 1 through 10.

7.3.4.2a Example 1: User u18_And (Threshold > 0.9)

The example in Figure 7-23 and Figure 7-24 are for HAT trial user 'u18_And'. By inspection of the training data responses in Figure 7-23, the example initially appears to require further training. However, the HAT Identify plot shown in Figure 7-24 produces an excellent response, offering an authentication threshold well in excess of 0.9 for 100% (FNMR=0%) of the owner's challenge samples, with none of the opposition users' HAT templates approaching this figure (FMR=0%).

7.3.4.2b Example 2: User u09_Stv (Threshold > 0.7)

The example in Figure 7-25 and Figure 7-24 are for HAT trial user 'u09_Stv'. Although in the training responses in Figure 7-25, one training sample notably drops to a value of 0.8, the remaining training samples maintain an average in excess of 0.9. The HAT identify plot shown in Figure 7-24 produces a result with 90% of the owner's challenge samples offering an authentication threshold in excess of 0.7 (FNMR=10%), with only one sample from user 'u10_Pau' presenting a potential problem for the network (FMR = 0.025%).

7.3.4.2c Example 3: User u10_Pau (Threshold = 0.4)

The example in Figure 7-27 and Figure 7-27 are for HAT trial user 'u10_Pau'. User 'u10_Pau's neural-network presented one of the best sets of training response data, with all training samples well in excess of 0.8 and an average of 0.9. However, this performance was not maintained during HAT Identification, where 90% of the owner's challenge samples offered an authentication threshold of only 0.4 (FNMR=10%). In the system's defence however, even at this reduced threshold only one of the opposition trial users' HAT templates, from user 'u08_Adr', challenged this threshold (FMR=0.025%).

[Figures 7-23 to 7-28 are stem plots of neural-network output on a 0 to 1 scale, grouped along the x-axis by the user whose templates were presented.]

[Figure 7-23 plot: 'Neural network trained for user: u18_And'; x-axis groups: u14_Shu | u12_Nat | u18_And | u08_Adr | u20_Cja.]

Figure 7-23 : Neural-network testing of user: u18_And (Training Session 1)

[Figure 7-24 plot: 'Neural network trained for user: u18_And'; x-axis groups: u14_Shu | u12_Nat | u18_And | u08_Adr | u20_Cja.]

Figure 7-24 : Neural-network testing of user: u18_And (Identify Session 2)

[Figure 7-25 plot: 'Neural network trained for user: u09_Stv'; x-axis groups: u03_Viv | u10_Pau | u09_Stv | u01_Phi | u04_Aun.]

Figure 7-25 : Neural-network testing of user: u09_Stv (Training Session 1)

[Figure 7-26 plot: 'Neural network trained for user: u09_Stv'; annotations: False Match, False Non-Match; x-axis groups: u03_Viv | u10_Pau | u09_Stv | u01_Phi | u04_Aun.]

Figure 7-26 : Neural-network testing of user: u09_Stv (Identify Session 2)

[Figure 7-27 plot: 'Neural network trained for user: u10_Pau'; x-axis groups: u16_Fen | u17_Pet | u10_Pau | u08_Adr | u20_Cja.]

Figure 7-27 : Neural-network testing of user: u10_Pau (Training Session 1)

[Figure 7-28 plot: 'Neural network trained for user: u10_Pau'; annotation: False Match; x-axis groups: u16_Fen | u17_Pet | u10_Pau | u08_Adr | u20_Cja.]

Figure 7-28 : Neural-network testing of user: u10_Pau (Identify Session 2)

7.3.4.2d Example 4: User u01_Phi (Threshold ^ 0.2)

The example in Figure 7-29 and Figure 7-30 are for HAT trial user 'u01_Phi'. User 'u01_Phi' appeared at first inspection to offer a potentially robust neural-network, with all training samples exceeding a value of 0.8, illustrated in Figure 7-29. However, during HAT Identify testing, the network produced a below average performance, offering an authentication threshold of only 0.2 for 90% of the network owner's challenge samples (FNMR=10%, FMR=0.075%). With only 60% of the owner's challenge samples exceeding a threshold value of 0.7 (FNMR=40%, FMR=0%), this network presents a clear case for retraining (Figure 7-30) as neither of these scenarios is acceptable in the long term.

7.3.4.2e Example 5: User u17_Pet (Foreign Language, Threshold 0.5)

The example in Figure 7-31 and Figure 7-32 are for HAT trial user 'u17_Pet'. In this example it was decided to introduce some foreign language data into the tests to demonstrate the HAT process's transparency to language; the HAT process is not dependent on 'what you say', but 'how you say it'. In the examples, user 'u11_Abd' presented his training and challenge data in Arabic, and user 'u04_Aun' in Malay: two languages which sound distinctively different to English. The plot showing the results of neural-network training is shown in Figure 7-31, illustrating a good training session with 100% of the training samples exceeding a threshold value of 0.8. The HAT Identify challenge plot, shown in Figure 7-32, shows a good response to both the owner's and the opposition users' HAT templates, with 80% of the network owner's challenge data exceeding a threshold of 0.7 and 90% exceeding 0.5 (FNMR=10%): none of the opposition users' challenge samples present any threat to the owner's network (FMR=0%), and this example offers the second best authentication response from the tests.

[Figures 7-29 to 7-32 are stem plots of neural-network output on a 0 to 1 scale, grouped along the x-axis by the user whose templates were presented.]

[Figure 7-29 plot: 'Neural network trained for user: u01_Phi'; x-axis groups: u09_Stv | u10_Pau | u01_Phi | u03_Viv | u06_Zak.]

Figure 7-29 : Neural-network testing of user: u01_Phi (Training Session 1)

[Figure 7-30 plot: 'Neural network trained for user: u01_Phi'; annotation: False Matches; x-axis groups: u09_Stv | u10_Pau | u01_Phi | u03_Viv | u06_Zak.]

Figure 7-30 : Neural-network testing of user: u01_Phi (Identify Session 2)

[Figure 7-31 plot: 'Neural network trained for user: u17_Pet'; x-axis groups: u11_Abd | u10_Pau | u17_Pet | u19_Sim | u04_Aun.]

Figure 7-31 : Neural-network testing of user: u17_Pet (Training Session 1 - Foreign)

[Figure 7-32 plot: 'Neural network trained for user: u17_Pet'; annotation: False Non-Match; x-axis groups: u11_Abd | u10_Pau | u17_Pet | u19_Sim | u04_Aun.]

Figure 7-32 : Neural-network testing of user: u17_Pet (Identify Session 2 - Foreign)

7.3.4.3 System Authentication Thresholds and Error Rates

Owing to HAT's potential for continuous non-intrusive authentication, individual authentication successes and failures within a HAT protected system are less important than in traditional PoE security systems. It is a user's authentication history or trend which will now be used to determine an appropriate system response to deviations in the approved authentication response profile.

By combining the error rates generated in examples 7.3.4.2a to 7.3.4.2e, it is possible to produce preliminary error rates for the current HAT system as a whole of FNMR = 6% and FMR = 0.025%, where 'preliminary' draws attention to the following key points:

• The error rates are for the current demonstration tool, NOT for the HAT process.

• The user's neural-network was trained using only ONE registration data set.

• The user's authentication threshold was calculated using only ONE set of user registration challenge data.

• The HAT Application does not intelligently manage its thresholds.

The HAT demonstration tool (v15.2) calculates its HAT Stage-5 Thresholds based on a preset FNMR of 10% (1 in 10 samples) when a trial user's session-2 data is fed into their session-1 network. The HAT Application has NOT been programmed to intelligently manage or dynamically refine its user thresholds, as would be expected in a commercial system. Although a basic thresholds calculation algorithm was required within the HAT Application to facilitate authentication, this task would traditionally fall under the jurisdiction of an overall security management framework.

System thresholds management is included in the section on Future work (Section 8.3).
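The threshold calculation and the combining of per-network error rates described in this section can be sketched as follows. This is an added illustration, not code from the HAT demonstration tool: the function names, the user labels and every score are constructed for the example, and a sample is assumed to match when its network output is at or above the threshold.

```python
"""Threshold selection at a preset FNMR, and pooled FNMR/FMR.

Added illustration; not code from the HAT demonstration tool.
All scores below are constructed, not HAT trial data.
"""
from math import floor


def threshold_for_fnmr(owner_scores, target_fnmr=0.10):
    """Highest threshold that rejects at most target_fnmr of owner samples.

    Assumption: a sample matches when score >= threshold.
    """
    if not owner_scores:
        raise ValueError("need at least one owner challenge score")
    ranked = sorted(owner_scores)
    # Number of owner samples we may reject (1 in 10 at the 10% preset).
    allowed = floor(target_fnmr * len(ranked) + 1e-9)
    allowed = min(allowed, len(ranked) - 1)
    # The lowest score still accepted becomes the threshold; ties at that
    # value are accepted too, so the preset FNMR is never exceeded.
    return ranked[allowed]


def count_errors(owner_scores, impostor_scores, threshold):
    """Return (false non-matches, false matches) at the given threshold."""
    false_non_matches = sum(1 for s in owner_scores if s < threshold)
    false_matches = sum(1 for s in impostor_scores if s >= threshold)
    return false_non_matches, false_matches


def error_rates(owner_scores, impostor_scores, threshold):
    """Return (FNMR, FMR) as fractions for one user's network."""
    fnm, fm = count_errors(owner_scores, impostor_scores, threshold)
    return fnm / len(owner_scores), fm / len(impostor_scores)


def pooled_error_rates(networks, target_fnmr=0.10):
    """Pool errors over all networks, each at its own threshold.

    Pooling sums the error counts and the attempt counts, so networks
    with more challenge samples carry proportionally more weight.
    """
    fnm_total = fm_total = owner_total = impostor_total = 0
    for owner_scores, impostor_scores in networks.values():
        threshold = threshold_for_fnmr(owner_scores, target_fnmr)
        fnm, fm = count_errors(owner_scores, impostor_scores, threshold)
        fnm_total += fnm
        fm_total += fm
        owner_total += len(owner_scores)
        impostor_total += len(impostor_scores)
    return fnm_total / owner_total, fm_total / impostor_total


# Constructed network outputs: (owner challenge scores, impostor scores).
# user_A has well separated scores; user_B has a weak owner response, so
# the 10% preset drags its threshold down to where impostors can match.
NETWORKS = {
    "user_A": (
        [0.95, 0.92, 0.91, 0.90, 0.88, 0.86, 0.85, 0.81, 0.74, 0.55],
        [0.01 * (i % 10) for i in range(40)],
    ),
    "user_B": (
        [0.93, 0.90, 0.85, 0.80, 0.75, 0.72, 0.45, 0.33, 0.20, 0.05],
        [0.02 * (i % 5) for i in range(37)] + [0.22, 0.25, 0.30],
    ),
}


if __name__ == "__main__":
    for name, (owner, impostor) in NETWORKS.items():
        preset = threshold_for_fnmr(owner)
        for threshold in (preset, 0.7):
            fnmr, fmr = error_rates(owner, impostor, threshold)
            print(f"{name} threshold={threshold:.2f} "
                  f"FNMR={fnmr:.1%} FMR={fmr:.1%}")
    fnmr, fmr = pooled_error_rates(NETWORKS)
    print(f"pooled FNMR={fnmr:.1%} FMR={fmr:.2%}")
```

For the weak network, holding FNMR at the preset admits impostor samples, while raising the threshold to 0.7 removes them at the cost of rejecting the owner far more often: the same trade-off as in Example 4.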


7.4 Conclusion

Having defined the five discrete stages of the HAT authentication process in Chapter 6, it was necessary to evaluate the technique in a broader context. To realise this goal, a set of HAT trials was conceived involving volunteers of both sexes, a cross section of age groups, and multiple nationalities. To enable the trials, the HAT demonstration tool was developed out of the research test bed used to prove the original concepts of head authentication in Chapter 5.

Through a series of examples, the individuality of trial participants' biometric template(s) generated at Stage-3 of the HAT process was proven, where:

• HAT Absorption patterns of curves from the same user follow a common shape.

• HAT Absorption patterns of curves between users follow a different shape.

Through a series of further examples, a selection of the user templates generated in HAT Stage-3 were fed into a selection of five HAT Stage-4 authentication networks, realising a series of stem plots giving an indication as to the system's authentication capabilities. The results were presented in order of performance from excellent to poor, realising error rates (for the examples shown) of FNMR = 6% and FMR = 0.025%.

These error rates are highly dependent on the authentication thresholds set in HAT Stage-5, and it is expected that a biometric network management framework would ultimately manage these values in order to maintain optimum system performance: the development of such a framework was beyond the scope of this research.

The next chapter discusses the conclusions of the research into non-intrusive authentication in greater detail, addressing the key areas of research limitation and future work for the novel HAT process.


Chapter 8 : Conclusion


8 Conclusion

It was established in Chapter 2 that security provisions within the current mobile telecommunications networks are primarily aimed at secure communications through data encryption and terminal authentication via use of a SIM card. It was discussed how the advanced services enabled by post 2nd generation wideband mobile networks have developed far in advance of the security systems originally conceived to protect their forebears. There now exists a requirement for a more secure subscriber-based authentication system enabling protection commensurate with the risks and consequences associated with the more sensitive information that these new service networks access.

Having clearly identified the problem the research was conceived to address, a survey was conducted to assess public opinion on current mobile security and their awareness of the security issues raised by the advanced data services of wideband mobile networks. The survey was divided into two sections covering present and future mobile authentication respectively. Chapter 3 covered the first part of this survey and proposed the hypothesis:

The majority of mobile subscribers either do not understand or are lacking well founded opinion on mobile security issues. They are also generally ignorant of the security implications of the advanced services being offered through the next generation of wideband networks known as 3G.

The survey results presented a contradiction. Although the majority of survey users are happily willing to sign up for the advanced services on offer by the wideband network operators, with 85% claiming to be aware of the security risks involved, 70% are still unwilling or unable to activate the most rudimentary security setting on their current mobile devices: the PIN. The survey concluded broadly in support of the hypothesis, but with the added finding that it is not the principles of authentication which users are rejecting, but the current application of those principles: the authentication mechanism(s).


One of the requirements of the research was for an authentication mechanism, either novel or adapted, which could be realised non-intrusively within a mobile context: the discipline of biometrics naturally lent itself to this requirement. A full review of current biometric authentication techniques was conducted in Chapter 4, including the second part of the consumer survey addressing users' attitudes towards future authentication issues, including biometrics. The survey found that 96% of respondents had no objection to their biometric markers being used as part of a mobile authentication system; this is an excellent result when compared to the 70% of respondents who are essentially unhappy with using the PIN, suggesting users would use a suitable system if it existed. When asked about their views on continuous authentication, 83% of respondents had no objection to the idea. The groundwork was essentially laid for the development of a continuous, non-intrusive, biometric authentication system.

Through a novel process of reinvention of selected existing biometric techniques combined with principles drawn from the discipline of Audio Evoked Responses, Chapter 5 discusses the conception of the Head Authentication Technique. The chapter includes a series of trials performed by the ENT department of the local hospital designed to experience AER (specifically otoacoustic emission) analysis techniques in their native environment as an intellectual grounding for the technique's development.

HAT is a novel, inherently multi-modal, biometric authentication technique where the natural symbiotic relationship of the 'behavioural characteristics' of the human voice stimulate the 'physiological anatomy' of the head. The HAT research process discussed in Chapter 6 realised two subtly different versions of the head authentication principles: the absorption method and the correlation method. After extensive testing on and between the two methods, the absorption method was selected as the more appropriate method for final development due to its consistently better performance and simpler analysis stages, requiring less processing time.


The HAT authentication process was rationalised into a five stage operation, defined as:

• Capture of biometric audio waveform pairs from a user.

• Filter of audio waveform pairs at discrete spot-frequencies.

• Absorption comparison of discrete waveform spectra defining a HAT template.

• Analysis of the HAT absorption template within a neural-network.

• Classification of the neural-network output through threshold comparison.

Having established the principles and stages of the HAT process, the tool was evaluated through a series of trials, discussed in Chapter 7, involving a group of twenty volunteers representing a cross section of sexes, ages and nationalities. To enable the trials, a comprehensive HAT demonstration tool was developed to manage system registration and authentication for the novice user. Analysis of the trials' results using a series of group examples realised system error rates of FNMR = 6% and FMR = 0.025%, and confirmed the individuality of HAT templates generated by the HAT process, where:

• HAT Absorption patterns of curves from the same user follow a common shape.

• HAT Absorption patterns of curves between users follow a different shape.

The research has met all of the objectives originally outlined in Chapter 1 and has resulted in the design and development of an advanced authentication technique capable of continuous non-intrusive application in a vocalised services environment. A number of papers relating to the research have been presented at national and international conferences, and the research has realised an international patent, in association with Orange PCS, in the area of 'determining identity of a user' on an electronic communication system (#GB2375205, 2001). The novel aspects of the patent include:

• The head authentication method(s) of biometric capture.

• The head authentication method(s) of biometric analysis.

Copies of these materials are included in the appendices.


8.1 Achievements of the Research

This section provides a list of the key research achievements made during the course of the PhD, culminating in the Head Authentication Technique. In order, the research has:

1. Performed a review of mobile network technologies, from the 1st generation analogue telephony systems to the latest 3rd generation wideband digital networks, identifying user authentication security issues relating to post 2G developments.

2. Assessed mobile subscribers' awareness of the risks of masquerade attack on current mobile devices, specifically relating to the effectiveness of the PoE PIN, and their receptiveness to a range of possible alternative advanced authentication principles.

3. Performed an analysis of current biometric principles and techniques, identifying those techniques which could be applied in a mobile context.

4. Conceived a number of novel non-intrusive biometric authentication approaches applicable to the mobile environment, leading to the selection of a single approach and its realisation in a proof-of-concept prototype. The chosen approach was named the Head Authentication Technique (HAT).

5. Developed the HAT authentication biometric into a five stage process and realised the registration and authentication aspects of the technique within a user accessible demonstration tool. The composite prototype tool included construction of a hardware biometric collector and programming in Win32 of a software management application.

6. Evaluated HAT in a series of trials using a representative user community, providing proof of viability of the technique in practice. The trials demonstrated the unique nature of the biometric templates produced by the HAT process: how biometric templates from the same user exhibit a common pattern, yet templates between users exhibit a different pattern. The trials were also used to demonstrate the authentication performance of the process through a series of masquerade challenge examples: basic error rates for the HAT demonstration tool were: FNMR = 6% and FMR = 0.025%.


8.2 Limitations of the Research

Although all of the original objectives for the research set out in Chapter 1 have been met, time constraints and the operational envelope of the HAT demonstration tool imposed certain limitations upon the work, which are summarised below:

• HAT authentication can only be performed when a user is verbally interacting with their mobile device. As such, HAT would most usefully form part of an arsenal of authentication techniques, covering the full range of mobile interaction scenarios.

• During the development of the HAT process, a small core group of five volunteers was used to develop the initial proof of concept up to peer approval for the HAT trials. The trials were conceived to extend the proof of concept to a wider audience; however, owing to the completely novel aspect of the technique the trial group was deliberately restricted to twenty volunteers. It is accepted that this number is representative of only a restricted cross-section of society.

• Although the HAT process was primarily developed for mobile use, it has not been installed or demonstrated within a mobile device. The HAT demonstration tool is however capable of operation within a laptop computer.

• Development of the HAT process included two methods of template analysis, absorption and correlation: due to time constraints only the absorption method was developed to proof of concept and incorporated into the HAT process (and subsequent demonstration tool). Further development of the correlation analysis method could yield additional multi-modal system performance benefits.

• Although not a limitation of the HAT process, the HAT demonstration tool was developed for use in trial groups of twenty users (the HAT trials); larger trials would require recoding of certain aspects of the tool: e.g. HAT Stage-4 Analysis.

Despite these limitations, the research programme has made valid contributions to knowledge and provided sufficient proof of concept for the ideas proposed.


8.3 Future Research Work

The HAT research has introduced a novel hybrid multimodal biometric to the field of electronic user authentication. Although the technique was originally developed for use within the field of mobile communications, future work could extend the technique's scope to include many additional electronic communications devices, such as the PC.

During the development of the HAT process, certain decisions had to be made to ensure that the research reached completion within a reasonable time. A number of these decisions left areas for future work, which are summarised below:

• Basic HAT Stage-1 Capture collects audio samples from two points on the user's head. Once the HAT technique was proven, the possibility existed of raising the number of capture points to three, including both ears.

• The resolution of the HAT Stage-3 Absorption template (dependent on the number of Stage-2 spot-frequencies) was partly based on the processing resources available during HAT development. Integration within a custom designed chipset would allow for optimised code and the potential for higher resolution templates without impacting upon authentication cycle times.

• HAT Stage-3 currently only utilises the absorption method to realise the HAT template. The correlation method of difference analysis was not fully developed owing to the existence of a working alternative; they both could exist in unison.

• The HAT Stage-5 Thresholds algorithm used during the HAT trials was passive, and based on the simple numerical advantage of the network owners' samples over impostors. Future work could dynamically set the threshold level, based on a more precise statistical analysis of authentication successes and failures over time.

• A second round of HAT trials involving a more comprehensive assessment of the technique, with a larger sample group (50 to 100 users), more registration session data (>2), and a more natural 'noisy' mobile environment.


8.4 Authentication in Next Generation Mobile Systems

The last ten years have borne witness to a revolution in communications technology not seen since Antonio Meucci's original invention of the 'teletrofono' (telephone) in 1849 (Link: Meucci), and the first live trans-Atlantic television transmission in 1962. Up until the mid 1980s, mobile communications for the majority of the general population was a large static box at the side of the road containing a coin operated bakelite telephone. With the introduction of the first analogue mobile handsets in 1983, users' perceptions of mobile communications changed forever. Running parallel with similar growth in the computer market, the introduction of 2nd generation digital technology in 1992 saw the boundaries between mobile handsets and mobile computers merge, with handsets offering traditional computer facilities, and computers becoming ever more mobile. The 3rd generation of mobile communications technology, introduced in 2004, has brought a wealth of new service possibilities to network operators and their subscribers, including rich-internet, online-banking and m-commerce: to offer these latest personal services, network operators must be able to safely handle the highly sensitive and personal data on which these services depend. Unfortunately, the security in place to protect this personal data from masquerade attack has remained essentially unchanged since the introduction of the first mobile handsets in 1983: in essence, 3rd generation data (banking details, medical details) remains under the protection of a 1st generation authentication system designed to prevent somebody making a voice call on your analogue handset.

The successful deployment of next generation mobile networks and their services will become increasingly dependent on the basic authentication assurance of the network's subscribers. HAT was conceived and developed to address this need, offering a viable authentication solution capable of continuously and non-intrusively verifying the identity of any user accessing your data at any time. A biometric solution dependent on 'who you are', not on 'what you know' (or have overheard), or 'what you have' (or have stolen).


988 P.2d 977 (1999). Available from: <http://\vww.forensic-evidence.com/site/lD

/ID_K:unze.html> [Accessed Feb. 2005].

Nanavati, S., Thieme, M., Nanavati, R., 2002. Biometrics - Identity Verification in a

NetM'orked World. New York: John Wiley & Sons. ISBN: 0471099457.

National Mobile Phone Crime Unit (NMPCU), 2003. A new weapon to combat phone theft, The Job [online], Vol.36. Available from: <http://www.met.police.uk/job/ job919/live_files/2.htm> [Accessed Dec. 2003].

Newmann, J., 1997. Improved measurement techniques for otoacoustic emissions.

Thesis (PhD). Universitat Oldenburg. Available from: <http://www.bis.unioldenburg.de/bisverlag/neurec97/inhalt.html> [Accessed Nov. 2005].

Nortel, 2005. HSDPA Trials Pick Up Speed [online]. Wireless Week, Feb. 2005.

Available from: <http://www.wirelessweek.com/article/CA503596.html7space desc =Departments> [Accessed May 2005].

Norton, R.E., 2002. Tiie Implications and Challenges of Integrating Biometric

Technology into Day-to-Day Immigration and Security Policy [online]. The

International Biometric Industry Association, 7th May, 2004. Available from:

<http://www.ibia.org/aboutibia/newsletter_detail.asp?id=28> [Accessed Jan. 2005].

NTT DoCoMo, 2004. DoCoMo's Newest 505i Handset Features Fingerprint

Authentication [online]. NTT DoCoMo, 9**" Jul. 2003. Available from: <http:// www.nttdocomo.com/presscenter/pressreleases/press/pressrelease.htTnl?param%5

Bno%5D=257> [Accessed Dec. 2004].

245

References

Open Mobile Alliance (WAP Forum), 2005. Material from Affiliates - Wireless

Application Protocol [online]. OMA. Available from: <http://vvww.openmobile alliance.org/tech/affiliates/wap/wapindex.html#wap20> [Accessed Dec. 2005].

Philips, 1985. Tlie predecessor of the CD [online]. Philips Research. Available from:

<http://www.research.philips.com> [Accessed May 2005].

Polemi, D., 1997. Review and Evaluation of Biometric Techniques for Identification and

Authentication, Including an Appraisal of the Most Applicable Areas. European

Commission DG Xin-C.4 on the Information Society Technologies (IST) (Key action 2: New Methods of Work and Electronic Commerce). Available from:

<www.cordis.lu/infosec/src/stud5fr.htinl> [Accessed Jan. 2005].

Porras, P.A. and Neumann, P.G., 1997. EMERALD: Event Monitoring Enabling

Responses to Anomalous Live Disturbances. 2(f^ National Information Systems

Security Conference, 7-10 Oct, 1997, Baltimore, Maryland, USA.

Ratha, N.K., Connell, J.H., Bolle, R.M., 2001a. Enhancing security and privacy in biometrics-based authentication systems [online]. IBM Systems Journal, Vol.40,

No.3. Available from: <http://www.research.ibm.com/joumal/sj/403/ratha,pdf>

[Accessed Apr. 2003].

Ratha, N.K., Connell, J.H., Bolle, R.M., 2001b. An analysis of minutiae matching strength. Hiird International Conference on Audio- and Video-Based Biometric

Person Authentication, 6-8 Jun. 2001, Halmstad, Sweden, pp. 223-228. Available:

<http://www.research,ibm.com/ecvg/pubs/ratha-strength.pdf> [Accessed Jun. 2002]

Richardson, IC., 2000. UMTS Overview. Electronics Communications Engineering

Journal, Vol.12, No,3, pp.100.

Rodwell, P., 20Q\. Determining Identity of a User. UK Patent Application GB 2375205

A 06.11.2002. US Patent Application 10/476,588 31.10.2003.

Rodwell, P. and Clarke, N . , 2002. Assessing Subscribers' Attitudes towards Mobile

Services and Security [online]. Network Research Group, University o f Plymouth.

Available from: <http://www.network-research-group.org> [Accessed Dec, 2003].

Rogers, J., 2001. Data Mining Fights Fraud [online]. Computer Weekly, 8th Feb. 2001.

Available from: <http://www.computerweekly.eom/Articles/2001/02/08/l 78302/

Dataminingfightsfraud.htm#ContentContinues> [Accessed Apr, 2003].

Rosenblatt, F., 1958. The Perceptron: A Probabilistic Model for Information Storage &

Organisation in the Brain. Psychological Review. Vol. 65(6), pp.386-408.

Sagan C , 1978. The Quest for Extraterrestrial Intelligence. Smithsonian, May 1978.

Available from: <http://www.bigear.org/vollno2/sagan.htm> [Accessed Mar. 2005]

Sagem, 2000. SAGEM points a finger at GSM [online]. SAGEM, 24^** Jan. 2000.

Available from: < http://www.sagem.com/en/communiques-en/cp-lsem2000en.htm - mc 959 id empreintO [Accessed Feb, 2001].

246

References

Sharma, D.C., 2005. PC sales growth to slow in 2006 [online]. CNET News, Dec. 2005.

Available from: <http://news.zdnet.co.uk/hardware/mobile/0,39020360,39243156,

OO.htm> [Accessed Dec. 2005].

Smith, R.E., 2002, Authentication - From Passwords to Public Keys. Addison-Wesley

Professional. ISBN: 0201615991.

Squires, M . , 2001. Interview. In: The Mobile [Documentary]. TV, Channel 5.

Transmitted: 27^^ May 2001.

UMTS Forum, 2003. Mobile Evolution - Shaping the Future. UMTS Forum, Aug. 2003.

Available from: <http://www.umts-forum.org/servlet/dycon/ztumts/umts/Live/en/ umts/Resources_Papers_index> [Accessed Mar. 2005].

UMTS Forum, 2005. 3G/UMTS subscribers hit 16 million, confirms UMTS Forum

[online]. UMTS Forum, Jan. 2005. Available from: < http://www.umts-forum.org/ servlet/dycon/ztumts/umts/Live/en/umts/News_PR_Article050105> [Accessed

Jan. 2006].

VisionGain, 2005, 3G and Wireless Data Services: Market Analysis and Forecasts 2005-

2010 [online]. MarketResearch, Jan. 2005. Available from: <http://w\vw.market research.com/product/display.asp?productid=l 118851&g=l> [Accessed Jan. 2006]. vnunet, 2000. How to sell mobile computing - part 4 [online], vnunet, Aug. 2000.

Available from: < http://www.vnunet.com/vnunet/features/2l29789/seIl-mobilecomputing-part> [Accessed Mar. 2005]. "

W2F, 2004. UK Wireless Statistics. 2004-2006 [online]. W2Forum, Apr. 2004.

Available from: <http://www.hottelecom.com/w2f-uk-mobile-statistics.html>

[Accessed Feb.2005].

Washington Technology, 1996. High-Tech Security Firms Have Summer Games

Covered [online]. Washington Technology, Vol.11(7), 7^^ Nov. 1996. Available from: < http://www.washingtontechnology.eom/news/l l_7/news/10086-l.html>

[Accessed Oct. 2005].

Watson, A., 200\, Standardise Tliis [online]. In: Goldman, J., TheFeature, Jul. 2001.

Available from: < http://www.thefeaturearchives.com/12040.html> [Accessed

Feb. 2005].

Woodward, J.D. Jr., Orlans, N.M., Higgins, P.T., 2003. Biometrics - Identity Assurance

in the Information Age, UK: McGraw-Hill Osborne.

Zakaria, T., 2003. CIA to capture iris recognition at a distance [online]. (Reuters) News in Science, 5^ Nov. 2003. Available from: <http://www.abc.nel,au/cgi-bin/ common/printfinendly.pl?/science/news/tech/InnovationRepublish_982770.htm>

[Accessed Feb. 2005].

247

248



Appendices

Appendix A  Anatomy of the Subscriber Identity Module (SIM)
Appendix B  A Breakdown of the IMEI Code
Appendix C  Mobile Phone Security Survey
Appendix D  The Resource Interchange File Format (RIFF)
Appendix E  An Introduction to Neural Networks
Appendix F  The HAT Demonstration Tool Manual
Appendix G  HAT Trials Timetable
Appendix H  Published Works
    H1   Conference Invited Speaker (Powerpoint)
    H2   Published Paper
    H3   Poster Presentation
    H4   Published Paper
    H5   Journal Article
    H6   Poster Presentation
    H7   Published Paper
    H8   Journal Paper
    H9   Poster Presentation
    H10  Poster Presentation
    H11  Additional Published Works
Appendix I  Patent Material
    I1   Patent Proposal
    I2   UK Patent Application - no. 2,375,205
    I3   US Patent Application - no. 10/476,588

Appendix A: Anatomy of the Subscriber Identity Module (SIM)

The anatomy of a typical mobile SIM card (Section 2.3.1)

The microcontroller on a SIM is effectively a complete, albeit very small, computer on a single potted chip (Figure A-1), containing all the basic integrated hardware features normally found in a larger desktop or laptop system. It is this fully integrated package that gives a SIM its inherent security.

A SIM's features include:

• An operating system which can respond to external or internal commands.

• Data storage that can be accessed via the operating system.

• Applications called to perform simple or complex tasks when requested.

[Figure A-1: Block diagram of a typical SIM, showing the CPU, Secure Access, RAM, ROM (SIM OS) and EEPROM (application data: IMSI, Ki, ...) blocks]

CPU (Typically 8-bit) - The Central Processing Unit (CPU) is the processing heart of the SIM. Similar to the CPU found in a typical desktop computer, a SIM's CPU performs all required software and data processing. In stark contrast to a desktop computer system, however, the CPU is typically only an 8-bit¹, low performance, low power drain device.

¹ Desktop computer CPUs circa 2004/5 were predominantly 32-bit, with 64-bit available for power users.

RAM (Typically 256 bytes) - Unlike a conventional computer, the RAM is extremely limited in a smart card, usually amounting to only a few hundred bytes. This memory is used for functions such as program variables, stack values and pointers and, in particular, the input/output buffer memory.

ROM (Typically 16K) - The ROM section contains the SIM card operating system. This is masked ROM which, unlike conventional ROM that is programmed electrically with the operating system, is programmed during the wafer manufacture. This means that the code is processed into the silicon, forming an integral part of the device itself. This mask process means that the code can never be altered, erased or replaced.

EEPROM (Typically 4-16K) - The EEPROM stores data on the card which needs to be permanent; it is analogous to the hard disk on a computer, except considerably smaller.

Input/Output function - The I/O is the system by which the SIM communicates with the ME. The operating system uses a serial simplex protocol called T=0, which is an international standard specified by ISO.

Control Logic - The control logic implements functions associated with the low layer systems, such as memory management and security. Some of the SIM's security measures are hardware implemented, such as clock and voltage tamper detectors. These stop an attack on the device by shutting down the SIM if monitored values stray outside tolerances, i.e. additional CPU clock cycle detection due to unexpected coding instructions or additional battery loading due to hardware modification.

Data Stored on the SIM

The data stored on the SIM is stored in 'elementary files', which are arranged in 'directory files' much like the DOS file system found on a standard PC. The operating system can select an elementary file, and then perform commands upon that file. For each individual file, access conditions can be set when the card is personalised. These access conditions determine if an action can be performed.

GSM Data

The GSM data stored on the SIM card is used by the network operator to check the identity of the subscriber and where they are within the network. The SIM contains: an International Mobile Subscriber Identity (IMSI); a Temporary Mobile Subscriber Identifier (TMSI), used to identify the subscriber to the system; and secret keys for authentication and encryption. The IMSI and TMSI are completely independent of the IMEI. Using these keys, the network can authenticate who you are, or at least who the SIM is registered to. If authentication fails, then the subscriber is denied access to the network (Section 2.3.4). For security, the SIM also stores the current mobile cell identifier each time it is activated.

User Data

The SIM is able to store information for the user, such as phonebook data and short message (SMS) data. In fact, the bulk of the EEPROM is used to store the data fields required for user data. The network operator does, however, have some control over the size of the available user data. With flexible partitioning it is possible, for example, to limit the available phonebook to 100 entries in order to utilise some of the SIM's memory space to add operator-specific customisation.

Appendix B: A Breakdown of the IMEI Code

A breakdown of the mobile handset IMEI code (Section 2.3.2)

The IMEI has undergone some evolutionary changes since its introduction in 1992; the three figures below represent the three possible variations of the IMEI, dependent on the manufacturing date of the mobile handset (Figure A-2).

Prior to 01.01.2003 (Phase 1)

    xxxxxx  xx   xxxxxx  0
    TAC     FAC  SNR     SP

    TAC: Type Approval Code
    FAC: Final Assembly Code
    SNR: Serial Number
    SP: Spare

Between 01.01.2003 and 01.04.2004 (Phase 2)

    xxxxxx  00   xxxxxx  x
    TAC     FAC  SNR     CD

    TAC: Type Approval Code
    FAC: Final Assembly Code
    SNR: Serial Number
    CD: Check Digit

After 01.04.2004 (Phase 2+)

    xxxxxxxx  xxxxxx  x
    TAC       SNR     CD

    TAC: Type Allocation Code
    SNR: Serial Number
    CD: Check Digit

Figure A-2: The code variations of the IMEI

• TAC - Type Approval/Allocation Code

The first two digits (all phases) identify the IMEI reporting body, and the remaining digits are the Type Identifier defined by the reporting body.

• FAC - Final Assembly Code

Up until 31.12.2002, the FAC identified the manufacturing facility where the handset was assembled, as shown in Table A-1.

    FAC          Manufacturer
    07, 40       Motorola
    10, 20       Nokia
    30           Ericsson
    40, 41, 44   Siemens
    50           Bosch
    51           Sony Ericsson
    60           Alcatel
    70           Sagem
    80           Philips
    85           Panasonic

Table A-1: IMEI Final Assembly Codes (FAC)

• SNR - Serial Number

A unique product serial number.

• SP - Spare

The SP is an additional spare digit, usually set to zero.

• CD - Check Digit

The CD is a single digit dependent on the value of the preceding 14 digits.
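An added example, not part of the thesis: a Python sketch that splits a 15-digit IMEI into the fields of Figure A-2 for a caller-supplied phase and verifies the check digit. The appendix does not name the check-digit algorithm; the code uses the Luhn formula that 3GPP TS 23.003 specifies for the IMEI, and the function names and sample IMEIs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Table A-1 of this appendix; code 40 is listed there against two manufacturers.
FAC_TABLE = {
    "07": ("Motorola",), "40": ("Motorola", "Siemens"),
    "10": ("Nokia",), "20": ("Nokia",), "30": ("Ericsson",),
    "41": ("Siemens",), "44": ("Siemens",), "50": ("Bosch",),
    "51": ("Sony Ericsson",), "60": ("Alcatel",), "70": ("Sagem",),
    "80": ("Philips",), "85": ("Panasonic",),
}

# Field widths (TAC, FAC, SNR) per Figure A-2; the 15th digit is SP or CD.
LAYOUTS = {"phase1": (6, 2, 6), "phase2": (6, 2, 6), "phase2+": (8, 0, 6)}


@dataclass
class Imei:
    phase: str
    tac: str
    fac: str                      # empty string for phase 2+
    snr: str
    last: str                     # SP in phase 1, CD in phase 2 and 2+
    manufacturers: tuple = ()     # Table A-1 lookup, phase 1 only
    problems: list = field(default_factory=list)


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for the 14 digits that precede the CD."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # every second digit, starting next to the CD
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(text: str, phase: str) -> Imei:
    """Split an IMEI by phase and collect any inconsistencies in .problems."""
    if phase not in LAYOUTS:
        raise ValueError(f"unknown phase {phase!r}")
    digits = text.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("an IMEI is exactly 15 decimal digits")
    t, f, s = LAYOUTS[phase]
    imei = Imei(phase, digits[:t], digits[t:t + f],
                digits[t + f:t + f + s], digits[14])
    if phase == "phase1":
        # No check digit exists in phase 1; the last digit is the spare.
        imei.manufacturers = FAC_TABLE.get(imei.fac, ())
        if imei.last != "0":
            imei.problems.append("spare digit is not the usual 0")
        return imei
    if phase == "phase2" and imei.fac != "00":
        imei.problems.append("FAC is not 00")
    expected = luhn_check_digit(digits[:14])
    if int(imei.last) != expected:
        imei.problems.append(f"check digit {imei.last}, expected {expected}")
    return imei


if __name__ == "__main__":
    # Constructed sample values, not taken from any real handset.
    for sample, phase in [("490154 20 323751 0", "phase1"),
                          ("350000 00 123456 2", "phase2"),
                          ("49015420 323751 8", "phase2+")]:
        print(parse_imei(sample, phase))
```

The phase has to come from the handset's manufacturing date, as the appendix notes, because the digit string alone does not say which layout applies.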

Appendix C: Mobile Phone Security Survey

A copy of the questions asked as part of the security survey covered in Chapter 3

Section 1 of 4 - About You!

Q1. What Gender are you?
    Male
    Female

Q2. To which age group do you belong?
    Under 16
    17 - 24
    25 - 34
    35 - 44
    45 - 54
    55 - 64
    Over 65

Q3. Are you an employee/student at the University of Plymouth?
    Yes
    No

Section 2 of 4 - Services

Q1. To which network provider do you subscribe?
    O2 (BT Cellnet)
    Orange
    T-Mobile (One2one)
    Virgin
    Vodafone
    Other

Q2. How do you pay for your phone calls?
    Contract
    Pre-pay

Q3. Who is the manufacturer of your current mobile phone?
    Bosch
    Ericsson
    Motorola
    Nokia
    Samsung
    Siemens
    Sony

Q4. When choosing your network operator, please rank the considerations below in order of importance to you.
    (each rated Low / Medium / High)
    Choice of handset
    Network coverage
    Operator loyalty
    Prices, deals etc.
    Reliability
    Security features

Q5. When selecting your handset, please rank the considerations below in order of importance to you.
    (each rated Low / Medium / High)
    Accessories
    Battery life
    Brand loyalty
    Games
    Connectivity
    Security features
    Swappable facias

Q6. Approximately, how many hours a day is your phone switched on?
    < 1
    2 - 5
    6 - 10
    > 10

Q7. Approximately, how many times in a typical day is your phone used?
    (each answered 0 - 1 / 2 - 5 / 6 - 10 / > 10)
    Voice calls
    Data services (SMS, etc.)
    Features (Games, etc.)

Q8. Please indicate which services you use on your mobile phone.
    (each answered Yes / No / Not Available)
    Voice
    Text messages (SMS)
    Information services
    WAP
    Email
    International roaming

Q9. Please indicate any additional services you would like to see on a mobile phone in the future.
    (each answered Yes / No)
    Video conferencing
    Ecommerce
    Personal organiser
    Music download
    Video on demand
    Multimedia message (MMS)
    GPS location services
    Other

Section 3 of 4 - Security

Q1. Please indicate which of these following statements applies to you?

Note: The use of the term 'calls' in the following question includes all forms of communications: voice, text, WAP etc.

    My mobile phone has: (each answered Yes / No)
    - been borrowed and tampered with.
    - been borrowed and calls made.
    - been stolen and NO calls made.
    - never been stolen or abused.

Q2. Are you aware of the existence of the international mobile equipment identifier (IMEI) of your handset?
    Yes
    No

Q3. Do you use any of the personal identification number (PIN) authentication facilities on your mobile phone?
    Yes
    No
    What is a PIN

    If yes, please indicate which facilities you use.
    (each answered Yes / No / Not Available / Not Applicable)
    PIN @ switch-on
    PIN keypad lock
    Other PIN options

Q4. How often do you change ANY of your mobile phone PINs?
    Not applicable
    Never
    Initially at purchase
    Monthly
    Yearly

Q5. How do you consider PIN authentication?
    Convenient
    Inconvenient

Q6. How do you feel generally about the protection the PIN provides against mobile phone misuse?
    Very confident
    Confident
    Adequate
    Inadequate
    Indifferent

Q7. Have you ever had to use the PIN unlock code (PUK) on your mobile phone, because you have forgotten your PIN?
    Yes
    No

Q8. Do you use the same PIN for multiple services, such as your mobile phone, bank cards, PC access etc?
    Yes
    No

Q9. Do you think, in principle, additional mobile phone security is:
    A good idea
    A bad idea
    Indifferent

Note: Biometrics is the measurement of unique personal characteristics (e.g. Fingerprints, Voice Recognition & Hand Geometry)

Q10. How do you feel about biometric authentication in general?
    A good idea
    A bad idea
    Indifferent

Q11. Please indicate in the table below which of the following methods of security authentication you are aware of and which you would consider using on a mobile phone.
    (each answered Aware of? Yes / No and Would use? Yes / No)
    Finger Print
    Voice Print
    Hand Geometry
    Facial Recognition
    Iris Scanning
    Typing Style

Q12. How would you feel about your mobile phone continuously and transparently authenticating who is using it?
    A good idea
    A bad idea
    Indifferent

Q13. For any authentication technique to work, a security profile or signature about you has to exist somewhere; where would you prefer this security profile to reside?
    A good idea
    A bad idea
    Indifferent

Section 4 of 4 - General Knowledge

Q1. Which of the following is NOT a UK Network Operator?
    Don't know
    Nokia
    T-Mobile
    Orange
    Vodafone

Q2. Which of the following is NOT a mobile phone buzzword?
    Don't know
    3G
    ADSL
    WAP

Q3. What is the data rate of a standard GSM connection?
    Don't know
    9.6 Kbps
    14.4 Kbps
    56 Kbps
    64 Kbps

Appendix D: The Resource Interchange File Format (RIFF)

An explanation of the structure and usage of the WAV and RIFF file formats (Section 7.2)

The WAVE file format is a subset of the Microsoft RIFF file specification, which can include many different types of data. Although it was originally intended for multimedia files, the specification is open enough to allow almost any form of data to be stored within the file format, and used or ignored as required by programs that can read the format correctly.

RIFF Format

RIFF is a file format for storing many kinds of data, primarily multimedia data like audio and video. It is based on chunks and sub-chunks. Each chunk has a type, represented by a four-character tag. This chunk type comes first in the file, followed by the size of the chunk, then the contents of the chunk.

The entire RIFF file is a big chunk that contains all the other chunks. The first thing in the contents of the RIFF chunk is the "form type," which describes the overall type of the file's contents. So the structure of a RIFF file looks like this:

    Offset  Length   Contents           Note
    0000    4 bytes  'R' 'I' 'F' 'F'
    0004    4 bytes  <file length>      32-bit unsigned integer¹
    0008    4 bytes  Form type          4 characters
    000C    4 bytes  chunk type         4 characters
    0010    4 bytes  chunk length       32-bit unsigned integer¹
    0014             chunk data

¹ All integers are stored in the Intel low-high byte ordering (referred to as "little-endian").

A more detailed description of the RIFF format can be found in the Microsoft Win32 Multimedia API documentation, which is supplied as a Windows Help file with many Windows programming tools such as C++ compilers.

WAVE (wav) File Format

The WAVE file format is a subset of RIFF used for storing digital audio. Its form type is "WAVE", and it requires two kinds of chunks:

• the fmt chunk, which describes the sample rate, sample width, etc., and

• the data chunk, which contains the actual samples.

WAVE can also contain any other chunk type allowed by RIFF, including LIST chunks, which are used to contain optional kinds of data such as the copyright date, author's name, etc. Chunks can appear in any order.

The WAVE specification supports a number of different compression algorithms. The format tag entry in the fmt chunk indicates the type of compression used. A value of 1 indicates Pulse Code Modulation (PCM), which is a "straight," or uncompressed encoding of the samples. Values other than 1 indicate some form of compression.

The WAVE format starts with the RIFF header:

Offset  Length   Contents         Note
0000    4 bytes  'R' 'I' 'F' 'F'  RIFF file identifier
0004    4 bytes  <file length>
0008    4 bytes  'W' 'A' 'V' 'E'  Wave file identifier


The fmt chunk describes the sample format:

Offset  Length   Contents         Note
0012    4 bytes  'f' 'm' 't' ' '
0016    4 bytes  0x00000010       Length of fmt data
0020    2 bytes  0x0001           Format tag: 1 = PCM
0022    2 bytes  <channels>       1 = mono, 2 = stereo
0024    4 bytes  <sample rate>    Samples per second
0028    4 bytes  <bytes/second>   sample_rate * block_align
0032    2 bytes  <block align>    channel * bits_per_sample / 8
0034    2 bytes  <bits/sample>    8-bit or 16-bit

Finally, the data chunk contains the sample data:

Offset  Length   Contents                 Note
0036    4 bytes  'd' 'a' 't' 'a'          data chunk
0040    4 bytes  <length of data block>
0044    ? bytes  <sample data>

Additional Notes

• Sample data must end on an even byte boundary.

• All numeric data fields are in the Intel format of low-high byte ordering.

• 8-bit samples are stored as unsigned bytes (0 to 255).

• 16-bit samples are stored as 2's-complement signed integers (-32768 to 32767).

• For multi-channel data, samples are interleaved between channels, like this:

sample 0 - channel 0 (Left)
sample 0 - channel 1 (Right)
sample 1 - channel 0 (Left)
sample 1 - channel 1 (Right)

Source: The Canonical WAVE File Format (www.timothyweber.org)
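The layout above is enough to write a reader, and its length fields are exactly where a reader of untrusted wavefiles needs bounds checks. The following Python parser is an added example, not code from the thesis or the HAT tool; the names parse_wave, build_wave and WaveError and the constructed test file are assumptions made for illustration, as is treating the RIFF length as the byte count after the 8-byte header.

```python
import struct

class WaveError(ValueError):
    """The buffer violates the RIFF/WAVE layout described in this appendix."""

def chunk(tag, body):
    """One chunk: 4-character type, 32-bit little-endian length, data, even padding."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def build_wave(channels, rate, bits, samples):
    """Constructed sample input: a PCM file with an odd-sized LIST chunk ahead of fmt."""
    align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * align, align, bits)
    body = (b"WAVE" + chunk(b"LIST", b"INFOx") + chunk(b"fmt ", fmt)
            + chunk(b"data", samples))
    return b"RIFF" + struct.pack("<I", len(body)) + body

def parse_wave(buf):
    """Return channels, sample rate, bits and per-channel samples, or raise WaveError."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        raise WaveError("not a RIFF file with form type WAVE")
    (riff_len,) = struct.unpack_from("<I", buf, 4)
    end = 8 + riff_len  # assumption: the length counts the bytes after the 8-byte header
    if end > len(buf):
        raise WaveError("RIFF length field exceeds the bytes actually present")
    fmt = data = None
    pos = 12
    while pos + 8 <= end:                    # chunks may appear in any order
        tag, size = struct.unpack_from("<4sI", buf, pos)
        start = pos + 8
        if size > end - start:               # a length field is attacker-controlled input
            raise WaveError("chunk %r claims %d bytes, %d remain"
                            % (tag, size, end - start))
        if tag == b"fmt ":
            if size < 16:
                raise WaveError("fmt chunk shorter than 16 bytes")
            fmt = struct.unpack_from("<HHIIHH", buf, start)
        elif tag == b"data":
            data = buf[start:start + size]
        pos = start + size + (size & 1)      # skip the pad byte after an odd-sized chunk
    if fmt is None or data is None:
        raise WaveError("fmt or data chunk missing")
    format_tag, channels, rate, byte_rate, align, bits = fmt
    if format_tag != 1:
        raise WaveError("format tag %d is not PCM" % format_tag)
    if channels not in (1, 2) or bits not in (8, 16):
        raise WaveError("unsupported channel count or sample width")
    if align != channels * bits // 8 or byte_rate != rate * align:
        raise WaveError("block align or bytes/second disagree with the other fields")
    if len(data) % align:
        raise WaveError("data chunk is not a whole number of sample frames")
    code = "B" if bits == 8 else "h"         # unsigned bytes or signed 16-bit integers
    flat = struct.unpack("<%d%s" % (len(data) // (bits // 8), code), data)
    # De-interleave: sample i of channel c sits at flat[i * channels + c].
    return {"channels": channels, "sample_rate": rate, "bits": bits,
            "samples": [list(flat[c::channels]) for c in range(channels)]}

if __name__ == "__main__":
    stereo = build_wave(2, 44100, 16, struct.pack("<4h", 1, -1, 32767, -32768))
    print(parse_wave(stereo)["samples"])
```

Rejecting a file whose block align or bytes/second field contradicts the channel count and sample width stops later buffer-size arithmetic from being driven by a forged header.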


Appendix E : An Introduction to Neural Networks

Appendix E

An Introduction to Neural Networks

Neural-networks are an integral part of the HAT process discussed in Section 6.2.4


Appendix E An Introduction to Neural Networks

Neural-networks are based on the parallel architecture of animal brains and represent a different paradigm to traditional linear computing. They are particularly suited to the task of pattern recognition within large sets of data, and are therefore particularly suited to analysing the sets of biometric markers produced by HAT. They consist of:

• multiple simple processing elements referred to as neurons (1).

• a high degree of interconnection between neurons.

• adaptive interaction between neurons.

• simple scalar messaging.

Although biological neurons in real brains can have as many as 10,000 inputs, computer-based neural-networks traditionally have many orders of magnitude less than this. The structure for a simple neural-network is shown in the example in Figure A-3, showing a single layer five neuron-network design. HAT utilises a single layer twenty-five input neuron arrangement (Figure 6-15), one neuron for each of the spot-frequencies.

Figure A-3: A single layer five neuron neural-network

Single Input Neuron

The neuron is the basic building block of a neural-network, and it is in mutual quantity and arrangement that neural-networks gain their processing power. A representation of a single input neuron (aka perceptron, Rosenblatt 1958) is shown in Figure A-4.

Figure A-4: A single input neuron

In reference to Figure A-4, the scalar input p is multiplied by the scalar weight w to form wp; the first input to the summer. The second input, 1, is multiplied by a bias (2) b, forming the second input to the summer. The two input values are summed and outputted as the net input n, and passed into the transfer function (3) f, which produces the scalar neuron output a. In summary, the neuron output is defined by the equation:

a = f(wp + b)

Transfer Function(s)

The transfer function (f in Figure A-4) is used to shape the operational envelope of a neuron's output and can be either linear (a = n) or non-linear (a = f(n)) depending on the specific requirements of the neural-network. The three most common transfer functions and their input/output relationships are defined in Table A-2 (non-symmetrical format).

Hard Limit           a = 0,   n < 0
                     a = 1,   n ≥ 0
Saturating Linear    a = 0,   n < 0
                     a = n,   0 ≤ n ≤ 1
                     a = +1,  n > 1
Log-Sigmoid          a =

Table A-2: Table of common neural-network transfer function

(1) The simple processing elements within a neural-network are named after their biological counterparts.

(2) The input 'bias' is also sometimes known as the input 'offset'.

(3) The 'transfer function' is also sometimes known as the 'activation function'.

Appendix F : The HAT Demonstration Tool Manual

Appendix F

The HAT Demonstration Tool Manual

A complete list of the HAT help files is included as part of the HAT demonstration tool


Appendix F The HAT Demonstration Tool Manual

HAT Introduction

The HAT Application is the software element of the HAT demonstration tool. The tool harnesses a novel biometric capture and analysis process to enable the non-intrusive and continuous authentication of users of modern communications systems.

HAT's development is part of a PhD into Novel Authentication Systems for Next Generation Mobile Devices, in association with Orange, and the University of Plymouth, Network Research Group

• The Head Authentication Tool GUI is written in Microsoft Visual Basic

• Core functionality, including: Spectral Analysis, Neural Network training and Identification are performed via MathWorks Matlab

The HAT Application Window

[Screenshot: the HAT Demonstration Tool main application window]

• The live main window toolbar provides easy access to all of HAT's primary functions, without the need to enter the menus.

• The path to the HAT working directory containing the HAT Application executable and additional HAT resources: HAT.ini etc.

• The HAT activity indicator constantly reports the operational state of the tool.

• A user can either manually enter a new user name for registration, or conveniently select their name from the static pull down list of included HAT trial participants.

• A small selection of the active user's demographic data; also saved as 'user_id.txt' for each user. The 'language' option is the captured language not the user nationality.

• The tool's central display window is used to prompt the user with example text to speak during a capture cycle, or random text during an authentication cycle.

• The HAT capture progress-bar (green) indicates the progress of a HAT Stage-1 Capture, working in tandem with the timing-bar.

• The HAT waveform validation progress-bar (yellow) indicates the progress of the amplitude validation cycle performed on each new waveform.

• The HAT filter progress-bar (light-blue) indicates the timing of the HAT Stage-2 Filter, HAT Stage-3 Absorption processing loop.

• The HAT analysis progress-bar (dark blue) indicates the progress of the HAT Stage-4 Analysis using the HAT neural-network.

• The timing-bar is used to prompt the user when to speak during Capture or Identify cycles: 'green' indicates when to speak and 'red' when to wait.

• The current operation progress-bar indicates the progress of the complete active operation: for example, the five stages of an authentication cycle.

• The Identity confidence-bar is used to indicate HAT's confidence in the claimed identity of the active user in four steps: 0, 25%, 50, 75% & 100%. Each step increment indicates either a passed or failed authentication cycle.

• The auxiliary progress-bar is used to indicate the progress of en masse operations; for example, HAT Stage-4 Analysis of ALL the HAT trial participants.

• The current HAT Application software build information.


The HAT Processes

Note: For HAT data processing to be performed Matlab must be installed on the system, else an error will occur.

Capture

Capture a new set of wavefiles for an existing user, or a new user.

• The captured wavefiles are based on the contents of the Spoken-text file, in the HAT 'Input' directory.

• HAT will automatically name the wavefiles based on their contents and repetition.

• A completed user directory will contain the following files:

Filename          Purpose
HAT_Spoken.txt    A copy of the spoken-text file used at time of capture
???_id.txt        User Id data & wavefile specifications at time of capture
                  • ??? are the first 3 characters taken from the user's name
???_C_##.wav      Captured wavefiles
                  • ??? are the first 3 characters taken from the user's name
                  • C is the individual spoken character
                  • ## is the spoken character repetition count
MEa_?.txt         Analysis results
                  • ? is either Fixed or Variable data
MEa_?.mat         Neural-networks (Matlab)
                  • ? is either Fixed or Variable data
Threshold.txt     Neural-network thresholds results

Analysis

Analyse the captured wavefiles according to the HAT rule-set and produce the appropriate MEa analysis data files.

• The analysed wavefiles MEa results are dependent on the frequencies defined in the frequencies resource file, within the HAT 'Input' directory.

Network

Build and Train a Neural-network based on the MEa analysis data files.

• The selected user MEa analysis data is presented to the neural-network as Good data, and all other users MEa analysis data is presented as Bad data.

Threshold

Calculate the Authentication Threshold, by feeding a second data set into the Neural-network.

• A second data set is presented to the neural-network created using the first data set, and the relevant threshold calculated.

Identify

Authenticate a user against their profile.

• Authentication is based on a result exceeding their own network threshold.

• It may be possible for users to occasionally exceed thresholds other than their own. However, statistically their own threshold will sustain the best results in the long term. The confidence-bar attempts to iron out these anomalies.
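The neuron equation and transfer functions of Appendix E and the threshold and confidence-bar behaviour described under Identify can be seen working together in the following Python code. It is an added example, not HAT's Visual Basic or Matlab code: the weights, bias, threshold value, the use of a single 25-input output neuron, the starting level of 0 and the rule of moving one 25% step up on a pass and down on a fail are all assumptions made for illustration.

```python
import math

# Transfer functions in the non-symmetrical form used in Appendix E.
def hard_limit(n):
    return 0.0 if n < 0 else 1.0

def saturating_linear(n):
    return 0.0 if n < 0 else (n if n <= 1 else 1.0)

def log_sigmoid(n):
    return 1.0 / (1.0 + math.exp(-n))

def neuron(p, w, b, f):
    """a = f(wp + b), generalised from one scalar input to a vector of inputs."""
    if len(p) != len(w):
        raise ValueError("one weight is needed per input")
    return f(sum(wi * pi for wi, pi in zip(w, p)) + b)

def cycle_passes(score, threshold):
    """A cycle passes only when the network result exceeds the user's threshold."""
    return score > threshold

def confidence_trace(scores, threshold, start=0):
    """Confidence after each cycle, in 25% steps clamped to the range 0..100."""
    level, trace = start, []
    for score in scores:
        step = 25 if cycle_passes(score, threshold) else -25  # assumed step rule
        level = max(0, min(100, level + step))
        trace.append(level)
    return trace

# Constructed values: 25 inputs, one per spot-frequency, with hypothetical weights.
WEIGHTS, BIAS, THRESHOLD = [0.2] * 25, -2.5, 0.6

def score(level):
    """Network output for a constructed capture whose 25 markers all equal `level`."""
    return neuron([level] * 25, WEIGHTS, BIAS, log_sigmoid)

def demo():
    # Genuine user: five good captures and one poor one (third cycle).
    genuine = [score(x) for x in (1.0, 1.0, 0.5, 1.0, 1.0, 1.0)]
    # Another user who exceeds this threshold on two isolated cycles.
    other = [score(x) for x in (0.3, 0.8, 0.3, 0.3, 0.8, 0.3)]
    return confidence_trace(genuine, THRESHOLD), confidence_trace(other, THRESHOLD)

if __name__ == "__main__":
    for trace in demo():
        print(trace)
```

A single failed cycle costs the genuine user one step, while isolated passes by another user never accumulate beyond the first step.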


HAT Patent

The Head Authentication Tool core functionality is protected under UK Patent No. GB2375205, 2001 "Determining identity of a user"

First Author

Philip Rodwell

Network Research Group

University of Plymouth UK.

Second Author

Paul Reynolds

Orange PCS

Bristol. UK.

System Requirements

Before installing the Head Authentication Tool, please ensure you have the following:

Hardware

• x86 processor clocking at least:
  o 500MHz for wavefile Capture only
  o 1GHz for Analysis and Networking, including Authentication

• 64 MB of system RAM or more

• Free hard-disk space:
  o 1Mb for HAT application and resources
  o 1.4MB for each registered user set

• A soundcard with line-in facility, via 3.5mm jack plug

• The HAT headset (2xLR44 batteries), Pre-amp and 9v Power transformer

Software

• Microsoft Windows 98/Me/NT 4.0/2K/XP

• Mathsoft Matlab v6.1 or later

• Latest version of HAT

Resource files (contained in either the HAT directory or Windows SYSTEM directory)

• MSVBVM60.DLL - Microsoft Visual Basic generic controls

• MSCOMCTL.OCX - Microsoft Visual Basic custom controls (Toolbar, Tabbed options window)

• RICHTX32.OCX - Microsoft Visual Basic Rich-Text Control (Review window)

HAT.ini File

The HAT initialisation file is used to set HAT's user definable options at startup.

If the file exists in the HAT application directory, it is loaded at run-time by default, else internal settings will be assumed.

• The file is in fact a plain-text file and can be edited as such.

• HAT.ini is NOT automatically updated with changes made between sessions.

File Syntax

[Working Dir]
working_dir_path = filepath    (filepath = 'HAT Application' directory)

[Operational Modes]
capture_mode = capture_only | capture_analyse | analyse_only
network_mode = network_only | network_threshold | threshold_only

[User]
user_name = name    (4 chars ≤ name ≤ 15 chars)
user_sex = female | male
user_language = english | other
user_age = age    (0 < age ≤ 120)

[Wavefile Format]
wavefile_samplingrate = 11025 | 22050 | 44100
wavefile_bitspersample = 8 | 16

[Wavefile Validation]
validation_mode = full | half | off
validation_amplitude = amplitude    (0 ≤ amplitude ≤ 100)
validation_tolerance = tolerance    (0 ≤ tolerance ≤ 100)
clipping_amplitude = amplitude    (0 ≤ amplitude ≤ 100)
clipping_tolerance = tolerance    (0 ≤ tolerance ≤ 100)

[Spectral Analysis]
filter_ncount = count    (101 ≤ count(odd) ≤ 5001)
filter_bandwidth = bandwidth    (50 ≤ bandwidth ≤ 1000)

[Neural-Network]
network_perfgoal = goal    (0.001 ≤ goal ≤ 1)
network_epochs = epochs    (1 ≤ epochs ≤ 10000)

[View Output]
view_waveform = yes | no
view_waveform_axis = yes | no
view_signature = yes | no
view_signature_axis = yes | no
view_bargraph = yes | no
view_bargraph_axis = yes | no

[Advanced Settings]
onscreen_prompts = on | off
process_pauses = short | normal | long

Options

PCM Wavefile Format

The 'Wavefile' tab is used to set the HAT Stage-1 Capture wavefile parameters.

• Channels: Number of capture channels (basic HAT locked on 2)

• Sampling rate: Wavefile sampling rate

• Bits-per-sample: Bit-size of each capture sample

[Screenshot: HAT Options dialog, 'Wavefile' tab]

Wavefile Validation

The 'Validation' tab is used to set the HAT Stage-1 Capture wavefile validation parameters.

• Validation: Number of samples to validate (All | Half | Off) (default = Half)

• Detection: Minimum validation detection amplitude (0 → 100%)

• Valid Amplitude: Minimum validation amplitude (Detection → Clip Amplitude)

• Valid Tolerance: Minimum validation samples (0 → 100%)

• Clip Amplitude: Maximum validation amplitude (Valid Amplitude → 100%)

• Clip Tolerance: Maximum validation samples (0 → 100%)

[Screenshot: HAT Options dialog, 'Validation' tab]

Spectral Analysis

The 'Spectral Analysis' tab is used to set the HAT Stage-2 Filter parameters.

• Spot Frequencies: Preset spot-frequency values in Hertz

• Polynomial Coefficients: Coefficient count of the filter polynomial (1 → 10001)

• Filter Bandwidth: Bandwidth of the filter in Hertz (10 → 1000) Hz

• Show Signatures: Select the default capture set format (fixed | variable)

[Screenshot: HAT Options dialog, 'Spectral Analysis' tab]

Neural-Network

The 'Neural-Network' tab is primarily used to set the HAT Stage-4 Analysis neural-network training parameters.

• Identify-Set: Default data set to be used for HAT authentication

• Train-Set: Default data set to be used for neural network training

• Set Type: There are two different captures (Fixed | Variable)

• Training-Perf. Goal: Target error-rate whilst training (0.1 → 0.0001)

• Training-Epochs: Maximum number of training epochs (1 → 10000)

[Screenshot: HAT Options dialog, 'Neural-Network' tab]

View Outputs

The 'View' tab is used to set the visibility state of mid-process graphical outputs.

• Waveform Stereo Capture: Time-domain plot of the captured waveforms (upon completion of HAT Stage-1 capture)

• Absorption Spectral Analysis: HAT absorption template view (upon completion of HAT Stage-2 Filtering / Stage-3 Absorption loop)

• Neural Network Analysis: Threshold comparison with all trial participants (upon completion of HAT Stage-4 Analysis)

[Screenshot: HAT Options dialog, 'View' tab]

HAT Development Log (Extracts)

HAT_C15.2 (12.12.2005)

Minor cosmetic changes to reflect the renaming of the tool from the 'Head Authentication Tool' to the 'HAT demonstration tool', including renaming of HAT frames headers: Splash frame, About frame, Patent frame, HAT Properties description

Rename Options > Spectral Analysis - 'Frequency nodes' to 'Spot-frequencies'

Updated, extended and completed HAT Help.

Corrected some minor bugs

HAT_C15.1 (26.10.2004)

Change user-name text box to a combo-box containing HAT registered users names in a pull down list

- entering a registered user's name will update the user's recorded demography settings from the user's ???_id file

Add function headers to all functions

Reverse Development.log layout, with latest updates first

Convert a selection of in-program Help to HTML Help. Initial conversions include:

- HAT.ini Help link

- Capture & Analysis form

- Development Log

- Patent form

(27.10.2004)

Compile the HAT help file using VisualCHM

Add 'Contents...' to the Help menu

Add VB Help API, and implement HTML Help (CHM) for the first time

- Remove form: frmHAT_TrainHelp

- Remove form: frmHAT_IdentifyHelp

- Remove HAT.ini reference from the Help menu and from the code

Remove all Toolbar references to the removed toolbar Help link

Add 'Index...' to the Help menu

(29.10.2004)

Correct inaccurate error reporting in frmHAT_Analysis for error 'File not found' & 'Path not found'

Add crude legend (coloured underlining) to Mean and Standard-Deviation display option

Edit help files, adding: Identify, Network & Threshold, Contacts topics

(01.11.2004)

Block illegal Mode selections when performing en masse operations

Correct visibility timing issue of Network button to match Identify button

Add HAT Process sheet to Help file

(08.11.2004)

VisualCHM v4.3 (currently latest) is proving too unstable and bug ridden, so switching CHM creation to Microsoft HTML Help

Modify capture simulation to mirror current Capture operational Modes

Modify capture simulation output curve to better simulate a real HAT analysis curve, via a simple smoothing algorithm

Code the captured waveform time-domain output graph, set via Tools>Options>View, as part of the wavefile Validation cycle

Change colour allocation to indirect method; ie set operational colours in the header file and not directly in the code

(10.11.2004)

Recode Cmb_UserName_LostFocus to trap empty username field

Delete Cmb_UserName_DblClick function (no longer required), single click auto-selection

Add function: Cmb_UserName_Click, to catch username list selection

HAT_C15.0 (19.10.2004-25.10.2004)

Change tool from identification to authentication at the request of the PhD Director of Studies

Changes include massive reworking of tool, hence new major version number:

- split capture function into four separate functions: Capture, Analyse, Network & Threshold (~30 hours)

- the last user capture set is now performed by a separate function, fnLastSet

- remove Help button from toolbar...will ultimately write separate HTML Help resource

- remove Pause option and all related links...added unnecessary complication to the tool whilst offering non-essential functionality

- Add Tools>Build Networks Mode to menus with associated code; works in a similar way to Tools>Capture Mode

- Add operational modes to Review panel

- Add 'ALL' codewords to Review panel

- Add [Operational Modes] to ini file

- Reorder visibility objects in fnSetEnable; create associated Excel spreadsheet to aid development

(26.10.2004)

rework Identify function to work with the NEW thresholds file; for authentication (~6 hours)

- add dblThreshold variable to contain threshold file values (fixed and variable)

rework fnTrainSuttonOK to handle user name entry for identification in addition to capture entry, button enable status

- and rename fnTrainSuttonOK to fnIdentifyCaptureEnable, to reflect its NEW dual purpose

HAT_C14.8 (09.10.2004)

Planning on making a number of major changes (4 pages of A4) after a long paper brain storming session one evening

Changes focus on speeding up the processing time of the tool and further rationalising the forms

- Half validation: Place an option in Tools>Options>Validation to only validate half the samples. As validation's sole purpose is to ensure reliable captures, it is acceptable that validation analysis does not have to be performed on every single sample

- Add Spectral-Analysis filter Tab to Tools>Options, displaying signature nodes, and editable ncount and bandwidth

- Change HAT_Config file to HAT.ini and relocate from C:\ to the application directory, adjust code accordingly

- Change all 'on-screen message' references to 'screen prompt'

- Change the Tools>Validation Tab from text input to text+scroll-bars, and add DetectAmp option

(11.10.08)

Modify main HAT window title bar to include user name when valid, add kHAT constant to header

Add Review form option to Tools menu

Change setup icon to volume icon, to better reflect MDI call

Update HAT.ini handling to include all editable HAT options, extension of (09.10.2004)(4) above

Rebuild the vbMEla.m Matlab module, with some code optimisation

Run some tests on VB, C & Matlab to determine the speed ratings: C is 4x faster than VB which is 6x faster than Matlab

Experiment with building the routine into C with 'mcc -m vbMEta', but resultant code was bloated and NO faster

(12.10.2004)

Change centre frequencies file to minimise filter overlaps: though retaining 25 frequency points

Change n-count default to 1001 from 1301, as reducing the sampling rate (ages ago) reduced the need for the higher figure

Debug...run...debug...run...HAT

(14.10.2004)

Add facility to display the absorption signatures set of the identified user, by clicking the Train icon

Adjust validation so that it only validates the mouth samples, as these are the loudest

Correct a validation bug, where half validation was not stepping correctly through the samples

(18.10.2004)

Add frmHAT_Analysis form, as the displayed analysis data was too small to be of any use

Add point data to display near cursor, when cursor passes over relevant points

How to: Identify

Note: For HAT authentication to be performed, Matlab must be installed on the system, else an error will occur and the Identify process will exit.

Step 1: Select the HAT directory

Locate and select the 'Head Authentication Tool' directory.

• When capturing a new data-set, a temporary sub-directory will automatically be created within the HAT 'Output' directory.

Step 2: Provide training data

In order to be authenticated by the Head Authentication Tool, you must first register yourself with the system.

• Full Capture and Analysis instructions can be found here.

• The more training data you provide, over time, the more accurate the results will become.

Step 3a: Identify yourself

Input a user name.

• User names of at least 4 characters, and no more than 15 characters are allowed.

• The directory name will take the form of the entered user name, and the appropriate set number.

• If the selected user is already registered with the system, HAT will acknowledge this and assign a new data-set number for the existing user.

• If the selected user is a new user, the data-set number will default to 1.

Step 4: Try a simulation

The simulate option within the Help menu precisely mimics a normal Authentication run, and will familiarise you with the Authentication process.

• The simulation will respond appropriately to the relevant Options settings of HAT. Eg. No OnScreen prompts, show signatures etc.

Step 5: The HAT headset

Position the HAT headset correctly on your head

• Ensure there are batteries in the headset plugs: LR44.

• The headset should be positioned with: the ear-piece sitting comfortably over the centre of the ear, and the mouth microphone should be central to the open mouth, though not too close to pick up breathing.

Step 6: When ready, press 'Identify'

Press Identify, and in a normal speaking voice, recite some text during the capture stage of the process.

• Try to time your responses to correspond with the green portion of the timing-bar, below the display.

• Each response will automatically be validated in real-time. Yellow indicators will appear in the timing-bar indicating the main spoken part of the capture.

• HAT will determine the appropriate authentication response and notify the user accordingly.

• Identification requires a complete set of Neural-Network & Threshold data files to be present.


How to: Capture & Analysis

Note: For HAT data Analysis to be performed, Matlab must be installed on the system, else an error will occur.

Step 1: Select the HAT directory

Locate and select the 'Head Authentication Tool' directory.

• When capturing a new data-set, a unique user sub-directory will automatically be created within the HAT 'Output' directory.

Step 2: Select the Capture & Analysis Mode of operation

Via the Tools>Capture Mode menu, select the Capture & Analysis, mode of operation desired.

Step 3a: Identify yourself

Input a user name.

• User names of at least 4 characters, and no more than 15 characters are allowed.

• The directory name will take the form of the entered user name, and the appropriate set number.

• If the selected user is already registered with the system, HAT will acknowledge this and assign a new data-set number for the existing user.

• If the selected user is a new user, the data-set number will default to 1.

Step 3b: User demography

Select the appropriate demographic options, i.e. Sex, Nationality, Age.

Step 4: Try a simulation

The simulate option within the Help menu precisely mimics a normal Capture & Analyse run, and will familiarise you with the Capture & Analyse process.

• The simulation will respond appropriately to the relevant Options settings of HAT. Eg. No OnScreen prompts, show signatures, etc.

Step 5: The HAT headset

Position the HAT headset correctly on your head

• Ensure there are batteries in the headset plugs: LR44.

• The headset should be positioned with: the ear-piece sitting comfortably over the centre of the ear, and the mouth microphone should be central to the open mouth, though not too close to pick up breathing.

Step 6: When ready, press 'Capture'

Press Capture, and in a normal speaking voice, recite each character which appears in the 'text-to-speak' central display.

• Try to time your responses to correspond with the green portion of the timing-bar, below the display.

• Characters will appear in the order they are presented in the spoken-text file.

• Each response will automatically be validated in real-time. Yellow indicators will appear in the timing-bar indicating the main spoken part of the capture.

How to: Network Analysis & Thresholds

Note: For HAT Network and/or Threshold to be performed, Matlab must be installed on the system, else an error will occur.

Step 1: Select the HAT directory

Locate and select the 'Head Authentication Tool' directory.

• When networking a data-set, the source files are located within the HAT 'Output' directory.

Step 2: Provide Capture & Analysis data

In order to build neural-networks, captured data must first have been analysed, and the MEa data files created.

• Full Capture and Analysis instructions can be found here.

Step 3: Select the Network Mode of operation

Via the Tools>Network Mode menu, select the Networking, mode of operation desired.

• For authentication to be performed Network & Threshold are both required, else an error will occur.

Step 4: When ready, press 'Network'

Press Network, and the tool will attempt to build the selected users Neural-network and/or Threshold resources.

• Neural-network creation requires a complete registered user's set of Capture & Analysis MEa data files to be present.

• Threshold creation requires at least two complete data sets to be present, one being fed into the other.

How to: En-Masse Operations

HAT has been enabled with the facility to perform the primary Analysis and Networking operations en masse.

En masse processing:

• will perform the requested operation on ALL registered users autonomously.

• triggers minimal internal delays, reducing individual user processing time by as much as 40%.

• is triggered by entering a case-sensitive codeword as the username before activating the required process.

• will automatically set the valid Mode of operation, blocking any changes until the codeword is removed.

• must be performed in the order shown, as each stage depends on the previous stage's results.

Codeword     Function
ANALYSE      Analyse ALL captured users wavefiles
NETWORK      Build Neural-Networks for ALL users
THRESHOLD    Calculate Thresholds for ALL users

Contacts

All comments should first be directed to the project's author:

• Mr. Philip Rodwell

Network Research Group

University of Plymouth UK.

The author's PhD Director of Studies and Head of the Network Research Group is:

• Dr. Steven Furnell

Network Research Group

University of Plymouth UK.

The project's industrial supervisor is:

• Prof. Paul Reynolds

Orange PCS

Bristol. UK.


Appendix G : HAT Trials Timetable

Appendix G

HAT Trials Timetable

A table documenting HAT trials participants' demography and session data (Section 7.3)

User  User Alias (1)  Sex  Nationality (2)  Session 1         Session 2         Elapsed  Notes (3)
1     u01_Phi         M    English          09.09.2004 14:30  15.09.2004 21:00  6        Mild cold session 2
2     u02_Nit         F    Mauritian        13.09.2004 20:00  15.09.2004 12:00  2        Session 3 - Creole
3     u03_Viv         F    English          11.09.2004 21:00  16.09.2004 20:30  5
4     u04_Aun         M    Burmese          09.09.2004 17:00  16.09.2004 14:00  7        Session 3 - Burmese
5     u05_Vas         M    Greek            09.09.2004 15:00  14.09.2004 14:45  5        Session 3 - Greek
6     u06_Zak         M    Indian           09.09.2004 16:30  22.09.2004 15:00  13       Session 3 - Hindi
7     u07_Don         F    English          10.09.2004 12:00  14.09.2004 17:00  4
8     u08_Adr         M    Romanian         09.09.2004 16:15  22.09.2004 15:30  13
9     u09_Stv         M    English          09.09.2004 17:15  22.09.2004 16:00  13
10    u10_Pau         M    English          10.09.2004 17:00  14.09.2004 16:45  4
11    u11_Abd         M    Arabic           09.09.2004 14:45  16.09.2004 12:30  7        Session 3 - Arabic
12    u12_Nat         M    English          09.09.2004 16:00  14.09.2004 14:00  5
13    u13_Bog         M    Romanian         09.09.2004 16:45  22.09.2004 17:15  13
14    u14_Shu         M    Malaysian        09.09.2004 14:45  14.09.2004 14:15  5        Session 3 - Malay
15    u15_Ibr         M    Turkish          14.09.2004 10:00  14.09.2004 15:00  0.5      Session 3 - Turkish
16    u16_Fen         F    Greek            22.09.2004 17:00  23.09.2004 16:30  1
17    u17_Pet         M    English          15.09.2004 20:00  22.09.2004 21:30  7
18    u18_And         M    English          22.09.2004 16:30  23.09.2004 14:00  1
19    u19_Sim         F    English          16.09.2004 16:00  24.09.2004 14:30  8
20    u20j;ja         M    Indonesian       23.09.2004 14:00  24.09.2004 14:00  1

(1) The HAT Application allocates user aliases according to the entered user name to preserve trial participants' anonymity.

(2) All sessions were recorded in English unless otherwise stated.

(3) Non-English sessions (session 3) were performed immediately after session 2.

Appendix H : Published Works

Appendix H

Published Works

H1 Conference Invited Speaker (Powerpoint)

Communication Fraud Control Association, Spring 2000

H2 Published Paper

PG-NET 2000

H3 Poster Presentation

Britain's Younger Engineers in 2000

H4 Published Paper

Euromedia 2001

H5 Journal Article

British Computer Society - South West Journal

H6 Poster Presentation

Britain's Young Engineers in 2001

H7 Published Paper

Third International Conference on 3G Mobile Communication Technologies

H8 Journal Paper

Computers and Security (Elsevier Science)

H9 Poster Presentation

Third International Networking Conference (INC 2002)

H10 Poster Presentation

Biometrics 2002

H11 Additional Published Works


H1 Conference Invited Speaker (Powerpoint)

Communication Fraud Control Association, Spring 2000

Presentation on behalf of Orange PCS.

2-5 May 2000, Crowne Plaza Hotel, The Royal Mile, Edinburgh, Scotland.

"Non-intrusive Security in 3G — UMTS, Subscriber Authentication"

Non-intrusive Security in 3G - UMTS
Subscriber Authentication
- an Operator's Perspective
Mr. Philip Rodwell
PhD Research Student
University of Plymouth
United Kingdom

Overview
CFCA Spring 2000
• Introduction
• 2G - Security Issues, specifically GSM
• 3G - Authentication Requirements, UMTS
  - Justification of requirements
• Review potential 3G security solutions
• Summary

Introduction
Security provisions within the current GSM network are primarily aimed at secure communications through data encryption and terminal authentication via the SIM card.
The proposed services of UMTS demand a more secure subscriber based authentication system in order to protect personal information in the event of masquerade attacks.

GSM Security (2G)
Terminal Authentication
• International Mobile Equipment Identifier (IMEI)
  - In conjunction with the Equipment Identity Register (EIR)
• Subscriber Identity Module (SIM)
Subscriber (SIM) authorisation (impersonal)
  - In conjunction with an Authentication Centre (AuC)
  - Personal Identification Number (PIN) (Personal)

GSM Security
The SIM Card
• Subscriber Identity Module
• Terminal authentication (IMSI)
• Data encryption (cipher key)
• Personal user data
• Unique Operator data
• SIM toolkit - e.g. SMS
[Image label: ID-1 SIM]

GSM Security
Subscriber Authentication
• What you have - Token SIM card
• What you know - Password/PIN
  - Point-of-entry authentication only
  - Subscriber intrusive
  - Relies on transferable knowledge
• What you are - Physiological signature ?

3G Introduction
The Evolution to 3G
[Chart: evolution of data rates (bit/s) towards 3G; legible labels: EDGE, 9.6 kbit/s, 2001]

3G Introduction
UMTS
• Universal Mobile Telecommunications System
• Standards Committee: 3G Partnership Projects
• A complete global system (Standard)
• Broadband Service - up to 2 Mbit/s (~400 kbit/s)
• 5 x 20 year Licences (Total value: £22.47 Billion)
• Expected introduction date 2001/2

3G = 1G Convergence
[Diagram: UMTS at the centre of converging services; legible labels: Telephony, Internet (Computing), Personal Digital Assets, Scheduling (Diary), Conferencing]

3G Security Requirements
The Changing Business Model
[Diagram: chain of providers; legible labels: Content Provider, Service Provider, Yahoo, Virgin, Orange, Nokia, Ericsson]
• Who owns the customer ?
• Each party in the chain needs to know that content is secure

3G Security Requirements
Implications for Operators
• Move from bit-shifter to broker
• Greater responsibility
  - Content now includes bank details, share portfolios....
• Increased accountability
• Non-repudiation agreements
• Consequential Damages

3G Security Requirements
The Difference is Services
• Mobile Phone → Personal Digital Assistant (PDA)
• Financial details enabling e-commerce
• Electronic certificates for digital signatures
• Full contact details of friends & associates
• Personal Scheduler (Calendar)
• Medical details
• A real need for increased access security

3G Security Requirements
Subscriber Authentication
• Preventing against masquerade attacks:
  - What you have - Token SIM card
  - What you know - Password/PIN
  - What you are - Physiological signature
• Personal (Non-Terminal) subscriber authentication
• Real-time + Point-of-entry authentication
• Non-intrusive security techniques
• Biometric subscriber signaturing

3G Security Requirements
Biometric Authentication Techniques
• Physiological Signaturing
  - Vision verification (Facial recognition) - 2D/3D techniques
  - Fingerprint/Palmprint
• Behavioural profiling
  - Voice verification (Speaker recognition)
  - Services profile
  - System profile

3G Security
A Biometric authentication system
MC 959 ID
• Dualband GSM (900/1800) handset
• Incorporates compact fingerprint reader into the back panel.
• Provides secure authentication for advanced services like e-commerce and mobile banking
• No real need for access PIN

Authentication Centricity
Terminal-centric
• Inherently insecure ?
  - Security system held within the terminal SIM
• Signature confidentiality in hands of subscriber
• Potentially fast authentication (better transparency)
  - Increased Mobile Equipment (ME) CPU usage
  - Subsequent increase in terminal cost
• Link independent (bandwidth independent)

Authentication Centricity
Network-Centric
• Potential for increased personal mobility
  - Network holds subscriber's personal identifier
  - Need not carry a network access terminal (subscriber)
• Signature confidentiality in hands of network
• Overhead of increased network traffic
  - Minimal increase in ME CPU operations
• Link dependent (bandwidth restricted)

2G/3G Authentication
Scope of Mobility
[Diagram; legible labels: Terminal, User, Network, Terminal Mobility, Personal Mobility]

3G Security
Primary Issues for Network Operators
• Dependent on centralisation of solution
• Increased administration
• Increased hardware cost (Mobile Equipment)
  - Larger memory requirements
  - faster CPUs
  - larger (heavier) batteries
• Biometrics is as much about convenience as security

Summary
UMTS Authentication Requirements
• 2G Authentication Techniques
  - Terminal based (SIM card)
• Need for increased authentication techniques
  - Subscriber rather than terminal authentication
• Based on biometric signaturing and/or profiling
  - Operates in real-time
  - Non-intrusive to the end user
• Network or Terminal based ?

3G Today
Welcome to the 21st Century
Video Phone
Internet Access e-mail e-commerce ee-backpain...!
the future's bright... the future's Orange

H2 Published Paper

PG-NET 2000

Symposium on the Convergence of Telecommunications, Networking and Broadcasting.

19-20 June, John Moore's University, Liverpool, UK.

"Non-intrusive security requirements for third generation mobile systems"


Non-intrusive security requirements for 3rd generation mobile systems

P.M. Rodwell†, S.M. Furnell† and P.L. Reynolds‡

† Centre for Communications, Networks and Information Systems, Department of Communication & Electronic Engineering, University of Plymouth, United Kingdom

‡ Orange Personal Communications Services Ltd, St James Court, Great Park Road, Bradley Stoke, Bristol, United Kingdom

Abstract

The next few years will witness the emergence of third generation mobile technologies, such as the Universal Mobile Telecommunications System (UMTS). The increased bandwidth available will enable the support of significantly wider application scenarios than the voice telephony and basic data services of current networks. This expansion of services will also demand a corresponding increase in the level of protection provided by the devices and network operators. This paper considers the security requirements of UMTS, with particular focus upon subscriber authentication techniques, comparing them against the more basic measures that have been considered satisfactory within second-generation systems such as GSM.

Introduction

The world wide market for mobile telephone technologies has experienced dramatic growth in recent years. Statistics from October 1999 indicated that there were 376.5 million subscribers (with a growth of 52.5% having been experienced in the previous twelve months) and the forecast market by 2003 will exceed one billion (Intekom, 1999). The mobile technologies themselves have already evolved from the voice-only analogue systems of the mid to late 1980s, to the current second generation (2G) systems, introduced in the early 1990s. These systems, based upon digital technology, have enabled mobile data links, albeit at rather limited rates (e.g. 9.6 Kbit/s). Second generation networks are currently being enhanced with a range of data-oriented developments, designed to increase both the capacity of the air interface (e.g. the General Packet Radio Service, GPRS) and the range of mobile data services (e.g. the Wireless Application Protocol, WAP). However, by 2001, it is expected that these technologies will begin to be superseded by third generation (3G) systems such as UMTS, the Universal Mobile Telecommunications System (UMTS Forum, 1998).

UMTS aims to provide a complete, global system and offer a broadband service of up to 2 Mbit/s. This increased capacity will facilitate a fundamental improvement in mobile services, offering the potential for true multimedia capabilities. As such, UMTS is seen as the natural evolutionary path for both subscribers and operators, and a competitive market can already be seen to exist. At the time of writing, the auction of five UMTS licenses in the UK have all attracted bids in excess of £3.5 billion from the network operators (Rushe and Oldfield, 2000).

As service opportunities advance, so too do the requirements to protect subscribers and network operators from the possible effects of fraud and unauthorised use. This paper considers the security requirements for 3G systems, comparing them to the established security practices utilised within 2G networks. Specific requirements are considered from the subscriber perspective, leading to the identification of a requirement for non-intrusive methods that do not impede legitimate activity.


Security in second generation (2G) systems

The most widespread 2G system is the Global System for Mobile Communications (GSM) (Mouly and Pautet, 1992), which, by September 1999, accounted for 344 operational networks across 127 countries (GSM Association, 1999). Security provision in GSM networks is largely geared towards secure communication (i.e. radio interface encryption) and terminal-based authentication. The latter is achieved via the combination of the Subscriber Identity Module (SIM) and the International Mobile Equipment Identifier (IMEI). The SIM holds the subscriber's personal information, such as contact numbers and text messages that have been sent and received. The SIM also contains the International Mobile Subscriber Identity (IMSI), enabling the subscriber to be uniquely identified, irrespective of the handset into which their SIM may be placed. The terminal itself can be uniquely identified via the IMEI number. This can be used in conjunction with the operator's Equipment Identity Register (EIR) database to determine the status of a device. This status will indicate that the terminal is either white-listed (i.e. allowed to access the network), grey-listed (i.e. under observation for possible problems) or black-listed (i.e. not permitted to connect to the network as it has been reported as stolen or is not of an approved type). This provides a good level of access control between the terminal devices themselves and the network.

Relatively little attention is paid to the authentication of the person using the handset or their access to services. Authentication of the subscriber to the terminal is normally achieved via a Personal Identification Number (PIN), which is also held in the SIM. This is a facility that the subscriber must enable on the handset before any protection is provided and, assuming they have done this, the level of protection can still vary between devices.

On some systems, the PIN will only be invoked when the handset is first switched on, whereas on others the subscriber also has the option to put the device into a 'locked' state whilst it is still in standby mode (requiring PIN entry before further actions are possible).

Having said this, PIN protection can generally be considered commensurate with the level of risk associated with unauthorised use. Unless the terminal is lost/stolen (in which case the subscriber would be expected to report it and access would be denied by the operator), the window of opportunity for unauthorised use by an impostor who has breached the PIN would be relatively brief, with relatively contained potential consequences.

Requirements for security in third generation (3G) devices

The proposed services of UMTS (Cox, 1997) demand a more secure subscriber-based authentication system in order to protect personal information in the event of masquerade attacks. On a typical second-generation handset, the consequences from theft or impostor access can be broadly grouped into two categories:

• financial loss, as a result of the thief making calls at the legitimate subscriber's expense (depending upon the policy of the operator, these losses may not be passed on to the subscriber once the handset is reported as stolen),

• breach of personal privacy, as a result of the names of the subscribers' contacts and their telephone numbers being held within the SIM card. However, it is acknowledged that this is a fairly limited amount of information, the disclosure of which would not normally be considered highly sensitive. Stored text messages may potentially have more significance, but would not generally represent a significant body of information.


When considering the nature of a 3G device, however, the potential consequences become more severe. The reason for this is that we are likely to witness convergence with Personal Digital Assistant (PDA) type devices and an expansion in the range of possible services that can be accessed. As such, a device might also store:

• financial details to enable mobile commerce payments;

• electronic certificates for digital signatures;

• full contact details of friends and associates;

• miscellaneous information of a commercially sensitive or private nature (e.g. entered into scheduler or notepad applications).

The need for security within UMTS has already been recognised and relevant standards work is progressing in a number of areas, including (3GPP, 2000):

• definition of a UMTS security architecture and specification of underlying elements;

• detailing of security requirements for UMTS service provision (e.g. user access, billing fraud control) and physical network elements (e.g. user identity module, core network and interfaces to non-UMTS networks);

• requirements specification of cryptographic algorithms;

• development of security guidelines.

Aspects such as these will inform the implementation of UMTS networks and services by the international community.

One significant consideration is whether security monitoring should reside within the subscriber's terminal or within the network. Compared to GSM, UMTS does not share the concept of a home network - the 'universal' aspect suggested in the name is based upon roaming between operators to suit the service required. This indicates a need for security to be focused within the handset, as to rely on it within the network will only be as strong as the weakest link (in terms of operators). However, a counter-argument is that UMTS also supports personal mobility, where a subscriber may register with any terminal (fixed or mobile) in order to access services. In this scenario, the subscriber's profile would need to be accessed from the network in order to determine valid services. A terminal-based approach has the advantages that the confidentiality of security details is in the hands of the subscriber, as opposed to being held by the network operator. In addition, authentication and supervision may be performed without imposing any network traffic overhead and independently of link/bandwidth availability. With network-centric monitoring, details would need to be collected on the terminal and then transmitted for remote analysis. A hybrid approach is likely to represent the most appropriate solution.

In addition to terminal and network security, certain services, such as e-commerce, may also incorporate their own security safeguards in addition to the standard facilities within the network and the terminal. This can already be seen to be the case with current e-commerce web sites, which typically require supplementary identification and authentication via their own usernames and passwords before the user is permitted to make purchases.


Non-intrusive security options

Even in 2G systems, PIN codes do not represent an ideal form of subscriber authentication. Their use can be criticised in a similar manner to traditional passwords in desktop IT systems, in that subscribers may introduce vulnerabilities by sharing them with other people or writing them down (Jobusch and Oldehoeft, 1989). In addition, PINs can be considered to be intrusive, as they require specific actions from the subscriber in order to authenticate themselves. Where a subscriber wishes to make a quick call or mobile-based transaction, the need to firstly enter a PIN can be a hindrance. As a consequence, many subscribers do not make use of the facility to lock their handsets between transactions (leaving them in a vulnerable state if lost or stolen). Ideally, there is a requirement for non-intrusive or transparent protection measures, such that the provision of security does not unduly interrupt or inconvenience the legitimate subscriber.

One of the stated requirements for secure UMTS service provision is that it should be possible for service providers to "authenticate users at the start of, and during, service delivery" (3GPP, 1999). Authentication during service delivery represents a departure from the standard approach of 2G systems and again implies the need for some form of transparent measure to avoid disrupting a subscriber's legitimate activity. Options for achieving this may be related to periodic/continuous supervision of activity, utilising profiling techniques or biometrics.

There is already a significant emphasis upon subscriber profiling in order to counter fraud, with operators applying data analysis techniques to network data in order to identify and flag potentially fraudulent transactions (Modisette, 1999). The same principles could be extended to address user authentication (i.e. to prevent masquerade attacks) and anomaly detection. Profiling could encompass factors such as the types of services typically accessed and the times/durations of access in order to construct a model of the subscriber's normal behaviour. Such techniques have been the focus of work in general IT for some time and have been incorporated into network-based intrusion detection systems (Porras and Neumann, 1997).

The features of 3G terminals that will enable more advanced subscriber services will also offer the potential to facilitate more advanced security options. For example, a number of biometric approaches (Cope, 1990) could conceivably be integrated in a non-intrusive manner, depending upon the nature of the mobile device and the service being accessed.

Suitable options include:

• voice verification, for use in traditional voice-telephony scenarios;

• facial-recognition, for videophone applications;

• fingerprint recognition, to detect that the correct person is holding the handset (such a technique already exists in the Sagem MC 959 ID handset - see www.sagem.com);

• keystroke analysis, enabling authentication via key interactions (Furnell et al, 1996);

• handwriting recognition, in scenarios where the user may interact via a pen and touch-screen combination.

Such information could be gathered to facilitate real-time identity verification, leading to progressive withdrawal of accessible services (e.g. e-commerce transactions, international call capability) as more potential problems are identified. Anomaly detection could also be based upon current activity, matching overall rules that have been pre-determined to suggest anomalous conditions. Significant departure from a subscriber profile could trigger further levels of response, such as locking the terminal or authentication via a human intermediary (an operator), who could then take the necessary steps to verify the user's legitimacy.


It is considered that information such as that listed above could be most usefully handled within a flexible security framework, which is able to intelligently monitor the available characteristics based upon the current activity of the subscriber. For example, voice verification could be utilised during a voice call, but during an e-commerce transaction it could be replaced by other characteristics that are more appropriate to the context, such as keystroke analysis. The monitoring system would determine which characteristics, from those available on the terminal, should be assessed at any given time and then pass on the relevant data for analysis. The analysis itself could be network or terminal-based. However, to avoid traffic overhead (as previously mentioned), the latter approach may be preferable.

The terminal could then securely send the results to a network-based monitoring agent for access decisions (the involvement of the network level ensures that the network operator / service provider is kept aware of potential compromise). In this scenario, the network ultimately remains in control of the security and could request re-sampling by the terminal if the authentication results were inconclusive. Such an arrangement is illustrated in figure 1 below. The approach would be non-intrusive in the sense that the terminal user would be unaware of the security system unless compromise is suspected.

[Figure 1 (diagram). Labels: Terminal; Network; Monitoring Agent; External notifications (e.g. stolen handset); Analysis results; Access decisions / re-authentication requests; Analysis; Profile Comparison; Data Collection; Potential characteristics: Service utilisation, Face, Voice, Profile, Keystrokes]

Figure 1: Potential subscriber monitoring scenario

In this scenario, PIN or password-based methods could still be utilised, but would represent a baseline approach, invoked only when other monitoring methods are not able to provide sufficient data for conclusive analysis. The authors are currently in the early stages of a research project addressing these issues.
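The monitoring loop of Figure 1, sketched in Python as an added example that is not part of the original paper: the terminal picks characteristics suited to the current activity, and a network-side agent turns each analysis result into an access decision, a re-sampling request, a PIN fallback or a lock. The thresholds, confidence steps, service names and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Characteristic suited to each activity (voice for calls, keystrokes for
# transactions, face for videophone, as in the paper's examples).
CONTEXT_CHARACTERISTICS = {
    "voice_call": ["voice"],
    "video_call": ["face", "voice"],
    "e_commerce": ["keystrokes"],
}
# Assumed minimum confidence (0-100) each service needs; the most sensitive
# services are withdrawn first as confidence falls.
SERVICE_MIN_CONFIDENCE = {"e_commerce": 80, "international_calls": 60, "national_calls": 30}
ACCEPT, REJECT = 75, 35      # assumed match-score bounds; in between is inconclusive
LOCK_BELOW = 30              # assumed confidence below which the terminal is locked


def select_characteristics(activity, sensors):
    """Terminal side: choose what to sample for the current activity."""
    return [c for c in CONTEXT_CHARACTERISTICS.get(activity, []) if c in sensors]


@dataclass
class MonitoringAgent:
    """Network side: turns terminal analysis results into access decisions."""
    confidence: int = 100     # full trust straight after point-of-entry login
    inconclusive: int = 0     # consecutive inconclusive results
    max_resamples: int = 2
    locked: bool = False

    def _decision(self, action):
        services = [] if self.locked else [
            s for s, need in SERVICE_MIN_CONFIDENCE.items() if self.confidence >= need]
        return {"action": action, "services": services}

    def notify_stolen(self):
        """External notification, e.g. the subscriber reports the handset stolen."""
        self.locked = True
        return self._decision("lock_terminal")

    def report(self, characteristics, score):
        """Handle one analysis result (score 0-100, or None if nothing was sampled)."""
        if self.locked:
            return self._decision("lock_terminal")
        if not characteristics or score is None:
            return self._decision("request_pin")      # no transparent data: baseline PIN
        if score >= ACCEPT:
            self.confidence = min(100, self.confidence + 20)
            self.inconclusive = 0
        elif score <= REJECT:
            self.confidence = max(0, self.confidence - 40)
            self.inconclusive = 0
        else:
            self.inconclusive += 1
            if self.inconclusive > self.max_resamples:
                return self._decision("request_pin")  # still inconclusive: fall back to PIN
            return self._decision("resample")
        if self.confidence < LOCK_BELOW:
            self.locked = True
            return self._decision("lock_terminal")    # or hand over to a human operator
        return self._decision("allow")

    def pin_result(self, correct):
        """Outcome of the intrusive fallback challenge."""
        if correct:
            self.confidence, self.inconclusive = 100, 0
            return self._decision("allow")
        self.locked = True
        return self._decision("lock_terminal")


def run_session(sensors, events):
    """Replay (activity, score) pairs through a fresh agent; returns its decisions."""
    agent = MonitoringAgent()
    return [agent.report(select_characteristics(act, sensors), score) for act, score in events]


if __name__ == "__main__":
    # Constructed session: owner on a voice call, then an impostor starts typing.
    handset = {"voice", "keystrokes"}
    for d in run_session(handset, [("voice_call", 90), ("e_commerce", 20), ("e_commerce", 10)]):
        print(d)
```

In the constructed session the first low keystroke score withdraws e-commerce while calls remain available, and the second locks the terminal, which is the progressive withdrawal of services the paper describes.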

Conclusions

The capabilities of 3G mobile systems will open up a range of new service opportunities and, as a consequence, will impose new security requirements. This paper has identified the requirement for non-intrusive methods of subscriber authentication and supervision. Further work is required to establish an appropriate monitoring framework and the monitoring methods best suited to mobile application. While biometric systems have been evaluated in the context of desktop IT systems, little work has been conducted to assess their effectiveness in the mobile environment. As such, further research is required to determine whether existing methods can be tailored or, indeed, whether new approaches identified.


References

3GPP. 1999. 3G Security: Security Threats and Requirements. 3rd Generation Partnership Project. Technical Specification Group Services and System Aspects. Document 3G TS 21.133 version 3.1.0.

3GPP. 2000. Terms of Reference: Services and System Aspects - Working Group 3. TSG SA WG3 - Security. http://www.3gpp.org/TSG/ToR/TSG-SA/sa3-tor.htm

3GPP TS 25.855 High Speed Downlink Packet Access (HSDPA); UTRAN description

3GPP TS 25.856 High Speed Downlink Packet Access (HSDPA); Layer 2 and 3 aspects

3GPP TS 25.876 Multiple-Input Multiple-Output Antenna Processing for HSDPA

3GPP TS 25.877 High Speed Downlink Packet Access (HSDPA) - Iub/Iur Protocol Aspects

3GPP TS 25.890 High Speed Downlink Packet Access (HSDPA); User Equipment (UE) radio transmission and reception (FDD)

Cope, B.J.B. 1990. "Biometric Systems of Access Control". Electrotechnology, April/May: 71-74.

Cox, A. 1997. "New Services for UMTS". Proceedings of UMTS - The Next Generation of Mobile, London, UK, 27-29 October 1997.

GSM Association. 1999. "GSM Worldwide Networks on Air". GSM Association, 'GSM World' website. 6th Sept. 1999. http://www.gsmworld.com/membership/networks_on_air.html.

Furnell, S.M.; Green, M.; Hope, S.; Morrissey, J.P. and Reynolds, P.L. 1996. "Non-Intrusive Security Arrangements to support Terminal and Personal Mobility". Proceedings of EUROMEDIA 96, London, UK, 19-21 December 1996: 167-171.

Intekom. 1999. "Latest Global & Regional Cellular Statistics - World Cellular Indicators". http://home.intekom.com/cellular/statistics_latest.htm.

Jobusch, D.L. and Oldehoeft, A.E. 1989. "A Survey of Password Mechanisms: Part 1", Computers & Security, Vol. 8, No. 7: 587-604.

Modisette, L. 1990. "State-of-the-Art in Preventative Fraud Systems". Proceedings of The 1999 GSM World Congress - Day 2. Cannes, France, 23-25 February 1999.

Mouly, M. and Pautet, M. 1992. The GSM System for Mobile Communications. Mouly and Pautet, 4 rue Elisee Reclus, F-91120 Palaiseau, France.

Porras, P.A. and Neumann, P.G. 1997. "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of 20th National Information Systems Security Conference, 9 October 1997.

Rushe, D. and Oldfield, C. 2000. "The biggest game in town". The Sunday Times, Business Focus, 16 April 2000: 3.

UMTS Forum. 1998. The Path towards UMTS - Technologies for the Information Society. Report no. 2. The UMTS Forum, http://www.umts-forum.org/reports.html


H3 Poster Presentation

Britain's Younger Engineers in 2000

4 December 2000, House of Commons, Houses of Parliament, London, UK.

"Advanced Authentication and Intrusion Detection Technologies"


Advanced Authentication and Intrusion Detection Technologies

[Poster reproduced as an image; its body text is not legible in this copy. Legible elements: an author list including Paul Dowland, Dr Steven Furnell, Prof Reynolds and Philip Rodwell; the affiliation Network Research Group, Department of Communication and Electronic Engineering, University of Plymouth, UK; and the Orange logo.]

H4 Published Paper

Euromedia 2001

18-20 April 2001, Universidad Politecnica de Valencia, Spain.

"A Conceptual Security Framework to support Continuous subscriber Authentication in third generation mobile networks"


A Conceptual Security Framework to support Continuous subscriber Authentication in third generation mobile networks

P.M.Rodwell†, S.M.Furnell† and P.L.Reynolds‡

† Network Research Group, Department of Communication and Electronic Engineering, University of Plymouth, Plymouth, United Kingdom.

‡ Orange Personal Communications Services Ltd, St James Court, Great Park Road, Bradley Stoke, Bristol, United Kingdom.

K E Y W O R D S

UMTS, Authentication, Security, RM-ODP. private data, will demand a parallel and corresponding increase in the level of protection provided by the terminal devices and the associated network operators.

A B S T R A C T

This paper discusses a conceptual framework addressing the issue of continuous subscriber authentication for 3"* generation mobile networks, based upon the International

Telecommunications Union Reference Model for Open

Distributed Processing (RM-ODP). Security provisions within current 2"^ generauon mobile networks such as

GSM, are primarily aimed at secure communications through data encryption and terminal authentication via use of a smart card (SIM). Proposed services of the

Universal Mobile Telecommunications System (UMTS) demand a more secure subscriber based authentication system, in order to protect personal information in the event of masquerade attack. Any authentication technique will be an integral pari of an overall real-time security framework in order to offer continuous protection. In exercising the first three viewpoints of the

RM-ODP, a summation of key security issues and a conceptual framework presented.

INTRODUCTION

It is not difHcuIt to see that we are currently in the middle of a mobile communications revolution. From the appearance of mobile communication devices in school playgrounds, to more abstract applications of the technology, such as GSM equipped clothing

(Philips, 1999). Owing to its circuit switched nature and a limited bandwidth of only 9.6kbit/s, it is recognised that the current GSM air interface is only

practically suitable for voice telephony, text messaging and rudimentary data services. However, the next few years will witness the evolution of GSM technologies into a wireless Internet of advanced packet switched data services exhibited by the General

Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE) standards; culminating sometime in the next few years in 3"*

Generation (3G) networks. Proposed by the

International Telecommunications Union (ITU) initiative, IMT-2000, 3G mobile communications for

Europe will come under the banner of UMTS (UMTS

Forum, 2000). The proposed increases in bandwidth available will enable service providers to support significantly wider application scenarios than voice and the rojdimeniary data services of current cellular networks. This expansion of services, especially data services and the subsequent increase in personal and

This paper will introduce and justify one of the most important of these security requirements, enhanced subscriber authentication, proceeding to discuss key issues pertaining to a conceptual security framework capable of supporting alternative advanced authentication techniques, in addition to the principle of non-intrusive and continuous monitoring. Although this paper does not discuss any specific continuous authentication mechanisms, the bias is towards biometrics, owing to its inherent suitability to non-intrusive application (Biometrics Consortium, 2000).

The framework discussed in this paper takes a top-down approach to the problem, introducing and discussing relevant issues through the use of the ITU Reference Model for Open Distributed Processing.

ENHANCED AUTHENTICATION - A 3RD GENERATION REQUIREMENT

When considering the proposed services of UMTS (Cox, 1997), and the nature of future 3G devices, we realise that a more secure subscriber-based authentication system is essential in order to protect personal information in the event of masquerade attack (3GPP, 1999). A primary reason for this is the hastening convergence of mobile devices with Personal Digital Assistant (PDA) type devices, and the subsequent expansion in the range of possible services enabled as a consequence. In spite of the impoverished Man-Machine Interface (MMI) inherent to these devices (Nielsen, 1999), there is still a growing trend towards Internet style services through developments like the Wireless Application Protocol (WAP) in Europe and I-Mode in Asia. The potential consequences of masquerade attacks are therefore far more severe, owing to the additional and more personal information that these mobile/PDA devices are now storing and exchanging:

• financial details facilitating m-commerce

• electronic certificates for digital signatures

• full contact details of family and associates

• commercially sensitive miscellaneous information (e.g. scheduler/notepad files)

A key aspect of any proposed security framework is the balance of storage and distribution of the sensitive subscriber signature data within the communications device (handset) and across the network.


Compared to GSM, UMTS does not share the concept of a home network - the 'universal' aspect suggested in the name is based upon roaming between operators to suit the service required. In order to support true personal mobility, where a subscriber may register with any terminal interface (fixed or mobile) in order to access services, profiles need to be distributable throughout the network. The subscriber's profile could theoretically be accessed from any point within any compliant network in order to authenticate access to valid subscribed services. In such a network-centric solution, security details would be collected on the terminal and then securely transmitted and securely stored within the network for remote analysis.

REFERENCE MODEL OF OPEN DISTRIBUTED PROCESSING

The Reference Model of Open Distributed Processing (RM-ODP, 1994) was a joint effort by the International Standards Organisation (ISO) and the ITU-T to develop a coordinating framework for the standardisation of open distributed processing (ODP), supporting heterogeneous interworking between systems. The model describes an architecture, integrated into which are distribution, interworking, interoperability and portability. The RM-ODP framework takes a top-down approach, defining five abstract system viewpoints: Enterprise, Information, Computation, Engineering and Technology. The different viewpoints enable one to move progressively away from the conceptual world of user interfaces and enter into the tangible world of the supporting technologies and hardware infrastructures.

View-points

The prescriptive framework, RM-ODP Part 3, proposes five viewpoints decomposing the specification of the ODP system, focusing on the separate concerns. Using the conceptual structures rules and functions, a fundamental framework is generated specifying and bounding the proposed ODP system.

The five viewpoints of the RM-ODP are briefly categorised as follows:

• Enterprise: Purpose, Scope & Policy analysis. Organisational policies, performative actions.

• Information: Semantics and Information Processing. Required information through the use of Schemas.

• Computational: Functional Decomposition. Functionality of ODP application, object handling.

• Engineering: Infrastructure to support the distribution.

• Technology: Technology for implementation.

Using this top-down approach, a large and complex system specification can be broken down into smaller, separate and manageable pieces, each focusing on the relevant issues to a particular working group.

CONCEPTUAL FRAMEWORK TO SUPPORT CONTINUOUS MOBILE AUTHENTICATION

This section addresses conceptual issues when considering techniques for discrete real-time authentication over a mobile communications network. The discussion covers the first three viewpoints of the Requirements Analysis and Functional Specifications sections of the RM-ODP schematic (Figure 1).

Figure 1: RM-ODP Viewpoints [diagram labels: Enterprise, Information, Computational, Engineering, Technology; Requirements Analysis, Functional Specification, Design, Implementation]

Low level engineering and hardware infrastructure issues have not been considered at this stage.

Enterprise (business) Viewpoint

The enterprise viewpoint addresses the performative actions governing the proposed framework. This is achieved through the use of active and passive objects, where an object is any unique entity within the framework; groups of objects or object communities, purposefully grouped to achieve a larger goal; and object permissions/prohibitions or roles of objects.

Top Level Objects

Under normal operation, there is only one active object within the security framework:

• the subscriber.

In the extreme case that the system is unable to resolve a security issue autonomously, a human operator could intervene in the decision making process, but essentially and for the majority of the time, the subscriber will be under network control.

The passive objects forming the top of the framework:

• the mobile network (community)

• the network interface handset (community)

• the subscriber account

• the archived subscriber reference profile

• the handset generated subscriber profile

• subscriber data packets

• subscriber payments (money)

Treating the network and handset as single entities/object communities negates the need to break them down into their hardware infrastructures. Separate payment objects recognise those subscribers who prefer to pay in advance, rather than via contractual schemes.

As these objects are not authentication issues, they are omitted from subsequent discussions.


Communities

The primary top-level object communities consist of 'the network, the subscriber account, the subscriber profile' and 'the interface handset, the subscriber authentication profile'; both objects share the data and subscriber objects.

Figure 2: Enterprise Object Communities [diagram labels: Network (Group), Subscriber Account, Subscriber Security Profile; Handset (Group), Subscriber Authentication Profile; Data packets; Subscriber]

Roles of Objects

Identifying the rules bounding the objects within the conceptual framework through:

• Permissions - What CAN be done

• Obligations - What MUST be done

• Prohibitions - What MUST-NOT be done.

Permissions:

A subscriber can choose to:

• access their network account at any time;

• change their network interface handset;

• terminate their account at any time.

The network can choose to:

• issue an authentication challenge at any time;

• maintain more than one profile for each subscriber.

Obligations:

A user:

• must have a valid network account;

• must continuously satisfy authentication;

• must sufficiently fund their network access.

The network:

• must act on authentication failure;

• must provide suitable protection of subscriber profiles; under legislation like the EU Data Protection Directive (Lloyd, 1996).

Prohibitions:

A subscriber

• can only access their account;

• cannot initiate authentication profile changes;

• cannot bypass authentication;

• authentication profile cannot be artificially generated by any casual means.

Information viewpoint

This viewpoint presents the schemas involved with handling the state and structure of the pre-defined data object schemas at particular times:

• Static - state of an object at a particular time.

• Invariant - restricts state/structure at all times.

• Dynamic - defines permitted state changes.

Static schemas

• At Point-Of-Entry, a user is unauthenticated.

• At fixed or variable network defined intervals authentication is transparently requested.

Invariant schemas

• Continuous authentication is always active.

• The network handset must be authenticated to access the network.

Dynamic schemas

A subscriber:

• state change - authenticated to unauthenticated.

• profile is permitted to change over time; e.g. with age, health, behaviour etc.

• is permitted to change their handset(s) over time without affecting archived profiles.

Computational viewpoint

This view specifies the functional interactions between system objects at a low level. From this viewpoint, it can be argued that authentication may exist at several levels, as illustrated in Figure 3.

Figure 3: Mobility Authentication [diagram labels: Subscriber, Authentication, Terminal Interface, Device-centric User Supervision, SIM, Terminal Supervision, Network-centric User Supervision, Mobile Network]

It is considered that a suitable framework for achieving this is not dissimilar to previous security work carried out in the area of real-time network monitoring; i.e. the Intrusion Monitoring System (IMS) (Furnell, S.M., Dowland, P., 2000). Building on this work, it can be demonstrated that with suitable modifications, the IMS can be remodelled to meet the requirements of a continuous authentication system for mobile applications, where a detected anomaly is represented by a failed subscriber authentication. Considering the architecture in a purely authentication-based role (i.e. where misfeasor abuse is not considered), a suitable conceptual structure is shown in Figure 4.

In this revised structure, the client is represented by the subscriber handset and several of the modules have been renamed from the original IMS to reflect the more restricted authentication-only role (on the network side, the Archiver function has been removed altogether, reflecting the fact that the system is looking to perform real-time authentication, rather than ongoing activity monitoring).


Figure 4: Enhanced Mobile Authentication System [diagram labels: Subscriber Handset, Host Network]

The authentication function need not reside completely within the network. Point of Entry (PoE) authentication in particular could reside in the subscriber terminal, using an appropriate technique as the basis (e.g. the baseline method could still be a PIN, but more advanced methods like fingerprint recognition could also be used if a handset was suitably equipped).

However, rather than being an isolated function within the terminal, it could be linked into the wider network-based monitoring system. For example, the network could be notified of any handset login failures, which would enable its alert status to proceed from an initially higher starting point than it would have otherwise done in the case of a completely successful login at the first attempt. More advanced, ongoing supervision would be network-based and, in this sense, the role of the handset becomes that of collecting relevant authentication data, upon request from the host network, and then responding as instructed when the data has been remotely analysed. It can be seen that the decision making process is retained within the network under the control of the network operator 'Authenticator' module.

This is a basic security issue, offering advantages to both the operator and the subscriber. For the operator, it removes control and possibility of casual authentication tampering from the subscriber handset; for the subscriber, it offers the service of subscriber mobility.

There can be a number of mechanisms in place to trigger the authentication challenge request process:

• a simple chronological time-out.

• significant change of destination tolling.

• change from normal usage profile, i.e. departure from normal calling pattern, etc.

• mobile cell handover, a point of potential system weakness to a system abuser.

• e-commerce transaction.

Any combination of the above should transparently trigger re-authentication. In addition, there are other quality-of-service considerations to be addressed:

• network loading issues.

• reception conditions.

• available network bandwidth when roaming.

• remaining life-cycle of GSM handsets.

It can be argued that a brick wall lock out is not necessarily the best solution to authentication failure. As mentioned previously, quality of service is critical, and a low False Rejection Rate is fundamental to any continuous authentication scenario. It is advisable to exercise a form of phased service lockout, ranging from logging of user activity to a complete system bar.

CONCLUSIONS

This paper introduced and justified the need for improved subscriber authentication within the next generation of mobile communication devices. Through the approach of the ITU RM-ODP, the rules for a conceptual discrete real-time authentication framework have been generally defined and, through ongoing work on the IMS at the University of Plymouth, a suitable core architecture proposed.

REFERENCES

3GPP. 1999. "3G Security: Security Threats and Requirements." Technical Specification Group Services and System Aspects. Document: 3G TS 21.133 V3.1.0.

Biometric Consortium. 2000. "An introduction to biometrics". The Biometric Consortium, http://www.biometrics.org/html/introduction.html

Cox, A. 1997. "New Services for UMTS". Proceedings of UMTS - The Next Generation of Mobile, London, UK, 27-29 October 1997.

Furnell, S.M., Dowland, P. "A conceptual architecture for real-time intrusion monitoring", Information Management & Computer Security, vol. 8, no. 2.

Lloyd, I. 1996. "An outline of the European Data Protection Directive". The Journal of Information, Law and Technology, 1996.

Nielsen, J. 1999. "The Graceful Degradation of Scaleable Internet Services", Alertbox, 31 October, http://www.useit.com/alertbox/991031.html

RM-ODP, 1994. "Reference Model of Open Distributed Processing". Standards: ISO #10746. ITU-T #X.900.
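The re-authentication triggers, the handset-reported login failures and the phased service lockout described in this paper can be combined into one network-side decision loop. The Python sketch below is an added illustration, not code from the paper or from the IMS; the thresholds, the time-out, the alert weights and the intermediate "restrict services" phase are assumptions, and the session events are constructed.

```python
from enum import Enum, IntEnum


class Trigger(Enum):
    """Challenge triggers listed in the paper."""
    TIMEOUT = "chronological time-out"
    TOLL_CHANGE = "significant change of destination tolling"
    USAGE_DEPARTURE = "departure from normal usage profile"
    CELL_HANDOVER = "mobile cell handover"
    ECOMMERCE = "e-commerce transaction"


class Response(IntEnum):
    """Phased lockout, from no action to a complete system bar."""
    NORMAL = 0
    LOG_ACTIVITY = 1
    RESTRICT_SERVICES = 2   # assumed intermediate phase, not named in the paper
    FULL_BAR = 3


# Assumed tuning values (hypothetical, chosen for the demonstration only).
TIMEOUT_S = 300             # re-authenticate at least every 5 minutes
FAIL_PENALTY = 2            # a failed challenge raises the alert level by 2
PASS_CREDIT = 1             # a passed challenge lowers it by 1
PHASES = [                  # (minimum alert level, response), highest first
    (5, Response.FULL_BAR),
    (3, Response.RESTRICT_SERVICES),
    (1, Response.LOG_ACTIVITY),
]


class Authenticator:
    """Network-side decision module; the handset only collects samples."""

    def __init__(self, poe_failures=0, session_start=0.0):
        # Handset-reported Point-of-Entry failures give the alert level a
        # higher starting point than a clean first-attempt login would.
        self.alert = poe_failures
        self.last_auth = session_start

    def response(self):
        for minimum, phase in PHASES:
            if self.alert >= minimum:
                return phase
        return Response.NORMAL

    def due_triggers(self, now, observed):
        """Triggers that require a transparent challenge at time `now`."""
        due = set(observed)
        if now - self.last_auth >= TIMEOUT_S:
            due.add(Trigger.TIMEOUT)
        return due

    def step(self, now, observed, sample_ok):
        """Handle one monitoring event and return the resulting response.

        sample_ok is the outcome of the network's remote analysis of the
        sample the handset collected; None means no sample was returned,
        which counts as a failure so that a challenge cannot be bypassed.
        """
        if self.response() is Response.FULL_BAR:
            # Assumed: once barred, only operator intervention lifts the bar.
            return Response.FULL_BAR
        if self.due_triggers(now, observed):
            if sample_ok:
                self.alert = max(0, self.alert - PASS_CREDIT)
                self.last_auth = now
            else:
                self.alert += FAIL_PENALTY
        return self.response()


def run_session(poe_failures, events):
    """Replay (time_s, observed_triggers, sample_ok) events; return phase names."""
    auth = Authenticator(poe_failures=poe_failures)
    return [auth.step(t, trig, ok).name for t, trig, ok in events]


# Constructed sessions (not measured data).
LEGITIMATE = [                       # one false rejection at t=200
    (60, {Trigger.CELL_HANDOVER}, True),
    (120, set(), None),              # nothing due: no challenge issued
    (200, {Trigger.ECOMMERCE}, False),
    (260, {Trigger.USAGE_DEPARTURE}, True),
    (600, set(), True),              # time-out challenge, passed
]
MASQUERADE = [
    (30, {Trigger.TOLL_CHANGE}, False),
    (45, {Trigger.ECOMMERCE}, False),
    (50, set(), True),
]

if __name__ == "__main__":
    print("legitimate, clean login:   ", run_session(0, LEGITIMATE))
    print("masquerade, clean login:   ", run_session(0, MASQUERADE))
    print("masquerade, 2 PIN failures:", run_session(2, MASQUERADE))
```

In the constructed sessions a single false rejection only reaches the logging phase and decays after later passes, while two handset-reported PIN failures bring the complete bar one event earlier for the same sequence of failed challenges.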

BIOGRAPHY

Philip Rodwell was educated in Communication Engineering at the University of Plymouth, England, where he received his B.Eng. Honours degree in 'Personal Communications and Networks'. The programme included a one-year placement at Philips Consumer Communications, Le Mans, France, where he was part of the DECT team responsible for developing software for the Xalio range of cordless products. He is currently studying for his PhD within the Network Research Group at the University of Plymouth, researching 'Non-Intrusive Security Systems for 3rd Generation Mobile Networks', in association with Orange PCS, Bristol, England.


H5 Journal Article

British Computer Society - South West Journal

April 2001


"User authentication for current and future mobile telephony: Assessing subscriber acceptance"


User authentication for current and future mobile telephony: Assessing subscriber acceptance

N.Clarke, P.M.Rodwell†, S.M.Furnell† and P.L.Reynolds‡

† Network Research Group, DCEE, University of Plymouth. ‡ Orange Personal Communications Services Ltd, Bradley Stoke, Bristol.


Introduction

The worldwide market for mobile telephone technologies has experienced dramatic growth in recent years and it is not difficult to see that we are currently in the middle of a mobile communications revolution. Recent figures indicate that the number of cellular subscribers today is nearly 479.5 million worldwide, with forecasts for the end of 2003 estimating the number to be around 1.073 billion [1].

The mobile technologies themselves have already evolved from the voice-only analogue systems of the mid 1980s, to the current second generation (2G) digital systems, first introduced in the early 1990s. Owing to its circuit switched nature and a limited bandwidth of only 9.6kbit/s, it is recognised that the current GSM air interface is only realistically suitable for voice telephony, text messaging and rudimentary data services. However, the next few years will witness the evolution of current GSM technologies into a wireless Internet of advanced packet switched data services exhibited by the General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE) standards; culminating sometime in the near future in 3rd Generation (3G) networks. Proposed by the International Telecommunications Union initiative, IMT-2000, 3G mobile communications for Europe will come under the banner of UMTS (Universal Mobile Telecommunications System) [2]. As an indication of the commitment UK mobile operators have already made to UMTS, the auction of the five UK licenses in April 2000 raised an incredible £22.47 billion [3]. The proposed increases in bandwidth available under UMTS will enable service providers to support significantly wider application scenarios than the rudimentary voice and data services of current cellular networks. This expansion of services, especially data services and subsequent increase in private data, will demand a corresponding increase in the levels of protection provided by the network hardware.

Security in the current second generation GSM system

The most widespread second generation mobile system in use in the world today is the Global System for Mobile Communications (GSM) [4], which, by September 1999, accounted for 344 operational networks in 127 countries, 63% of the world's total cellular market today (Intekom, 2001). Security provisions within GSM are largely geared towards secure communication (i.e. radio interface encryption) and terminal-based authentication, the latter being achieved via the combination of the familiar SIM smart card (Subscriber Identity Module) and the less familiar IMEI (International Mobile Equipment Identifier). The SIM holds all the subscriber's personal details, such as contact numbers and text messages, in addition to network operator registration details like the IMSI (International Mobile Subscriber Identifier). Mobile hardware is uniquely identified via an IMEI, which is used in conjunction with an operator's EIR (Equipment Identity Register) to determine a device's security status, e.g. whether it has been reported stolen.

Relatively little attention is attributed to the authentication of the actual subscriber. Authentication of the subscriber to the terminal SIM is achieved through use of an impersonal and optional PIN (Personal Identification Number), stored in the SIM. This facility must be enabled by the subscriber before any level of protection is provided. Assuming this is done, the level of protection can still vary between devices depending on the handset manufacturer's implementation. Having said this, PIN protection can generally be considered commensurate with the level of risk of unauthorised use within a GSM environment.


Requirements for security in third generation Networks

When considering the proposed services of UMTS [5], and the nature of future 3G devices, we realise that a more secure subscriber-based authentication system is essential in order to protect personal information in the event of masquerade attack [6]. The primary reason for this is the hastening convergence of mobile devices with Personal Digital Assistant (PDA) type devices, and the subsequent expansion in the range of possible services enabled as a direct result. The potential consequences of a masquerade attack will therefore become far more severe owing to the additional and more private information that these hybrid devices are now storing:

• financial details enabling mobile electronic commerce transactions

• electronic certificates for digital signatures

• full contact details of family and associates

• commercially sensitive miscellaneous information (e.g. scheduler/notepad files)

• medical records as a result of telemedicine or teleconsultations.

Attitudes to security provision within mobile networks

Within the University of Plymouth, a survey was conducted into the attitudes of mobile users to the current security provision within their mobile telephones and possible areas of improvement should they feel them inadequate for present and future systems. The survey was distributed locally to a broad range of mobile telephone users, in both hard copy and as an on-line questionnaire. There were a total of 161 responses completed both on paper and on-line.

Opinions on current security

As discussed previously, the primary method of personal security within a mobile handset is the PIN. Although 89% of respondents knew about the PIN facility, only 56% of them actually used it. The survey shows that 76% of respondents had phones with only a single level of security (at power on). Of those users that did have access to keypad PIN lockout in standby, only 46% of them used this facility on a regular basis. 41% of respondents felt that entering a PIN number was inconvenient, with the same percentage also feeling unconfident in the level of protection the PIN provided. Although the results are not conclusive for or against the effectiveness of the PIN, there are a number of points that can be drawn from the data:

• 11% of respondents did not even know about the PIN facility. Scaled up this could represent up to 52.8 million subscribers worldwide.

• Of the 44% of respondents who did not use the PIN facility, 65% gave the reason as being its inconvenience; that is, its intrusive nature.

• Actually providing additional levels of security does not necessarily mean that a subscriber will actually use them. A significant 64% of respondents did not even use the more convenient PIN facility of keypad lockout whilst in stand-by (where available).

• A large number of respondents, 41%, have little confidence in the protection offered by the PIN facility, believing their handset is still at risk even with the facility active.

Opinions on having additional security

With telephone technology progressing rapidly to provide users with additional data services, this survey already identifies users accessing 2G data services and willing to continue to do so into the 3G technology. It is an encouraging sign that these users also recognise the need for security, with 81% believing it would be either good or very good to have increased security. Only 2 respondents thought it a bad idea. Although not proposing any specific scheme for improved authentication, the bias is towards biometrics, owing to its inherent suitability to non-intrusive application [7].

Contributors' responses to the implementation of additional security show a strong preference towards fingerprint analysis; over 70%. Voiceprint and iris scanning also achieved good responses. Analysing the results does however indicate that respondents have possibly reacted more positively to those authentication mechanisms that they are already aware of.


Fingerprints have for a long time, primarily through Police use, been known to provide a reliable means of identification. In fact fingerprint recognition is already being used by Sagem in mobile handsets for advanced e-commerce authentication purposes [8]. Voice print analysis has also attracted much attention recently through computer software and also in the telephone industry as a means of dialling numbers. Techniques such as ear geometry and typing style (keystroke analysis) are more recent and, as such, less research exists on them.

[Figure: Positive responses to six main authentication techniques]

The survey not only found users wanting more security for their handsets but 63% of respondents, who were not indifferent, also felt a non-intrusive continuous authentication method during a session to be a good idea. Obviously some authentication techniques lend themselves to this technique much better than others, for instance voiceprint, as the user would probably already be talking on the telephone.

Conclusions

Up until now, PIN protection has generally been regarded as providing enough access protection, since the information contained on handsets has been relatively benign in nature, telephone numbers, simple text messages, etc. and thus of little value to a thief. More recently, with the advent of WAP enabled 2G handsets, there is a movement towards the storage of more sensitive material. This will culminate in the near future with the merger of PDAs and mobile telephones into 3G devices carrying all the associated data both these devices may contain. This does beg the question, how far can we rely on numerical passwords, how secure are they and how secure do users believe them to be? The findings of the survey have demonstrated a perceived weakness in the current PIN technique in the eyes of its users. They have however, responded positively towards alternative authentication techniques, principally fingerprint and speaker verification.

References

[1] Intekom, 1999. "Latest Global & Regional Cellular Statistics", http://home.intekom.com.

[2] UMTS Forum, 1998. The Path towards UMTS - Technologies for the Information Society. Report no. The UMTS Forum. http://www.umts-forum.org/reports.html

[3] Radiocommunications Agency, http://www.spectrumauctions.gov.uk

[4] Mouly, M. and Pautet, M., 1992. The GSM System for Mobile Communications, 4 rue Elisee Reclus, F-91120 Palaiseau, France.

[5] Cox, A., 1997. "New Services for UMTS". Proceedings of UMTS - The Next Generation of Mobile, London, UK, 27-29 October 1997.

[6] Third Generation Partnership Project, 1999. http://www.3gpp.org

[7] The Biometrics Consortium, 2000. http://www.biometrics.org

[8] Sagem MC-959-ID. Smart Card 2000 Show, London, http://www.sagem.com


H6 Poster Presentation

Britain's Young Engineers in 2001

3 December 2001, House of Commons, Houses of Parliament, London, UK.

"Non-Intrusive Subscriber Authentication for 3G Mobile System"


Non-Intrusive Subscriber Authentication for 3G Mobile Systems

Nathan Clarke, Paul Dowland, Dr Steven Furnell, Prof Paul Reynolds and Philip Rodwell

Network Research Group, Department of Communication and Electronic Engineering, University of Plymouth, UK

[Poster image. Recoverable panel titles: An Example Biometric; Summary]

http://www.plymouth.ac.uk/nrg


H7 Published Paper

Third International Conference on 3G Mobile Communication Technologies

8-10 May 2002, London, UK.

"Advanced Subscriber Authentication Approaches For Third Generation Mobile Systems"


Advanced subscriber authentication approaches for third generation mobile systems

N.L.Clarke^, S.M.Furnell^, P.L.Reynolds* and P.M.Rodwell^

^ University of Plymouth, United Kingdom

* Orange Personal Communications Services Ltd, United Kingdom

INTRODUCTION

Recent years have witnessed substantial and well[...] communications sector, with global mobile subscribers forecast to rise from 768m in 2001 to 1,848m by 2004 [1]. However, in parallel with this rise in ownership there has been a rise in mobile related abuse, suggesting the need for greater security measures to prevent unauthorised use. Mobile handsets are already recognised as being prime targets for theft and research findings published by the UK Home Office have estimated that over 700,000 handsets were stolen from subscribers during 2001 [2]. It can be conjectured that the more advanced capabilities of third generation (3G) handsets will make them even more desirable targets in this respect. Additionally, the increased bandwidth available in 3G will enable service providers to support significantly wider application scenarios than the rudimentary voice and data services of current cellular networks. This expansion of services and subsequent increase in private data will demand a corresponding increase in the level of protection provided by the terminal and network hardware.

This paper presents consideration of the security requirements for 3G, considering specifically the issue of subscriber authentication. The discussion includes the results of a survey of current mobile subscribers, to determine their attitudes towards existing security measures, leading into architectural considerations and initial experimental results in relation to future techniques.

SUBSCRIBER SECURITY REQUIREMENTS FOR 3G SYSTEMS

Security provisions within 2G networks such as GSM are largely geared towards secure communication (i.e. radio interface encryption) and terminal-based authentication. The latter is achieved via the combination of the SIM (Subscriber Identity Module) and the IMEI (International Mobile Equipment Identifier), and enables the legitimacy of the terminal to be determined before allowing it to utilise the network. By contrast, relatively little attention is devoted to ensuring the legitimacy of the current user, and subscriber authentication provisions in the vast majority of devices rely upon Personal Identification Number (PIN) based methods. This facility must be enabled by the subscriber before any level of protection is provided. Even assuming this is done, the level of protection can still vary between devices depending on the handset manufacturer's implementation. Nonetheless, it can be argued that the level of security delivered by the PIN is commensurate with the requirements of the devices, as the potential consequences from theft or impostor access can be broadly categorised as financial loss (which the legitimate user can limit by reporting the theft of the phone and getting it blocked by the operator) and breach of personal privacy, due to the impostor gaining access to contact details and text messages held on the device. However, it is acknowledged that this is a fairly limited amount of information, the disclosure of which would not normally be considered highly sensitive. Stored text messages may potentially have more significance, but would not generally represent a significant body of information.

By contrast, the proposed services of 3G networks demand a more secure subscriber-based authentication system in order to protect personal information in the event of masquerade attacks. The primary reason for this is the hastening convergence of mobile devices with Personal Digital Assistant (PDA) devices, and the subsequent expansion in the range of possible services enabled as a result. The potential consequences of a masquerade will, therefore, become far more severe owing to the additional and more private information that these hybrid devices will store:

• financial details enabling mobile electronic commerce transactions;

• electronic certificates for digital signatures;

• full contact details of family and associates;

• commercially sensitive miscellaneous information (e.g. scheduler/notepad files);

• medical records as a result of telemedicine or teleconsultations.

ATTITUDES TO SECURITY PROVISION WITHIN MOBILE NETWORKS

A survey was conducted to determine current mobile subscribers' attitudes towards the security provisions within their devices, and possible areas of improvement. The survey was distributed to a broad range of mobile phone users, in both printed and online formats, yielding a total of 161 responses. Full details of the results can be found in [3], but relevant summary information is presented below.

As discussed previously, the primary method of personal security within a mobile phone is the PIN. Although 89% of respondents knew about this facility, only 56% actually used it. The survey showed that 76% of respondents had phones with only a single level of security (at power on). Of those users that had the facility to PIN protect the phone in standby mode, only 36% used it. Other key findings included:

• 11% of respondents did not even know about the PIN facility. Scaled up this could represent up to 84.5 million subscribers worldwide.

• Of the 44% of respondents who did not use the PIN facility, 65% gave the reason as being its inconvenience.

• Providing additional levels of security does not necessarily mean that a subscriber will actually use them, as evidenced by those users who did not use the PIN to lock phones in standby.

• A large number of respondents, 41%, have little confidence in the protection offered by the PIN facility, believing their phone is still at risk even with the facility active.

Given these results, even in a 2G context, the prognosis for the successful application of the same methods in 3G is not encouraging. At the same time, the survey also revealed that 88% of users wanted to be able to access additional data services, such as m-commerce, video conferencing and web browsing, from their devices, highlighting the need for better authentication in future devices.

Despite their reluctance to use the existing PIN-based methods, the survey results revealed that respondents recognised the need for security, with 81% believing it would be either good or very good to have increased protection. Only 2 respondents thought it a bad idea.

Responses to the implementation of additional security showed a strong preference towards fingerprint analysis; over 70%. Voiceprint and iris scanning also achieved good responses. Analysing the results does however indicate that respondents have possibly reacted more positively to those authentication mechanisms that they are already aware of. Fingerprints have, for a long time, been known to provide a reliable means of identification. In fact fingerprint recognition has already been demonstrated by Sagem for advanced e-commerce authentication purposes in mobile phones [4]. Voice print analysis has also attracted much attention recently through computer software and also in the phone industry as a means of dialling numbers. Techniques such as ear geometry and typing style (keystroke analysis) are more recent and, as such, less research has been done on them. Preliminary results in relation to keystroke analysis on mobile phones will be considered later in the paper.

Figure 1: Positive responses to six main authentication techniques

Of the respondents who indicated that they would like more security, 63% also felt that a continuous technique during normal phone use would be a good idea. This apparent acceptance of continuous authentication is compatible with one of the stated requirements for secure 3G service provision; namely that it should be possible for service providers to "authenticate users at the start of, and during, service delivery" [5]. Authentication during service delivery represents a departure from the approach in 2G systems, and again implies the need for some form of transparent measure to avoid disrupting the subscriber's legitimate activity. Options for achieving this may be related to periodic or continuous supervision, adopting profiling techniques or biometric monitoring. Some authentication methods clearly lend themselves to this better than others, and it is important from the user acceptance perspective to ensure that chosen method(s) could be applied in a non-intrusive manner.

AN ARCHITECTURAL FRAMEWORK FOR AUTHENTICATION

Authentication could most usefully be handled within a flexible security framework, which is able to intelligently monitor the available characteristics based upon the current activity of the subscriber. For example, voice verification could be utilised during a voice call, but during an e-commerce transaction it could be replaced by other characteristics that are more appropriate to the context such as keystroke analysis (see later discussion). The monitoring system would determine which characteristics, from those available on the terminal, should be assessed at any given time and then pass on the relevant data for analysis.


The concept of such an arrangement is illustrated in Figure 2. The approach would be non-intrusive in the sense that the terminal user would be unaware of the security system unless compromise was suspected.

Figure 2: Potential Subscriber Monitoring Scenario

It can be seen from Figure 2 that elements of the functionality are split between the network and the terminal. However, the approach depicted in the diagram is by no means the definitive solution, and a fundamental issue is whether the security monitoring should be decentralised within the subscriber handset (and SIM), or centralised within the mobile network. Compared to GSM, UMTS does not share the concept of a home network - the 'universal' aspect suggested in the name is based upon roaming between operators to suit the service required. This raises a number of important issues, not least of which being that any security system needs to transcend the technology infrastructures of both software and hardware, raised by the different operator networks.

Terminal Issues

A terminal-based approach, where the subscriber's biometric profile is held within the handset, or more likely within the SIM card, places responsibility for the security of the profile, and consequently security of the network portal, in the hands of the subscriber. From an operator's perspective, this negates the need for additional government confidentiality legislation or network server security; there is also less need for a legal pathway of non-repudiation. As biometric authentication and supervision would be performed within the handset, it can be achieved without imposing additional network traffic overhead and enabling authentication to be performed independent of link availability.

There are also hardware issues relevant to the terminal-centric solution. For example, any additional processing within the handset would consume valuable CPU cycles and potentially reduce the performance for other tasks. It would also have an associated impact upon battery life and subsequent recharge interval, especially if the technique were to be applied continuously.

Network issues

There are some very strong arguments for introducing a centralised network based security system. It can be argued that placing security into the handset, and effectively into the hands of the subscriber, is inherently insecure to begin with. It could, for example, render the profile more vulnerable to misuse or compromise if the terminal is stolen. From the operator's perspective, holding the profile, and performing any analysis, within the network may represent a more trusted solution.

Another potential advantage offered by the network centric system is that of increased personal mobility, where a subscriber may register with any network terminal in order to access their network operators' services under their personal subscription. Although GSM was originally designed to offer personal mobility via the SIM, the reality is that hardware, software, and operator network incompatibilities, as well as network locking agreements, have often restricted mobility to within a subscriber's own network. Additionally, the modern plug-in SIM generally resides behind the battery and is inherently too small and inconvenient to be of practical use as a token of true personal mobility.

By replacing the token with a biometric, and centralising the authentication system, true personal mobility can potentially become a reality.

There are however some consequences to the personal mobility scenario, two primary drawbacks being increased data traffic over the wireless link and subscriber signature confidentiality. Taking the first point, the increased bandwidth of proposed next generation networks should have little trouble handling the extra handshaking required by any biometric and potentially continuously monitoring security system, especially compared to the bandwidth of a video signal. The second point of subscriber signature confidentiality reverses the trust issue mentioned earlier. Now the onus on data confidentiality is in the hands of the network operators, with subscribers trusting their sensitive and personal biometric data to not necessarily their network operator but perhaps even a third party associate.

In reality, the network-centric solution is more elegant, enabling network operators to better protect themselves against rogue users, and ultimately offering the more secure option for both of the legitimate parties.

In either scenario, the approach requires suitable biometrics to be available to monitor from the handset. Some experimental findings in relation to one such technique are presented in the next section.


MOBILE SUBSCRIBER AUTHENTICATION VIA KEYSTROKE DYNAMICS

Keystroke Dynamics is the term given to a biometric authentication technique that is able to classify, authenticate or identify a person according to their typing pattern. The use of keystroke dynamics as an authentication technique for mobile phones has two distinct advantages over other biometric techniques, in that it requires no additional hardware and can be implemented in a completely transparent environment.

The principal typing feature that is used to characterise behaviour in keystroke dynamics is the inter-keystroke latency. Many studies have taken place over the years, dating back to the 1980's, such as Joyce and Gupta [6], Leggett and Williams [7], Napier et al [8], which have all demonstrated that characteristic patterns can be discerned from an individual's typing style, which in many cases can be used to distinguish that individual from a would-be impostor. However, these studies have all centred upon the verification or identification of a user typing on a full computer keyboard. One previous study investigated authenticating users from a numerical input entered on a standard numerical keypad [9]. Although not identical to a mobile phone keypad, due to tactile qualities and typing context, the study concluded successfully, suggesting the potential for further experimental evaluation in a telephony context.

Experimental investigations

From the foundation provided by previous studies, a series of investigations were designed to examine the feasibility of using keystroke dynamics on a mobile handset. Three experiments were conducted, each involving a total of 16 participants:

1. the entry of a four digit number, analogous to the PINs used on current devices;

2. the entry of a series of varying telephone numbers;

3. the entry of a fixed telephone number.

The first and third investigations required the participants to enter the numeric keystroke sample thirty times, with twenty samples then being used to create a reference profile, and the remaining ten for subsequent testing. The second investigation required a larger number of samples due to the changing nature of the input string, and thus the need to train the authentication system more accurately. Fifty samples were taken, with thirty for training and twenty for testing.

Previous studies have shown neural networks to provide an effective foundation for keystroke analysis [9,10], and they have consequently been used in these investigations. The neural network structure is constructed on the feed-forward backpropagation network [11]; best exemplified for pattern recognition techniques.

Results

Brief analysis of the input data has identified two types of variance that enable or inhibit the classification process: the inter-user variance, which is essentially a measure of similarity between users and ideally would be as large as possible, and the inter-sample variance, which is a measure of similarity between individual samples of a particular user, and would ideally be zero. Neither of these variances are near their respective ideals, giving rise to the following results, as indicated in Table 1 and illustrated in Figure 3.

Each investigation gives rise to a characteristic curve with two competing error rates: the False Acceptance Rate (FAR), the rate at which impostors are accepted by the system, and the False Rejection Rate (FRR), the rate at which the authorised user is rejected by the system. As can be seen from the figure it is possible to reduce one of the error rates only at the expense of increasing the other. Therefore a decision has to be made between high security and low user acceptance (due to inconvenience), or low security and high user acceptance. Table 1 illustrates a threshold level chosen to have a compromise between error rates. The Equal Error Rate (EER) is also given as this can often be used as a performance measure when comparing biometric systems [12]. The figures in the table are, of course, averages across all of the test subjects involved. It is relevant to note, however, that some individual networks performed as well as 0% FRR and 1.3% FAR - showing that in some cases the technique has a much more significant potential than the average results would seem to imply.

Figure 3: Performance Curves for the PIN Investigation
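The threshold trade-off between FAR and FRR described in the results can be reproduced with a short script. This is an added example, not the authors' code: the latencies are constructed (seeded random values for 16 hypothetical users, with 20 enrolment and 10 test samples each, as in the PIN experiment), and a mean absolute z-score distance stands in for the neural network, so the rates it prints are not the paper's results.

```python
"""Keystroke-latency verification on a 4-digit PIN: FAR/FRR/EER sweep.

Constructed data and a simple z-score classifier stand in for the paper's
handset recordings and neural network; none of this is the authors' code.
"""
import random
import statistics

N_USERS, ENROL, TEST = 16, 20, 10   # mirrors the paper: 16 users, 20 + 10 samples
N_LATENCIES = 3                     # a 4-digit PIN has 3 inter-keystroke gaps


def make_users(seed=2002):
    """Constructed data: each user gets a personal mean latency (ms) per gap."""
    rng = random.Random(seed)
    users = []
    for _ in range(N_USERS):
        means = [rng.uniform(120, 400) for _ in range(N_LATENCIES)]
        samples = [[max(30.0, rng.gauss(m, 35.0)) for m in means]
                   for _ in range(ENROL + TEST)]
        users.append(samples)
    return users


def build_profile(enrol_samples):
    """Reference profile: per-gap mean and standard deviation (floored at 1 ms)."""
    cols = list(zip(*enrol_samples))
    return [(statistics.mean(c), max(statistics.stdev(c), 1.0)) for c in cols]


def score(profile, sample):
    """Mean absolute z-score; 0 is a perfect match, larger is less alike."""
    return sum(abs(x - mu) / sd for x, (mu, sd) in zip(sample, profile)) / len(sample)


def collect_scores(users):
    """Score every held-out test sample against every user's profile."""
    genuine, impostor = [], []
    profiles = [build_profile(u[:ENROL]) for u in users]
    for owner, profile in enumerate(profiles):
        for claimant, samples in enumerate(users):
            for s in samples[ENROL:]:
                (genuine if claimant == owner else impostor).append(score(profile, s))
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Accept when score <= threshold. Returns (FAR, FRR) as fractions."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=200, max_threshold=10.0):
    """(threshold, FAR, FRR) at evenly spaced thresholds from 0 to max_threshold."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in (max_threshold * i / steps for i in range(steps + 1))]


def equal_error_point(curve):
    """Threshold where FAR and FRR are closest; EER is their average there."""
    t, far, frr = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    genuine, impostor = collect_scores(make_users())
    curve = sweep(genuine, impostor)
    for t, far, frr in curve[::20]:
        print(f"threshold {t:5.2f}  FAR {far:6.1%}  FRR {frr:6.1%}")
    t_eer, eer = equal_error_point(curve)
    print(f"EER ~ {eer:.1%} at threshold {t_eer:.2f}")
```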


| Investigation | FAR (%) | FRR (%) | EER (%) |
|---|---|---|---|
| PIN Code | 18.1 | 12.5 | 15 |
| Varying Telephone | 36.3 | 24.3 | 32 |
| Fixed Telephone | 16 | 15 | 15 |

Table 1: Keystroke Dynamics Investigation Results

The results demonstrate the potential to distinguish authorised users from impostors, although arguably not to any great accuracy. However, the experimental procedure used in this study was performed under controlled conditions, with users all entering the same input data - a condition that is unlikely in the real world. Additionally, the design and implementation of the neural network used for classification was primitive and un-optimised. Continuation of the study beyond this feasibility stage requires variables such as pre-processing, generalisation, network sensitivity and network configuration to be considered and analysed.

Further development of the technique will also consider other forms of user interaction with mobile handsets, in order to attempt to profile behaviour in different contexts. For instance, the way in which someone types when entering an SMS message is likely to be different to the way in which they enter a telephone number. Some users will use certain applications or functionality on the phone more often than others; will dial certain numbers more than others; and equally as important will not use or dial certain people or services. All of these factors could potentially be used as discriminating characteristics, leading to a stronger overall verification technique.

CONCLUSION

The capabilities of 3G mobile systems will open up a range of new service opportunities and, as a consequence, will impose new requirements for security. The survey findings indicated a weakness of the current provisions, in that the authentication technology is optional and, therefore, often unused. However, subscribers have shown the desire for additional security, and have responded positively towards a number of alternative techniques. Given that many respondents do not use the current security techniques that are available to them, it can be assumed that a non-intrusive method of authentication may prove to be most acceptable and widely utilised by end users. Viable architectural frameworks can be specified to support this, and appropriate biometric measures can be identified to provide the underlying authentication methods.

Keystroke dynamics can only be considered to be a transparent technique when the user is interacting with the keypad. If the user begins a voice or video conference call, the approach becomes an intrusive and impractical method for continuous authentication. In order to overcome this, two or more biometric techniques could be used in a hybrid non-intrusive manner, i.e. keystroke dynamics for typing authentication, voice recognition whilst speaking, and facial recognition for video conferencing. The effective and intelligent management of these biometrics would provide the necessary security required in a 3G environment.

REFERENCES

[1] Giussani, B. 2001. Roam - Making Sense of the Wireless Internet. Random House Business Books, London, UK.

[2] BBC. 2002. "Huge surge in mobile phone thefts", BBC News report, 8 January 2002. http://news.bbc.co.uk/hi/english/uk/newsid_1748000/1748258.stm

[3] Clarke, N.L., Furnell, S.M., Rodwell, P.M. and Reynolds, P.L. 2002. "Acceptance of subscriber authentication methods for mobile telephony devices". Computers & Security.

[4] Sagem. 2000. Sagem MC-959-ID. Smart Card 2000 Show, London, http://www.sagem.com

[5] 3GPP. 1999. 3G Security: Security Threats and Requirements. 3G Partnership Project. Technical Specification Group Services and System Aspects. Document 3G TS 21.133 version 3.1.0.

[6] Joyce, G., Gupta, G. 1990. "Identity Authentication Based on Keystroke Latencies". Communications of the ACM, Vol 39. pp168-176.

[7] Leggett, J., Williams, G. 1988. "Verifying Identity via Keystroke Characteristics". International Journal of Man-Machine Studies, Vol. 28.

[8] Napier, R., Laverty, W., Mahar, D., Henderson, R., Hiron, M., Wagner, M. 1995. "Optimising digraph-latency based biometric typist verification systems: Inter and intra typist differences in digraph latency distributions". Int. Journal of Human-Computer Studies, Vol. 43, pp579-592.

[9] Ord, T. and Furnell, S.M. 2000. "User authentication for keypad-based devices using keystroke analysis". Proceedings of the Second International Network Conference (INC 2000), Plymouth, UK, 3-6 July 2000: 263-272.

[10] Cho, S., Han, C., Hee Han, D., Kim, H. 2000. "Web based keystroke dynamics identity verification using neural networks". Journal of Organisational Computing & Electronic Commerce, Vol. 10, No. 4, pp. 295-307.

[11] Bishop, C. 1995. Neural Networks for Pattern Recognition. Oxford University Press.

[12] Ashbourn, J. 2000. Biometrics. Advanced Identity Verification. The Complete Guide. Springer


H8 Journal Paper

Computers and Security (Elsevier Science)

June 2002, Vol. 21, no.3, pp.220-228(9).


"Acceptance of subscriber authentication methods for mobile telephony devices"


Acceptance of subscriber authentication methods for mobile telephony devices

N.L. Clarke, S.M. Furnell, P.M. Rodwell and P.L. Reynolds

Corresponding Author

S.M. Furnell
Head of Group
Network Research Group
Department of Communication and Electronic Engineering
University of Plymouth
Plymouth
United Kingdom
Tel: +44 1752 233521
Fax: +44 1752 233520
Email: [email protected]

Other Authors

N.L. Clarke
Research Student
Network Research Group
Department of Communication and Electronic Engineering
University of Plymouth
Plymouth
United Kingdom
Tel: +44 1752 233520
Fax: +44 1752 233520

P.L. Reynolds
Manager Strategy and Trials
Orange Personal Communications Services Ltd
St James Court
Great Park Road
Bradley Stoke
Bristol
United Kingdom
Tel: +44 973 746050

P.M. Rodwell
Research Student
Network Research Group
Department of Communication and Electronic Engineering
University of Plymouth
Plymouth
United Kingdom
Tel: +44 1752 233520
Fax: +44 1752 233520


Acceptance of subscriber authentication methods for mobile telephony devices

Abstract

Mobile phones are now an accepted part of everyday life, with users becoming more reliant on the services that they can provide. In the vast majority of systems, the only security to prevent unauthorised use of the handset is a four digit Personal Identification Number (PIN). This paper presents the findings of a survey into the opinions of subscribers regarding the need for security in mobile devices, their use of current methods, and their attitudes towards alternative approaches that could be employed in the future. It is concluded that, although the need for security is understood and appreciated, the current PIN-based approach is under-utilised and can, therefore, be considered to provide inadequate protection in many cases. Surveyed users responded positively towards alternative methods of authentication, such as fingerprint scanning and voice verification. Based upon these findings, the paper concludes that a non-intrusive, and possibly hybrid, method of authentication (using a combination of techniques) would best satisfy the needs of future subscribers.

Keywords

Authentication, Mobile, GSM, UMTS, Biometrics.

Introduction

The mobile phone market has witnessed phenomenal growth in recent years, such that the phone itself is now regarded as an essential everyday item by millions of people. Indeed, cellular subscribers currently total around 479.5 million worldwide, a 56.87% growth on the previous year, with forecasts for the end of 2003 estimating that the number of subscribers will be in the region of 1.073 billion [1].

In addition to increasing subscribers, the capabilities of the phones themselves will also improve. With the introduction of third generation mobile devices, part of the ITU IMT-2000 initiative [2], a broadband service of up to 2 Mbps will be on offer, providing the potential for true multimedia services [3]. As the technology advances, the range of potential services also expands. Whereas the first generation analogue phones of the 1980s were purely aimed at the provision of voice telephony services, the arrival of second generation (digital) phones in the early 1990s ushered in basic data services such as SMS (Short Message Service) text messaging. In more recent years, devices supporting the Wireless Application Protocol (WAP) have facilitated limited Internet access, and the emergence of faster access technologies, such as GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunications System), will hasten the convergence of the mobile phone with Personal Digital Assistant (PDA) devices. This, in turn, will significantly increase the range of in-built and network-based applications of the device, thus also increasing the range of potentially sensitive and private information that the devices will hold.


As the sensitivity of information stored on a mobile device increases, the need for effective security also increases. The 3rd Generation Partnership Project (3GPP), who provide the technical specifications and regulations for UMTS, have recognised the need for secure data communications and produced appropriate standards [4]. However, security over the air interface is only one aspect of the problem, and it is also important to ensure appropriate protection of the device against unauthorised access. Current mobile handsets do incorporate some level of protection in this respect, but it is fairly rudimentary, and as the need for security increases there is the potential to incorporate more advanced methods. At this stage, however, questions remain about the security measures that customers would expect, and tolerate, to protect their personal information. This paper considers the need for security on mobile handsets, end-user attitudes towards current authentication measures, and their views in relation to future service opportunities and the consequent security requirements that these will impose.

Subscriber authentication in mobile systems

At the time of writing, the dominant mobile network standard is GSM (Global System for Mobile communications), which accounts for 63% of the global cellular market [1]. The authentication security that the GSM networks currently provide is focused between the terminal devices and the network, as shown in Figure 1, with a number of checks being made to ensure that the handset is permitted to use the network, has not been reported stolen etc. By contrast, the security between the terminal and the subscriber is currently quite rudimentary, with subscriber authentication based upon the use of a Personal Identification Number (PIN).

[Diagram not reproduced. Labels: User, Terminal, Network; PIN Code, IMEI Code, IMSI Code.]

PIN - Personal Identification Number
IMEI - International Mobile Equipment Identifier
IMSI - International Mobile Subscriber Identifier
TMSI - Temporary Mobile Subscriber Identifier

Figure 1 : User - Terminal - Network Security Processes

For the majority of mobile phones, the PIN is the only form of authentication required in order for a user to be able to access the device. The authentication process will typically only allow the user to enter the number incorrectly a finite number of times (typically three) before the Subscriber Identity Module (SIM) within the phone becomes locked and requires a special unlock password (PUK) from the network service provider. In this way, brute force attacks on the PIN code (where every combination is systematically tried) are avoided. However, the security here assumes two things: firstly, that the PIN facility is activated, and secondly, that the user has not compromised its protection (e.g. by not changing it from the factory default, by writing it down, or by telling someone else) in the manner that frequently occurs with other knowledge-based authentication approaches, such as passwords [5].

If the PIN facility is enabled, it may (depending on the make/model of phone) provide two levels of authentication. All phones can be configured to request the PIN when they are switched on (normally only allowing emergency calls in its absence). Some models also allow locking of the keypad when switched on, requiring PIN re-entry before each use. As such, the PIN is capable of providing protection, and to date it has generally been regarded as providing sufficient security, given that the information held on the devices is relatively limited (e.g. telephone numbers, simple text messages, etc.), and thus of little value to a thief. Therefore the main threat comes through unauthorised usage of the phone, which only exists in a finite window before the phone is reported stolen and subsequently disabled by the network operator.

Recently, with the advent of WAP-enabled second-generation phones, there has been a movement towards the storage of more sensitive material. For example, some handsets contain a credit card reader that is able to make transactions over WAP-enabled web sites. Although this still requires a PIN identification before use, it does pose the question of how far we can rely on PIN codes, how secure they are, and how secure users believe them to be.

Whereas PIN-based authentication relies on something the user knows, an alternative method is authentication via something the user is, a domain more commonly referred to as biometrics. There are two categories of biometric authentication [6]:

• Physiological biometrics, based upon bodily characteristics (e.g. fingerprint analysis, facial recognition, iris scanning and ear geometry).

• Behavioural biometrics, based upon the way people do things (e.g. voice print, typing style).

Much research has gone into developing these techniques into practical systems, and they are already employed as alternative authentication methods in desktop PC environments - for example, 9% of the respondents to the 2001 CSI/FBI Computer Crime and Security Survey claimed to use biometric security technologies [7]. In addition, there is already evidence of their application within the mobile domain. The Sagem MC959 handset, for example, incorporates a fingerprint recognition system into the back panel [8]. When considering the application of biometrics, in the context of mobile handsets, appropriate thought needs to be given to the practicality of the technique. It is noticeable, for example, that physiological techniques generally require additional hardware, such as the fingerprint scanner, to be added, whereas behavioural techniques do not. Implementation of behavioural techniques can be achieved through software only. Clearly, for mass-market devices, component cost is a major consideration, and handset prices are already subsidised by network operators in many countries in order to keep the cost down for the consumer. However, another major consideration to take into account is how the subscribers actually feel about security. Customers in today's world dictate the success or failure of a product, so their attitudes and opinions are important factors to take into consideration.


A survey of subscriber attitudes towards mobile security

A survey was conducted to assess the attitudes and opinions of current mobile subscribers towards authentication on their phones. To this end, a questionnaire was devised that assessed the following aspects:

• how the phone is used (e.g. voice communications, text messages etc.) and how subscribers would like to use their phones in the future. This gauges the level to which additional security is necessary - if the phone is used purely for voice communications then the need for increasing security is questionable;

• users' opinions about the current form of authentication, the PIN;

• whether users believe there is a need for increasing security, and if so how they would like to see a solution implemented.

The survey was distributed as hard copies to a wide range of people, with one proviso: in order to be able to offer a valid opinion, the respondents had to be current or past users of mobile phones. A total of 138 paper-based copies were returned. An on-line version was also created, achieving another 23 responses. Thus, a final total of 161 responses was obtained, and the results are analysed in the sections that follow.

General

The survey was not aimed at any specific age group or gender, the hope being to obtain a good cross section of users. As shown in Figure 2 below, 53.5% of respondents were in the 17-24 age group. Although at first glance this figure does not suggest a particularly representative sample, it is actually a fair reflection of mobile phone ownership in the UK, where the survey was focused. Recent market research studies have illustrated that teenagers now account for a significant proportion of phone purchases, particularly in relation to pre-pay phone options [9]. With this in mind, the predominance of younger respondents in this study is less surprising, and serves to make the results a more accurate reflection of typical subscriber attitudes.

[Figure: bar chart; legend: Male, Female; x-axis: Age Group (Under 16, 17-24, 25-34, 35-44, 45-54, 55+)]

Figure 2 : Gender and age split in the respondent group


The desire to remain contactable is apparent from how long respondents leave their handsets switched on. 57% of those questioned said they kept their phone switched on for greater than ten hours a day, with 19% claiming between six and ten hours, and the percentage descending in order to 11% for less than one hour a day. These findings have a couple of implications:

• The need to leave the phone on comes in part from the need to stay in touch. So is the mobile phone the user's principal means of doing this? Those switching on for less than one hour are likely to be users who only switch on when they wish to use the phone themselves, and thus either do not wish to be kept in contact with or have another principal means of communication, for instance a landline phone. Those leaving their phones on for a long period of time are likely to consider their phones to be their major means of contact, showing a possible long-term commitment towards the use of mobile phones.

• With the large number of respondents leaving their phone on, this could have implications for security, especially for those who do not have or do not use a PIN facility to lock their keypad on standby.

Different phone manufacturers, although providing a range of different phones, often keep the same software functionality, i.e. Nokia and its proprietary menu system. Nokia and Motorola's use of the PIN is no different in principle. However, whereas Motorola provides the facility to lock the keypad whilst on standby, Nokia does not. In this particular sample, 57% of respondents are Nokia owners, of whom 96% leave their phone on for more than one hour a day, and 87% leave it on for more than six hours a day. This results in a significant number of unlocked phones on stand-by mode for long periods of time every day, leaving them with effectively no defence from un-authorised use if lost or accidentally left unattended.

Mobile phone usage - present and future

Unsurprisingly, results indicate that the vast majority use their mobile phone for talking. More interestingly, however, 90% of respondents regularly use text messages as a means of communication. Figure 3 illustrates these findings, in addition to responses for a range of other current services. The other services are newer, and from the responses have not been adopted as widely at present. A possible discrepancy in the data exists surrounding the use of the email service. Although this service is currently available on only a small proportion of handsets, 64% responded 'yes' or 'no' to the question of whether they used the facility. It is considered likely that many respondents who answered 'no' were doing so because their phone does not offer them the option (and, therefore, they should ideally have selected the 'not available' option on the questionnaire). This hypothesis also applies to the use of WAP services. However, it is valid to note the proportion of users that do use their phone for WAP and email services stands at 6% and 9% respectively, indicating an emerging acceptance and use of advanced data services.

Respondents were also asked whether they would consider using a small range of other services that are likely to be offered by future mobile handsets.


[Figure: bar chart; legend: Yes, No, Not Available; x-axis: Talking, Text Messages, Information Services, WAP Services, Text-Based Email]

Figure 3 : Services used by respondents

The questionnaire specifically suggested the options 'video conferencing', 'online shopping', 'World Wide Web', 'Downloading music' and 'Personal Organiser', as well as offering respondents the option to suggest other ideas that would interest them. The results strongly suggested that the adoption of advanced mobile services is likely to continue, with 40% looking to use video conferencing, 43% interested in online shopping, 58% desiring mobile web access, 53% wishing to download music, and 73% wanting an integrated personal organiser. Although the latter would not necessarily involve communication between phones and the network, the data stored in personal organisers could well contain sensitive information such as bank account details etc.

The additional services that were suggested by respondents included 'digital money', 'radio' and 'global positioning system' - all of which are very likely to emerge in combination with telephony handsets. Overall, it is also worth noticing that 88% of respondents did want to use some form of additional service.

Usefulness of current security

As previously discussed, the primary method of user authentication for mobile phones is the PIN, which is able to provide up to two levels of security. Although 89% of respondents knew about the PIN facility, only 56% of them use it in either form. The survey shows that 76% of respondents had phones with only one level of security (at power on). Of those users that did have both levels of security, only 46% of them used the second level on a regular basis. When asked whether they feel entering a PIN number is inconvenient, 41% responded 'yes', with the same percentage also expressing doubts about the level of protection the PIN can provide. Although the results are not conclusive enough to put an argument for or against the usefulness of the PIN facility, there are a number of significant points that can be drawn from the data:


• 11% of respondents did not know about the PIN facility. On the face of it, this is a relatively small percentage, but on a worldwide scale that accounts for 52.8 million subscribers who do not even know that security is available.

• Of the 44% of respondents who do not use the PIN facility, 65% of them considered it to be inconvenient, thus suggesting a good reason why they do not use it.

• Providing additional levels of security does not necessarily provide the user with additional protection if s/he does not use it through inconvenience. 64% of respondents for whom the ability to PIN-protect the phone between calls is available, still do not use the facility because they find entering the PIN inconvenient.

• A significant proportion of respondents, 41%, do not have confidence in the protection the PIN facility provides, indicating users believe their phone is still at risk from misuse even if the PIN facility is in use.

• 52% of female respondents do not use the PIN facility compared to 39% of males.

The survey also asked respondents to comment about issues relating to the compromise of security. When asked to consider compromise by another party, only 11% of users believed that their phone had been used without their permission. The real percentage is likely to be higher, from misuse that has gone undetected, for instance by people who may use the phone briefly without the owner's knowledge. Those respondents who answered positively to this question are likely to have had their phone stolen, and thus detected the misuse. The questions also considered compromise of protection arising from the subscribers' own actions. There are several ways in which subscribers may invalidate the PIN security, such as revealing the number to someone else, forgetting it, or writing it down. Table 2 presents a summary of the findings here.

                              Yes (%)   No (%)
Forgotten It                    17        83
Told Someone Else               26        74
Taken a Written Note Of It       6        94

Table 2 : Respondents who invalidate their PIN protection

Attitudes towards future authentication options

With mobile handset manufacturers and network operators both aiming to provide users with additional services, the need for security is likely to increase. This survey has identified that users are already using data services, and are willing to use future services as and when they become available. It is an encouraging sign that the respondents also recognise the need for security, with 81% believing it would be either good or very good to have more security. Only two respondents thought it would be a bad idea. This recognition shows that users are aware of the need for security, and are also possibly worried about their current level of protection. Interestingly, however, the desire for more security shows a downward trend as the respondents' age increases, as shown in Table 3.


Age Group      Responded positively (%)
Under 16       100
17-24          89
25-34          72
35-44          66
45-54          68
55 or older    42

Table 3 : Respondents' opinions on having additional security

Having established that respondents were generally accepting of additional authentication measures, the survey proceeded to assess their preferences for the forms that it could take.

Having determined that PIN-based protection is problematic, it is considered that other authentication methods based upon something the user knows (e.g. passwords) would be equally under-utilised or inconvenient. The implication of this is that the most sensible route for improving authentication is to base the approach upon a biometric technique (the other option for authentication, basing it upon something the user has, is likely to offer little advantage, as the phone itself is something the user has, and any supplementary authentication token would be likely to be kept with the device). With this in mind, the survey respondents were presented with a range of biometric authentication options and asked to indicate which of them would be preferable to the PIN. The biometrics offered as options were as follows: fingerprint recognition, voice print recognition, ear geometry, facial recognition, iris scanning, and typing style. All of these techniques have been the focus of previous research, and some are already widely recognised as commercial products in the domains of physical access control and desktop computing [10]. The respondents' opinions in relation to the techniques are illustrated in Figure 4.

[Figure: bar chart of positive responses by technique: Finger Print, Voice Print, Ear Geometry, Facial Recognition, Iris Scanning, Typing Style]

Figure 4 : Positive responses to biometric authentication techniques


Techniques such as ear geometry (in which the subscriber would be identified by the physical shape of their ear) and typing style (in which authentication would be based upon characteristic inter-keystroke latencies observed when subscribers dial numbers or otherwise interact with the keypad) are less recognised in the marketplace, but are considered particularly suited to non-intrusive application in a telephony context.

The results showed a strong preference towards fingerprint analysis, with approximately three quarters of the respondents selecting this option. Voice print analysis and iris scanning also achieved good scores, albeit significantly lower than fingerprint analysis in both cases. The remaining three techniques were demonstrably less popular, appealing to just over a quarter of respondents in each case. However, any conclusions drawn from these results should be tempered with the observation that the respondents are likely to have responded most positively to those ideas that they have already heard of. Fingerprints have long been known to provide a means of successfully identifying people, and indeed such techniques are already being used in mobile phones. Voice print analysis has also attracted much attention through the media, computer software applications, and also in the phone industry (albeit in the context of voice recognition for dialling numbers, rather than as a means of authentication). It is also fairly easy to understand this authentication technique, as people generally sound different.

Techniques such as ear geometry and typing style are newer, and less information is known about them. Although keystroke analysis techniques have been extensively researched for use in PC-based authentication [11,12], it is not a widely advertised or used technique. As for ear geometry, although it is not very difficult to imagine how this technique might possibly work, there are no current implementations on the general market, and knowledge about this technique would, therefore, have been very limited amongst the respondents.

The point, therefore, is not to regard the results as a conclusive attitude towards one technique over another. The key observation that can be made is that all techniques were (to some degree) considered favourably, and that if a technique were to be implemented that was less known about generally, a degree of education and awareness would be needed before wide scale adoption.

One advantage of certain biometrics when compared to the PIN is that they offer the potential for authentication to be performed on a continual basis rather than as a one-off judgement. Respondents were, therefore, asked whether they would consider continuous authentication during a call to be acceptable. The results revealed that 41% of respondents considered continuous authentication during a call to be a good idea, while 24% were against the idea, and 35% were indifferent to the idea. However, the actual number of users willing to break during their call to authenticate themselves is likely to be low, which implies that any continuous authentication method implemented would have to be non-intrusive (without explicit action by the user). Certain authentication techniques will clearly lend themselves to this better than others, for instance voiceprint, as the user would be talking on the phone already. Techniques such as keystroke analysis would not typically be viable during a traditional voice call, but could potentially provide a measure of authentication as each call is initiated, or during the conduct of keypad-oriented, non-voice sessions.

For all authentication techniques, including the PIN, some information needs to be stored so that a comparison is possible with the input data. The final objective of the survey was to establish users' opinions on where this profile should be stored - on the phone or in the network. The advantage of storing the profile on the phone is that authentication can then occur completely on the phone, with the result that no personal details are communicated to and from the network, and the network traffic overhead is minimised. However, the disadvantage is that the user is then restricted to being authenticated on the one phone. By having profile information stored on the network, users would be able to login at any network access point, thus enhancing their personal mobility. It would also enable the network operator to monitor the success or failure rates for possible misuse. Where a preference was expressed, the opinions from the survey respondents clearly favoured the profile being held in the handset, with 52% of respondents selecting this option. By contrast, 26% favoured the network, while 20% did not mind and 2% did not understand the question. Given that the respondents were probably not giving much thought to the issue of the network overhead, it is likely that their preference for the handset-based profile relates to the ability to retain control over their own profile data.

Discussion

Although the results have suggested the desire for a greater level of security, this clearly represents something of a contradiction when it is considered alongside the fact that many respondents do not even use the current method that has been provided for them. This suggests that it is the security technique, rather than the concept of security, that users are rejecting, and as such a move towards non-intrusive methods of authentication may provide the protection that users are looking for, but without the associated inconvenience that is currently perceived. Although fingerprint scanning was a favourite technique, it does not necessarily lend itself to non-intrusive implementation, as the user would need to place his/her finger on the scanner. If the scanner were to be placed in a natural area on the phone where a finger would normally be placed to hold the device, then the level of intrusiveness would be arguable. Voiceprint lends itself to both one-off and continuous monitoring of voice communications, but would either lose its non-intrusiveness, or the ability to authenticate, on data communications. Keystroke analysis also lends itself to non-intrusive authentication for one-off monitoring and would be more likely to facilitate continuous monitoring during the utilisation of keypad-oriented services.

Since none of the biometrics discussed can provide non-intrusive authentication for all possible scenarios, and secondly cannot provide 0% false acceptance and false rejection rates, it would seem logical to provide a hybrid model of authentication, using a number of non-intrusive methods as first/second line security, with the PIN (or some other knowledge-based methods) providing a fallback method if needed. Current research is focusing upon the realisation and evaluation of such an approach, and the authors are investigating the application of biometrics in this context. A preliminary investigation of keystroke analysis has been conducted to assess whether it is possible to authenticate people from the way in which they dial numbers on a standard GSM handset. Although the results are not conclusive at this stage (with false acceptance and false rejection errors of around 15% being observed), it is considered that refinement of the technique may yield better performance. The full results from this element of the investigation will be published in due course.
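The trade-off behind the error rates quoted above can be made concrete. The following is an added example, not code from the authors' investigation: it assumes a simple mean-latency template with a distance threshold, and every latency value, function name and the PIN are constructed for illustration. It sweeps the threshold to show false acceptance against false rejection, then applies the hybrid rule of a non-intrusive check first with the PIN as fallback.

```python
import hmac

# Constructed inter-keystroke latencies (ms) for one fixed five-key entry.
ENROLMENT = [
    [200, 300, 250, 400],
    [220, 280, 270, 380],
    [180, 320, 230, 420],
]
# Later attempts by the enrolled subscriber (the last one typed while distracted).
GENUINE = [
    [210, 290, 260, 390],
    [190, 330, 240, 410],
    [230, 310, 280, 440],
    [260, 350, 300, 460],
]
# Attempts by other people entering the same digits.
IMPOSTOR = [
    [150, 200, 180, 300],
    [300, 400, 350, 500],
    [240, 340, 270, 440],
    [120, 450, 150, 600],
]


def build_template(enrolment):
    """Mean latency at each key transition across the enrolment samples."""
    return [sum(col) / len(col) for col in zip(*enrolment)]


def distance(sample, template):
    """Mean absolute deviation (ms) between a sample and the template."""
    if len(sample) != len(template):
        raise ValueError("sample and template must cover the same key sequence")
    return sum(abs(s - t) for s, t in zip(sample, template)) / len(template)


def error_rates(genuine, impostor, template, threshold):
    """Return (FAR, FRR); a sample is accepted when distance <= threshold."""
    false_accepts = sum(distance(s, template) <= threshold for s in impostor)
    false_rejects = sum(distance(s, template) > threshold for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def hybrid_decision(sample, template, threshold, entered_pin=None, stored_pin=None):
    """Non-intrusive keystroke check first; ask for the PIN only if it fails."""
    if distance(sample, template) <= threshold:
        return "accept (keystroke)"
    if entered_pin is not None and stored_pin is not None:
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entered_pin.encode(), stored_pin.encode()):
            return "accept (PIN fallback)"
    return "reject"


TEMPLATE = build_template(ENROLMENT)


def sweep(thresholds):
    """FAR and FRR at each candidate threshold, as (threshold, FAR, FRR)."""
    return [(t,) + error_rates(GENUINE, IMPOSTOR, TEMPLATE, t) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep([20, 30, 40, 60]):
        print(f"threshold {t:>2} ms  FAR {far:.0%}  FRR {frr:.0%}")
    # A legitimate but atypical entry is rescued by the fallback, not locked out.
    print(hybrid_decision(GENUINE[3], TEMPLATE, 30, entered_pin="4821", stored_pin="4821"))
```

Tightening the threshold lowers false acceptance at the cost of rejecting the legitimate subscriber more often, which is why the fallback path matters for usability.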


Conclusions

The survey findings have indicated a weakness of the current security provisions on mobile handsets, in that the authentication technology is optional and, therefore, not used by a large proportion of users. However, subscribers have shown both the need and the desire for additional security, and have responded positively towards a number of alternative authentication techniques. At the same time, the results showed that many respondents do not use the current security techniques that are available to them. In view of this, it can be assumed that a non-intrusive method of authentication may prove to be most acceptable and widely utilised by end users.

With the introduction of the third generation phones, a range of new advanced services will become available, services that the respondents in the survey indicated that they would be keen to use. In this context, the protection of users' information must become a prime concern, especially when considering the possible sensitivity of the data, and the need for a successful transition into a multi-billion dollar m-commerce market. Security is essential, and approaches must be employed that subscribers will tolerate and use.

References

[1] Intekom. 2001. Latest Global & Regional Cellular Statistics. http://home.intekom.com

[2] ITU. 2001. Full description of the IMT-2000 (International Mobile Telecommunications) initiative located on the ITU (International Telecommunications Union) website at www.itu.int, Radio-Communication (ITU-R) division.

[3] UMTS Forum. 1998. The Path towards UMTS - Technologies for the Information Society. Report no. 2. The UMTS Forum. http://www.umts-forum.org/reports.html

[4] 3GPP. 2000. Terms of Reference: Services and System Aspects - Working Group 3. TSG SA WG3 - Security. http://www.3gpp.org/TSG/ToR/TSG-SA/sa3-tor.htm

[5] Jobusch, D.L. and Oldehoeft, A.E. 1989. "A Survey of Password Mechanisms: 1", Computers & Security, Vol. 8, No. 7: 587-604.

[6] Cope, B.J.B. 1990. "Biometric Systems of Access Control", Electrotechnology, April/May: 71-74.

[7] CSI. 2001. "2001 CSI/FBI Computer Crime and Security Survey", Computer Security Issues & Trends, vol. VII, no. 1. Computer Security Institute. Spring 2001.

[8] SAGEM. 2000. "SAGEM points a finger at GSM", Press Release, 24 January 2000. http://www.sagem.com/en/communiques-en/cp-lsem2000-en.htm#mc 959 id empreinte

[9] Miller, S. 2001. "Mobile sales soar, driven by teenage market", MediaGuardian report, 23 May 2001. http://media.guardian.co.uk/newmedia/story/0,7496,495263,00.html.

[10] Polemi, D. 1997. Biometric Techniques: Review and Evaluation of Biometric Techniques for Identification and Authentication, Institute of Communication and Computer Systems, National Technical University of Athens. April 1997.

[11] Legget, J. and Williams, G. 1988. "Verifying identity via keystroke characteristics", International Journal of Man-Machine Studies, 28.

[12] Joyce, R. and Gupta, G. 1990. "Identity Authentication Based on Keystroke Latencies", Communications of the ACM, Volume 33, February 1990.


H9 Poster Presentation

Third International Networking Conference (INC 2002)

July 2002, University of Plymouth, Plymouth, UK.

"Biometrics - Authentication You Are Born With"


[Poster image: "Biometrics - Authentication You Are Born With", INC 2002. Legible text: "Do you know your Biometrics?"; "By the time she buys her first mobile device, biometrics could be as common-place as the PIN is today".]


H10 Poster Presentation

Biometrics 2002

November 2002, Excel Centre, London, UK.

"Non-Intrusive Biometric Authentication for Mobile Devices"

Poster awarded 'Best Student Prize'


H11 Additional Published Works

Additional published works are expected to emerge from the HAT-related research. At the time of going to press a journal paper entitled "A novel non-intrusive authentication mechanism for application in mobile devices" was in final draft, pending submission to the journal Computers and Security (Elsevier Science).


Appendix I

Patent Material

I1 Patent Proposal

I2 UK Patent Application - no. 2,375,205

I3 US Patent Application - no. 10/476,588


I1 Patent Proposal

Copy of an original patent proposal, based on the core PhD Research, presented to Orange lawyers (circa 2001), for legal formatting and formal UK & US patent application submission.


Patent Proposal

ABSTRACT

A proposal of an idea for a novel continuous, non-intrusive, biometric authentication technique; for initial application in a mobile communications environment. The technique will utilise wave propagation effects to extract and exploit a unique biometric based on the physiological modification of sound waves. The primary realisation of this technique will exploit the exclusive topography of the human head.

AUTHOR

Philip Rodwell, Orange PLC, Bristol.

CONTRIBUTORS

Prof. Paul Reynolds, Orange PLC, Bristol.

Dr. Steven Furnell, Manager Network Research Group, DCEE, University of Plymouth.

INTRODUCTION

Security provisions within the current GSM European mobile telecommunications network are primarily aimed at secure communications through data encryption and terminal authentication via use of a smart card, the Subscriber Identity Module (SIM). The proposed services of 3rd Generation (3G) mobile systems demand a more secure subscriber based authentication system in order to provide greater protection of more advanced and personal information in the event of a masquerade attack.

Current security provision includes an International Mobile Equipment Identifier (IMEI), to identify and protect the Mobile Equipment (ME) and a Personal Identification Number (PIN), to authenticate a user to and subsequently access the SIM. As the PIN technique is fundamentally Point of Entry (PoE) authentication, is not physiologically personal to the actual subscriber, and is based on transferable knowledge, it is vulnerable to masquerade attacks. This proposal presents a technique which can potentially overcome the problems of the current system, being both suitable for continuous authentication and being based on a subscriber's individual physiological signatures. Such biometric authentication approaches are advantageous in that they cannot be forgotten, lost or stolen in the same way that would be possible with approaches based upon secret knowledge or the possession of physical tokens.

What is required is a biometric that can be applied effectively and non-intrusively in a telephony context.

DESCRIPTOR

When a person hears a sound, owing to the unique topography and sensitivity of the inner-ear and auditory canal, individually, that person will perceive a different sound to a second person listening to the same sound¹.

The idea proposes a way of utilising this exclusivity as a novel means of biometric authentication; with an initial leaning towards mobile communications.

¹ Auditory Perception, A New Analysis and Synthesis. R.M. Warren, © Cambridge University Press, 1999.


While it is possible to identify numerous other physiological and behavioural biometric techniques (e.g. fingerprint recognition, face recognition), none are ideally suited to transparent and non-intrusive application within a voice telephony context.

The closest usable biometric authenticator for telephony is speaker verification, in which the subscriber may be authenticated based upon the analysis of their voice characteristics. Some examples of work in this important area are the European Commission funded CAVE² and PICASSO³ projects.

In practice, however, the speaker verification technique has several drawbacks that limit its application and the degree of protection that it can provide:

• Verification is most effective (accurate) when the user profile is constructed on the basis of known words or phrases. In this context (text dependent), authentication can only occur when the specific phrase(s) that have been profiled are then spoken - which may give limited opportunity in many scenarios.

• Continuous (text independent) verification is less reliable, which could lead to false rejections and, therefore, result in inconvenience to legitimate subscribers.

• The technique requires the subscriber to be speaking before an authentication judgement can be made. In certain scenarios, this would not need to be the case in order for security to be compromised (e.g. retrieval of sensitive messages from a voicemail system may require no spoken interaction from an impostor).

In developing a system to utilise the new proposed idea, one important criterion is the non-intrusive nature of the technique. This system transparency presents the novel possibility of continuous authentication within the mobile telephony environment.

There are a number of approaches to realising this novel biometric signature:

• The primary approach will use an inband (human auditory range) pulse of pink noise (band-limited white noise), of short enough duration as to be undetectable, or at least non-intrusive to the user. The resulting reflected spectrum will then be used as the authenticating signature. Using an inband pulse will prevent any onboard filtering from modifying the generated pulse and negate the need for modified hardware. The pulse will be initiated from the network as and when requested by the security architecture, leaving control of security access to the network operator. In addition, it is possible to signature the pink noise pulse by varying the amplitudes at selected frequencies, adding a further level of security to the system. This pink noise signature could possibly be used unique to the network/user or varied according to a specific algorithm.

• A second approach will utilise the telephone's side-tone (via the ether) as a reference sound source, making a comparison with the same original sound as it is detected at the earpiece of a handset after traversing through the skull of the user to the ear. The modified sound will have been subjected to, in addition to other effects, the wave effects of reflection, summing, differencing in addition to the absorption characteristics of the varying densities and thicknesses of the solids and fluids in the human skull. This difference spectrum from the direct/indirect path could be used as the authentication signature, being compared with a reference stored in either the terminal or the network.

One disadvantage of this system is that it would require the user to speak, or at least make a sound into the system before authentication could take place, unless a suitable pink noise tone was utilised for initial PoE authentication purposes.

² The European CAller VErification Project. http://www.pn-telecom.nl/cave/

³ Picasso Project, http://www.picasso.kpn-telecom.nl/


• A third approach is the use of frequencies in the out-of-band, ultra-sonic frequencies. This technique could adopt either of the first two principles of signature creations, being based either on reflection or modified transition owing to the skull. As this technique would be inaudible to the user, authentication would be completely transparent.
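A minimal model of the first approach, as an added example that is not taken from the proposal: it assumes the ear can be treated as a fixed per-band gain, that the network picks the probe amplitudes afresh for each challenge, and that a tolerance of 0.05 is acceptable; the band frequencies, gains and names are all constructed, and per-band amplitudes stand in for the noise pulse. It shows the reflected spectrum being normalised by the probe before comparison with the stored reference, and that a response recorded under one probe pattern does not verify under another.

```python
import secrets

BANDS_HZ = [500, 1000, 2000, 3000]   # constructed in-band probe frequencies
LEVELS = [0.25, 0.5, 0.75, 1.0]      # amplitudes the network may assign to a band

# Constructed per-band reflection gains standing in for two users' ears.
USER_A = [0.80, 0.50, 0.65, 0.30]
USER_B = [0.60, 0.70, 0.40, 0.45]

# Two fixed probe patterns so the results below are reproducible.
PROBE_1 = [1.0, 0.5, 1.0, 0.5]
PROBE_2 = [0.5, 1.0, 0.5, 1.0]


def new_probe():
    """Network side: choose a fresh amplitude for every band of this challenge."""
    return [secrets.choice(LEVELS) for _ in BANDS_HZ]


def reflect(probe, ear_gain, measurement_error=None):
    """Toy ear model: each probe band is scaled by the user's gain for that band."""
    err = measurement_error or [0.0] * len(probe)
    return [p * g + e for p, g, e in zip(probe, ear_gain, err)]


def estimate_gain(probe, reflected):
    """Divide out the probe so the estimate depends on the ear, not the challenge."""
    return [r / p for r, p in zip(reflected, probe)]


def verify(probe, reflected, reference, tolerance=0.05):
    """Accept only if every band of the estimate is within tolerance of the reference."""
    estimate = estimate_gain(probe, reflected)
    return max(abs(e - r) for e, r in zip(estimate, reference)) <= tolerance


if __name__ == "__main__":
    noise = [0.01, -0.01, 0.02, 0.0]                  # constructed measurement error
    genuine = reflect(PROBE_2, USER_A, noise)
    print("enrolled user :", verify(PROBE_2, genuine, USER_A))
    print("other user    :", verify(PROBE_2, reflect(PROBE_2, USER_B), USER_A))
    recorded = reflect(PROBE_1, USER_A)               # response captured under PROBE_1
    print("replay, same probe   :", verify(PROBE_1, recorded, USER_A))
    print("replay, varied probe :", verify(PROBE_2, recorded, USER_A))
```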

All of the above systems would need to be able to update user authentication signatures dynamically as a user's physiology changes with age and/or health.

In determining the viability of the system for commercial application, research is addressing:

• the practicality of the resultant system;

• additional hardware requirements, specifically for mobile application;

• system efficiency in extracting exclusive biometric signatures;

• False Acceptance and False Rejection rates;

• the level of transparency to the end user.

BACKGROUND

After conducting an extensive literature search, I am unaware of any research applying these techniques to the area of authentication security.

The nearest area of similar research involves earprints⁴, based on outer ear geometry. This is applied in a similar way to the established biometric technique of hand geometry⁵, where a unique signature is devised from a physical image of the user's hand, based purely on its 2-dimensional shape.

[Figure: outer ear diagram; labels: anti-helix, antitragus, crus of helix, tragus]

ADDITIONAL COMMENTS

Potentially such a system would be extremely secure, as working in continuous authentication mode, only an authorised user's ear in close proximity to the ear-piece would permit the system to release information. As an extension to the system, it should also be possible to develop the system to work with a separate earpiece for authentication purposes outside of the mobile communications arena, e.g. PC based user authentication.

⁴ Automatic Ear Recognition - http://www.isis.ecs.soton.ac.uk. Image, Speech and Intelligent Systems Research Group, Department of Electronics and Computer Science, University of Southampton.

⁵ Hand Geometry Website: http://www.hand-scan.com


I2 UK Patent Application - no. 2,375,205

Copy of UK Patent Application: "Determining Identity Data for a User"


(12) UK Patent Application (19) GB (11) 2375205 (13) A

(43) Date of A Publication 06.11.2002

(51) INT CL: A61B 5/117

(71) Applicant(s): Orange Personal Communications Services Limited (Incorporated in the United Kingdom)

(72) Inventor(s): Philip Maurice Rodwell, Paul Reynolds

(54) Abstract Title: Determining identity of a user

(57) An interacted sound signal resulting from an original sound signal interacting with a part of the body of the user is representative of a physiological characteristic of the user and is used to identify the user.


DETERMINING IDENTITY DATA FOR A USER

Field of the Present Invention

The present invention relates to determining identity data for a user of an electronic device using a biometric technique. More particularly, but not exclusively, the present invention relates to using a biometric technique for authentication of a user of a telephony device.

Background of the Present Invention

Historically, there has been a general need for user authentication in the fields of electronics, data processing, computer networks and telecommunications. For example, the user of an automated telling machine (ATM) will normally be required to enter a personal identification number (PIN) before being allowed access to bank account services or funds. Similarly, for user access to private or public computer networks, such as an intranet or the Internet, typically the user will need to enter a user name and password before being allowed access. Internet Service Providers (ISPs) typically implement authentication, authorisation and accounting (AAA) systems to a) ascertain who the user is (authentication), b) determine access rights for the user (authorisation), and c) set up the necessary charging mechanisms for the user (accounting). The processes of authorisation and accounting are both dependent on successful authentication. Similarly, individual network resources such as Web sites, and other services, may also implement conditional access systems using, for example, user name and password entry.


In the field of mobile communications, in particular with second generation systems such as the Global System for Mobile communications (GSM), security is implemented through data encryption and subscriber authentication via use of a smart card known as the Subscriber Identity Module (SIM). The mobile station may optionally be set to require entry of a PIN before allowing access to the data stored on the SIM and non-emergency calls.

However, the technique of requiring a PIN is not truly personal to the subscriber and is based on transferable knowledge - i.e. the PIN code. Thus, the technique is vulnerable to masquerade attacks whereby a third party obtains or successfully guesses the PIN number and is able to masquerade as the subscriber. The same can be said of any technique requiring a password, such as the user name and password technique.

Furthermore, PIN or user name and password techniques are point of entry techniques, which only perform authentication periodically on the occurrence of certain events, such as on switching on a mobile station. Thus, an unauthorised party obtaining a previously authenticated mobile station may not be required to undergo further authentication until the mobile station is switched off or runs out of power. This problem is exacerbated with improvements in power capacity of mobile stations whereby mobile stations need hardly ever be switched off.

Furthermore, the problems of point of entry authentication techniques, such as requiring a PIN code or a user name and password, are becoming exacerbated with the advent of "always on" telecommunications access whereby a user of a fixed or mobile telecommunications device is provided with continuous access to network resources and services without having to periodically dial up a connection and undergo point of entry authentication.

With the advent of third generation mobile communications technologies, and with the convergence of fixed and mobile telecommunications and computer networks, more services of greater value will be accessible via both mobile and fixed stations. More advanced and potentially more sensitive information, such as bank account information, geographic location, private correspondence and so on, will be accessible from a multitude of telecommunications devices. For example, e-mail, e-commerce transactions, and location-based services may be available to users of both mobile and fixed telecommunications devices.

Thus, it can be seen that there will be an increasing need for greater security in future mobile and fixed telecommunications systems and, in particular, a need for enhanced, truly personal, and continuous, user-based authentication.

International publication no. WO 99/08238 discloses a portable client personal digital assistant (PDA) with a microphone and local central processing unit (CPU) capable of processing biometric data to provide user verification. The device includes a modem to provide direct communications with peripheral devices and is capable of transmitting or receiving information through wireless communication. Optionally, a biometric sensor may be provided for collecting biometric data such as a finger, thumb or palm print, a handwriting sample, a retinal vascular pattern, or a combination thereof, to provide biometric verification. However, the document discloses a preference for biometric verification through voice data.

International publication no. WO 99/45690 discloses a protected access system for controlling access to networks such as telephone networks, which may use biometric characteristics for subscriber identification. The document discloses using any of three biometric characteristics for authentication, namely, retina patterns, speech or voice characteristics or fingerprints.

International publication no. WO 99/54851 discloses a device, such as a mobile telephone and SIM card, comprising sensors for detecting biometric characteristics and a data processing device for determining authentication information from the biometric characteristics. The document discloses using any of three biometric characteristics, namely, fingerprints, retinal patterns, and voice or speech characteristics.

US Patent no. 5,872,834 discloses a telephone provided with a contact imaging device for obtaining biometric data to identify or authenticate the user. Contact imaging devices are stated to include electrical contact imaging sensors such as capacitive fingerprint imagers and optical contact imaging sensors such as optical fingerprint imagers. The user must make physical contact with an electrical or optical component of the imager for biometric data to be obtainable.

The CAVE project (CAller VErification in banking and telecommunications) and the follow up project PICASSO (Pioneering Caller Authentication for Secure Service Operation) are known research projects in the field of speaker verification in which authentication of a user of a telephony service is based upon an analysis of their voice characteristics. Both research projects focussed on text-dependent speaker verification, in the sense that the verification procedure assumes that the text of the spoken utterance is known by the verification system. This results in more accurate verification, but requires the user to utter known words or phrases before authentication may take place.

One problem with voice or speaker verification techniques is that for accuracy, the subject must utter pre-determined words or phrases, which may not be possible in many cases and may become inconvenient and tiresome for the subject. Furthermore, if text dependent techniques are used, continuous verification is not possible. In any case, whether text dependent or independent techniques are used, the subject is required to be speaking before an authentication judgement can be made. These and other problems are solved by the present invention.

Summary of the Present Invention

According to a first aspect of the present invention, there is provided a method of determining identity data in respect of a user of an electronic device such as a telephony device, the method comprising the steps of:

a) receiving an interacted sound signal resulting from an original sound signal interacting with a part of the body of the user;

b) deriving a signature from at least the interacted sound signal, the signature being representative of a physiological characteristic of the user, the physiological characteristic not being a characteristic of the voice or speech of the user;

c) determining the identity data in dependence on the signature.

The interacted sound signals may be received more or less continuously and provide data from which a physiological characteristic of the user can be determined. Thus an enhanced, truly personal, and, if desired, continuous, user-based method of authentication is provided.

According to a preferred embodiment of present invention, the electronic device generates the original sound signal. Preferably, the original sound signal is undetectable or non-intrusive to the user. The sound signal may be outside the human auditory frequency range or, alternatively, inside the human auditory frequency range but of sufficiently short duration so as to be undetectable or unobtrusive. Thus, identity data may be determined by comparing an original sound signal, with known characteristics, to the received interacted sound signal, without disturbing the user.

According to another preferred embodiment of present invention, the original sound signal has a pre-selected characteristic, and the step of determining the identity data in dependence on the signature is dependent on the pre-selected characteristic. Thus, improved accuracy of authentication may be achieved by selecting a sound characteristic appropriate to the physiological characteristic being used for authentication.

Preferably, in a first determination of identity data, the original sound signal has a first pre-selected characteristic, and in a second determination of identity data, the original sound signal has a second pre-selected characteristic different to the first pre-selected characteristic. For example, the sound characteristic may be selected on a random or pseudo-random basis. Thus, security is generally improved against, for example, masquerade attacks by providing a varying "challenge" to the user.

Preferably, the pre-selected characteristic is selected by a process performed externally to the electronic device. Thus security is further improved against, for example, attacks in which the security processes of the electronic device have been determined by the attacker.

Preferably, the pre-selected characteristic is selected in dependence on a) an identity or characteristic of an authorised user of the electronic device; b) an identity or characteristic of an authorised user of a service accessible via the electronic device; and/or c) the identity or characteristic of a provider of a service accessible via the electronic device. Thus, a variable level of security may be selected appropriate to the particular circumstances of use.

In a further embodiment of the present invention, there is provided a method according to the first aspect, comprising the step of:

aa) receiving the original sound signal, wherein the original sound signal is produced by the user and the signature is derived from the interacted and original sound signals.

For example, the original sound signal may be the voice or speech of the user. Thus, authentication may take place using an original sound signal generated by the user without the need for the electronic device to generate sound signals for that purpose.

According to another preferred embodiment, the electronic device is a telephony device and comprises an earpiece for generating sound signals, a mouthpiece for receiving sound signals and other sound signal processing apparatus. Thus, authentication of a user of the telephony device may be performed by receiving and/or processing sound or signals representing sound using apparatus present in the device for other purposes, thereby taking advantage of existing apparatus in the telephony device.

According to another preferred embodiment, the physiological characteristic relates to the physiology of the auditory apparatus or head of the user. Thus, advantage is taken of the unique topographies of the human ear or human head to perform accurate authentication.

The method of determining identity data may be carried out by a telecommunications network comprising an electronic device connectable to one or more network nodes or by a stand-alone electronic device. The electronic device may be a telephony device such as a mobile station of a mobile telecommunications network.

According to a second aspect of the present invention, there is provided a telephony device arranged to process sound signals for use in determining identity data in respect of a user, the telephony device comprising audio signal coding/decoding apparatus arranged to use a first data coding format for coding or decoding the voice or speech of a user and a second different data coding format for coding or decoding sound signals for use in determining identity data of a user. Thus, the data coding format used may be optimised to the characteristics of the sound signals used when determining identity data in respect of a user.

According to a third aspect of the present invention, there is provided a telephony device comprising a locally accessible data store, the data store storing data representing one or more original sound signals, the telephony device being controllable by a remote device to generate an original sound signal using data stored in the data store and to receive an interacted sound signal resulting from the original sound signal interacting with a part of the body of a user for use in determining identity data in respect of the user. Thus, the quality of original sound signal generated may be guaranteed and network traffic reduced.

According to a fourth aspect of the present invention, there is provided a telephony device comprising a loudspeaker for generating an original sound signal and a microphone for receiving an interacted sound signal resulting from an original sound signal having interacted with a part of the body of a user of the telephony device, the telephony device being arranged so that, when in normal operation by a user, the loudspeaker and microphone are located adjacent to an ear of the user.

According to a fifth aspect of the present invention, there is provided an earpiece or headpiece for use with a telephony device, the earpiece or headpiece comprising a loudspeaker for generating an original sound signal and a microphone for receiving an interacted sound signal resulting from an original sound signal having interacted with a part of the body of a user of the telephony device, the earpiece or headpiece being arranged so that, when in normal operation by a user, the loudspeaker and microphone are located adjacent to an ear of the user.


According to a sixth aspect of the present invention, there is provided a method of determining identity data in respect of a user of an electronic device, the method comprising:

a) receiving a sound signal resulting from an original sound signal having interacted with a part of the body of the user;

b) determining the identity data in dependence on a characteristic derived from the received interacted sound signal.

Further aspects of the invention are as set out in the appended claims.

There now follows, by way of example only, a detailed description of preferred embodiments of the present invention in which:

Figure 1 is a schematic diagram of a known mobile station of a mobile telecommunications network for use in the present invention;

Figure 2 is a schematic diagram of an adapted mobile station for use in the present invention;

Figure 3 is a schematic diagram showing the process of determining identity data for a user in a first mode where the mobile station generates the original sound;

Figure 4 is a schematic diagram showing the process of determining identity data for a user in a second mode where the mobile station generates the original sound; and

Figure 5 is a schematic diagram showing the process of determining identity data for a user in a third mode where the user generates the original sound.


Detailed Description of Preferred Embodiments of the Present Invention

Figure 1 is a schematic diagram of a known mobile station of a second generation mobile telecommunications network, such as a GSM network, for use in the present invention. The mobile station 10 comprises a transmit/receive aerial 12, a radio frequency transceiver 14, a speech coder/decoder 16 connected to a loudspeaker 18 and a microphone 20, a processor circuit 22 and its associated memory 24, an LCD display 26 and a manual input port (keypad) 28, and a removable SIM 30. The loudspeaker 18 and microphone 20 are both connected to the processor circuit 22 via speech coder/decoder 16. Speech coder/decoder 16 comprises an analogue to digital converter (ADC) connected to microphone 20 and a digital to analogue converter (DAC) connected to loudspeaker 18. Mobile station 10 may communicate with a mobile telecommunications network using radio signals transmitted by transmit/receive aerial 12.

Typically, coder/decoder 16 uses a digital coding format optimised for efficient transmission of data representing voice or speech over low bandwidth communications channels. In particular, the coding formats used generally do not substantially represent sound at frequencies outside the human auditory range. Thus, in embodiments of the present invention using standard, unadapted mobile stations for second generation mobile networks, the process of determining identity data is preferably performed using in-band (i.e. within the human auditory frequency range) sound signals. Alternatively, in embodiments of the present invention using out-of-band sound signals, in particular ultra-sonic signals, an adapted mobile station may be used in which coder/decoder 16 is arranged to use a different data coding format, when being used for the purposes of determining identity data, the different data coding format being suited to represent the sound signals at the frequencies used.

Figure 2 is a schematic diagram of an adapted mobile station for use in the present invention. The mobile station 10 of Figure 2 is as described with reference to Figure 1, save that an additional microphone 32 is located at the earpiece close to loudspeaker 18 and also connected to speech coder/decoder 16. A further ADC may also be provided in coder/decoder 16 connected to microphone 32 for separately converting the analogue signals received from microphone 32. Again, for embodiments of the present invention using out-of-band sound signals, coder/decoder 16 may be arranged, when being used for the purposes of determining identity data, to use a data coding format suited to represent the sound signals at the frequencies used. According to a further embodiment of the present invention, the functions of loudspeaker 18 and microphone 32 are both performed by a single sound transceiver located at the earpiece of mobile station 10.

Although Figures 1 and 2 show mobile stations using inbuilt loudspeakers and microphones, "hands-free" equipment consisting of a loudspeaker and/or microphone separate from but connectable to the mobile station, may also be used in the present invention. Furthermore, an adapted hands-free earpiece or headpiece comprising a loudspeaker and microphone corresponding to loudspeaker 18 and microphone 32 of Figure 2 may also be used when connected to an adapted mobile station such as shown in Figure 2. Alternatively, the loudspeaker and microphone of the adapted earpiece or headpiece may be combined into a single sound transceiver as described above.

The process of determining identity data for a user of mobile station 10 may be controlled by either processor 22, the processor of SIM 30, or by one or more nodes of the mobile telecommunications network. We shall refer to the entity controlling the process of determining identity data as the authenticating entity. In embodiments of the present invention in which original sound signals are generated by loudspeaker 18 of mobile station 10, digital data representing an original sound signal, formatted in a suitable data coding format, is sent by the authenticating entity to coder/decoder 16 for decoding and causing the generation of the original sound signal at loudspeaker 18. Conversely, interacted sound signals received by microphones 20 or 32 are coded into digital data by coder/decoder 16 and are sent to the authenticating entity. Where the authenticating entity is the processor of SIM 30, the data is sent over the mobile station/SIM interface. Where the authenticating entity is a node of the mobile telecommunications network, the data is sent over the radio interface via radio frequency transceiver 14 and transmit/receive aerial 12.

In embodiments of the present invention in which original sound signals are generated by loudspeaker 18 of mobile station 10, a plurality of different original sound signals may be used. The authenticating entity may generate the data representing the original sound signal to be used, or select from one or more pre-generated data items stored in a data store accessible to it. For example, where processor 22 is the authenticating entity, pre-generated data may be stored in memory 24. Where the processor of SIM 30 is the authenticating entity, pre-generated data may be stored in a memory of the SIM card. Alternatively, the authenticating entity may control the generation of the data representing the original sound signal by another device, or control another device to select from one or more pre-generated data items stored in a data store accessible to the other device. For example, where the authenticating entity is a node of the network, the node may choose a pre-determined original sound signal to be used and control processor 22, or the processor of SIM 30, to generate or select pre-generated data representing the chosen signal.

Figure 3 is a schematic diagram showing the process of determining identity data for a user in a first mode where mobile station 10 generates the original sound signal. Mobile station 10 is an adapted mobile station as described with reference to Figure 2. When in normal operation, a user holds mobile station 10 to his or her head 40 so that the loudspeaker 18 and microphone 32 of the earpiece are adjacent an ear 42 of the user. When authentication is required by the authenticating entity, coder/decoder 16 is controlled to cause loudspeaker 18 to generate an original sound signal 44. Preferably, the generated sound signal is pink noise (i.e. band-limited white noise) within the human auditory range (approximately 20 - 20,000 Hz), so that the standard data coding format of coder/decoder 16 may be used. However, the signal is of short enough duration so as to be undetectable or at least non-intrusive to the user. In an alternative embodiment, out-of-band (i.e. outside the human auditory range) sound frequencies may be used, in particular ultra-sonic frequencies which enable a higher physical resolution than lower frequency signals. Ultra-sonic frequencies would be undetectable to the user thus resulting in completely transparent authentication. In this case, coder/decoder 16 is arranged to use a data coding format suited to the frequency range of the signals 44 and 46 as described above.

Additionally, the original sound signal 44 may have a pre-determined signature. For example, a pink noise signal may be adapted by varying the amplitudes of the signal at selected frequencies. By selecting from a plurality of original sound signals with different signatures, further security is added to the system in that an attacker is presented with a varying "challenge". The sound signal 44 of pre-determined signature is preferably selected by the authentication entity. Selection may be on a random or pseudo-random basis, or in dependence on a) an identity or characteristic of an authorised subscriber of the mobile network, b) an identity or characteristic of an authorised user of services accessible via the mobile station and/or c) an identity or characteristic of the provider of services accessible via the mobile station. For example, varying levels of security may be required by different users or by different telecommunications networks or by the providers of services or resources available using the mobile station. More specifically, a subscriber authorised for voice calls only, may, for example, only be required to undergo low-level authentication, whereas a subscriber authorised to access highly personal information via the mobile station, such as bank account information or geographic or positioning information, may be required to undergo high-level authentication.

The interacted sound signal 46, having been reflected in the soft tissues of the inner ear and auditory canal of the user, is then received by microphone 32 and converted into digital data by coder/decoder 16. The digital data output from coder/decoder 16 is then sent to the authenticating entity for analysis. Data representing the original sound signal 44 and the received interacted sound signal 46 are then compared to determine a signature corresponding to the physiological topology of the inner ear and auditory canal of the user. This may be performed using known techniques of digital audio signal processing such as using Fast Fourier Transforms (FFTs) to obtain a frequency response.

The generated physiological signature is then compared to a pre-stored physiological signature or statistical model for the authorised subscriber to determine authenticity. If the determined signature matches within a predetermined level of tolerance, then the user of mobile station 10 is authenticated. However, if the determined signature does not match within the tolerance level, then the user of mobile station 10 is not authenticated. The process of determining the degree of match between the generated physiological signature and the pre-stored physiological signature uses known techniques of statistical pattern matching.

The pre-stored physiological signature or statistical model for the authorised subscriber of mobile station 10 may be determined in much the same manner as for subsequent determination of identity data according to the present invention. More specifically, on registration, the subscriber may be required to undergo a process to determine the physiological signature or statistical model to be stored and used for subsequent determination of identity data. By generating a plurality of test original sound signals and receiving the corresponding interacted signals a single average physiological signature or a more detailed statistical model indicating a normal range for the subscriber's physiological signature may be derived. Preferably, the test signals generated are sufficiently numerous so that an accurate average physiological signature or statistical model may be determined. Optionally, the test signals may comprise signals of different sound signatures corresponding to the different sound signatures that may be selected by the authenticating entity on subsequent determination of identity data.

Furthermore, because the topography of the inner ear and auditory canal may change gradually over time, especially with children and through ill health, the pre-stored signature or statistical model for a subscriber may be varied gradually over time in dependence on data determined during normal authentication procedures. For example, whilst a user presenting a radically different physiological topography will be rejected since the difference will exceed the predetermined level of tolerance, a gradual and consistent change within the predetermined level of tolerance may be interpreted as a normal change in the topography of the inner ear and auditory canal, and the pre-stored signature or statistical model for that subscriber altered accordingly.
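The signature comparison, the varying "challenge" and the gradual template update described above can be sketched as follows. This is an added example, not code from the patent or the thesis: the FIR echo taps standing in for an ear, the burst length, the band, the tolerance and the adaptation rate are all constructed assumptions, and a plain DFT is used where the text mentions FFTs.

```python
import cmath
import math
import random

N = 256               # samples per probe burst (assumed)
BAND = range(8, 40)   # DFT bins carrying the probe and the signature (assumed)
TOLERANCE_DB = 1.0    # the "predetermined level of tolerance" (assumed value)
ALPHA = 0.1           # rate at which the template follows accepted sessions (assumed)

# Constructed echo taps standing in for two different ears (not measured data).
OWNER = [1.0, 0.0, 0.45, 0.0, 0.0, -0.3, 0.0, 0.15]
OTHER = [1.0, 0.0, 0.0, 0.4, 0.0, 0.0, -0.25, 0.1]


def dft_bins(x):
    """DFT of x at the BAND bins only (plain O(N*K) transform)."""
    return [sum(v * cmath.exp(-2j * math.pi * k * i / N) for i, v in enumerate(x))
            for k in BAND]


def make_challenge(seed):
    """Noise-like probe: one tone per bin, amplitude and phase set by the seed."""
    rng = random.Random(seed)
    tones = [(k, rng.uniform(0.5, 1.5), rng.uniform(0, 2 * math.pi)) for k in BAND]
    return [sum(a * math.cos(2 * math.pi * k * i / N + p) for k, a, p in tones)
            for i in range(N)]


def ear_response(probe, taps, seed=0):
    """Interacted signal: circular FIR echo model plus microphone noise."""
    rng = random.Random(seed)
    return [sum(h * probe[(i - d) % N] for d, h in enumerate(taps)) + rng.gauss(0, 0.01)
            for i in range(N)]


def signature(probe, received):
    """Frequency response in dB: interacted spectrum over original spectrum."""
    return [20 * math.log10(abs(y / x) + 1e-12)
            for x, y in zip(dft_bins(probe), dft_bins(received))]


def distance(sig, template):
    """RMS difference in dB between a fresh signature and the stored template."""
    return math.sqrt(sum((s - t) ** 2 for s, t in zip(sig, template)) / len(sig))


def enrol(taps, seeds):
    """Average the signatures obtained from several different test probes."""
    sigs = []
    for s in seeds:
        probe = make_challenge(s)
        sigs.append(signature(probe, ear_response(probe, taps, seed=s)))
    return [sum(col) / len(col) for col in zip(*sigs)]


def authenticate(template, probe, received, adapt=True):
    """Return (accepted, distance, template); the template moves only on acceptance."""
    sig = signature(probe, received)
    d = distance(sig, template)
    if d <= TOLERANCE_DB and adapt:
        template = [(1 - ALPHA) * t + ALPHA * s for t, s in zip(template, sig)]
    return d <= TOLERANCE_DB, d, template


def run_scenarios():
    template = enrol(OWNER, seeds=range(100, 108))
    new, old = make_challenge(1), make_challenge(2)

    def accepted(received):
        return authenticate(template, new, received, adapt=False)[0]

    results = {
        "owner": accepted(ear_response(new, OWNER, 11)),
        "other_ear": accepted(ear_response(new, OTHER, 12)),
        # A response recorded for an older probe does not fit the new one.
        "stale_response": accepted(ear_response(old, OWNER, 13)),
    }
    # Slow physiological drift: tap 2 moves from 0.45 to 0.85 over 40 sessions.
    adaptive, all_accepted = template, True
    for n in range(1, 41):
        taps = OWNER[:2] + [0.45 + 0.01 * n] + OWNER[3:]
        probe = make_challenge(1000 + n)
        ok, _, adaptive = authenticate(adaptive, probe, ear_response(probe, taps, n))
        all_accepted = all_accepted and ok
    final = signature(probe, ear_response(probe, taps, 99))
    results["drift_tracked"] = all_accepted
    results["drift_vs_static_db"] = distance(final, template)
    results["drift_vs_adaptive_db"] = distance(final, adaptive)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```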

Figure 4 is a schematic diagram showing the process of determining identity data for a user in a second mode where the mobile station generates the original sound. Mobile station 10 is the standard mobile station as described with reference to Figure 1. The processes for determining identity data are as described above for the first mode where the mobile station generates the original sound, save that the interacted sound signal 48 is received by the standard microphone 20 located at the mouthpiece of mobile station 10 rather than by microphone 32 located at the earpiece. Thus, after loudspeaker 18 has generated an original sound signal 44, the interacted sound signal 48 is received by microphone 20 having traversed through the skull and soft tissues of the head of the user, and a signature is derived corresponding to the physiological topography of bone and soft tissues forming the user's head.

Optionally, sound signals transmitted from loudspeaker 18 to microphone 20 directly through the body of mobile station 10 may be cancelled from the received sound signal using signal processing techniques. For a given make and model of mobile station, the physical arrangement of components of the mobile station in normal operation is fixed. Thus, for a given original sound signal, a cancellation signal corresponding to the sound transmitted directly through the body of mobile station 10 may be determined and subtracted from the signal received by microphone 20. Thus a sound signal corresponding to the interaction of the original sound signal with substantially only the head of the user of mobile station 10 may be determined. In embodiments using hands-free equipment, the effect of sound transmission through the body of the mobile station is greatly reduced and cancellation may not be necessary.

Figure 5 is a schematic diagram showing the process of determining identity data for a user in a third mode where the user generates the original sound. Mobile station 10 is an adapted mobile station as described with reference to Figure 2. Whilst it has been described above how mobile station 10 may be used to generate the original sound for determining identity data for a user, in this alternate embodiment, the original sound signal is generated by the user of mobile station 10 - i.e. the original sound is the voice or speech 50 of the user. This original sound signal is received directly by microphone 20, located at the mouthpiece, and indirectly, having traversed the head of the user, by microphone 32, located at the earpiece. From these two received signals, a signature corresponding to the physiological topography of the bone and soft tissue of the user's head may be determined and the determination of identity data carried out as described above.

When generating the pre-stored signature or statistical model for an authorised subscriber, rather than the mobile station generating a series of test sound signals, as described above, the user is required to speak into the mobile station. Preferably, the user is required to recite a standard training passage of text of sufficient length and vocal variety to provide an accurate signature or model for the user.

Whilst preferred embodiments of the present invention using mobile stations of a mobile telecommunications network have been described above, it will be appreciated that the present invention has application to fixed or mobile telecommunications stations, for example telephone stations in networks such as the public switched telephone network (PSTN), fixed or mobile terminals or computing devices for access to private or public data networks, such as an intranet or the Internet, and in general to any electronic device where user authentication is needed, whether the device is capable of telecommunications or not. Furthermore, whilst it has been described that the physiological characteristics used for determining identity data are the topography of the inner ear and auditory canal, or the head of the user, it will be apparent that other physiological characteristics may be used, such as the topography of other parts of the body of the user or other physiological characteristics measurable using sound.


CLAIMS:

1. A method of determining identity data in respect of a user of an electronic device, the method comprising the steps of:
a) receiving an interacted sound signal resulting from an original sound signal interacting with a part of the body of the user,
b) deriving a signature from at least the interacted sound signal, the signature being representative of a physiological characteristic of the user, the physiological characteristic not being a characteristic of the voice or speech of the user,
c) determining the identity data in dependence on the signature.

2. A method according to claim 1, wherein the electronic device generates the original sound signal.

3. A method according to claim 2, wherein the original sound signal is undetectable or non-intrusive to the user.

4. A method according to claim 2 or 3, wherein the frequency range of the original sound signal is substantially within the human auditory frequency range.

5. A method according to any of claims 2 to 4, wherein the frequency range of the original sound signal is substantially outside the human auditory frequency range.

6. A method according to any of claims 2 to 5, wherein the original sound signal has a pre-selected characteristic, and the step of determining the identity data in dependence on the signature is dependent on the pre-selected characteristic.

7. A method according to claim 6, wherein, in a first determination of identity data, the original sound signal has a first pre-selected characteristic and in a second determination of identity data, the original sound signal has a second pre-selected characteristic different to the first pre-selected characteristic.

8. A method according to claim 6 or 7, wherein the pre-selected characteristic is selected on a random or pseudo-random basis.

9. A method according to any of claims 6 to 8, wherein the pre-selected characteristic is selected by a process performed externally to the electronic device.

10. A method according to any of claims 6 to 9, wherein the pre-selected characteristic is selected in dependence on an identity or characteristic of an authorised user of the electronic device.

11. A method according to any of claims 6 to 10, wherein the pre-selected characteristic is selected in dependence on an identity or characteristic of an authorised user of a service accessible via the electronic device.

12. A method according to any of claims 6 to 11, wherein the pre-selected characteristic is selected in dependence on the identity or characteristic of a provider of a service accessible via the electronic device.

13. A method according to claim 1, comprising the step of:
aa) receiving the original sound signal;
wherein the original sound signal is produced by the user and the signature is derived from the interacted and original sound signals.

14. A method according to claim 13, wherein the original sound signal is the voice or speech of the user.

15. A method according to any preceding claim, wherein the electronic device is capable of telephony and comprises an earpiece for generating sound signals and a mouthpiece for receiving sound signals.


16. A method according to claim 15, wherein the interacted sound signal is received at the earpiece.

17. A method according to claim 15, wherein the interacted sound signal is received at the mouthpiece.

18. A method according to any of claims 15 to 17, when dependent on any of claims 2 to 12, wherein the original sound signal is generated at the earpiece.

19. A method according to any of claims 15 to 17, when dependent on any of claims 2 to 12, wherein the original sound signal is generated at the mouthpiece.

20. A method according to any preceding claim, wherein the physiological characteristic relates to the physiology of the head of the user.

21. A method according to claim 20, wherein the physiological characteristic relates to the physiology of the auditory apparatus of the user.

22. Apparatus for performing the method of any preceding claim.

23. A computer program or computer programs for performing the method of any of claims 1 to 21.

24. A telecommunications network comprising an electronic device connectable over a telecommunications link to one or more network nodes, the telecommunications network being arranged to perform the method of any of claims 1 to 21.

25. A telecommunications network according to claim 24, wherein the electronic device performs step a) and the one or more nodes perform steps b) and c).

26. A telephony device arranged to perform the method of any of claims 15 to 21.

27. A mobile station of mobile communications network arranged to perform the method of any of claims 15 to 21.

28. A telecommunications network comprising a telephony device and one or more network nodes, the telecommunications network being arranged to perform the method of any of claims 15 to 21 wherein the telephony device performs step a) and the one or more nodes perform steps b) and c).

29. A telephony device arranged to process sound signals for use in determining identity data in respect of a user, the telephony device comprising audio signal coding/decoding apparatus arranged to use a first data coding format for coding or decoding the voice or speech of a user and a second different data coding format for coding or decoding sound signals for use in determining identity data of a user.

30. A telephony device comprising a locally accessible data store, the data store storing data representing one or more original sound signals, the telephony device being controllable by a remote device to generate an original sound signal using data stored in the data store and to receive an interacted sound signal resulting from the original sound signal interacting with a part of the body of a user for use in determining identity data in respect of the user.

31. A telephony device comprising a loudspeaker for generating an original sound signal and a microphone for receiving an interacted sound signal resulting from an original sound signal having interacted with a part of the body of a user of the telephony device, the telephony device being arranged so that, when in normal operation by a user, the loudspeaker and microphone are located adjacent to an ear of the user.

32. An earpiece or headpiece for use with a telephony device, the earpiece or headpiece comprising a loudspeaker for generating an original sound signal and a microphone for receiving an interacted sound signal resulting from an original sound signal having interacted with a part of the body of a user of the telephony device, the earpiece or headpiece being arranged so that, when in normal operation by a user, the loudspeaker and microphone are located adjacent to an ear of the user.

33. A method of determining identity data in respect of a user of an electronic device, the method comprising:
a) receiving a sound signal resulting from an original sound signal having interacted with a part of the body of the user;
b) determining the identity data in dependence on a characteristic derived from the received interacted sound signal.

34. Apparatus substantially as hereinbefore described with reference to Figures 1 or 2.

ABSTRACT:

According to the present invention there is provided a method of, apparatus for, and computer programs for determining identity data in respect of a user of an electronic device, the method comprising the steps of:
a) receiving an interacted sound signal resulting from an original sound signal interacting with a part of the body of the user;
b) deriving a signature from at least the interacted sound signal, the signature being representative of a physiological characteristic of the user, the physiological characteristic not being a characteristic of the voice or speech of the user,
c) determining the identity data in dependence on the signature.

[Patent drawing sheets 1/5 to 5/5, including FIG. 1 and FIG. 2; images not reproduced.]

Appendix I: Patent Material

13 US Patent Application - no. 10/476,588

Copy of US Patent Assignment: "Determining Identity Data for a User"

ASSIGNMENT

WHEREAS, we, Philip M. Rodwell, a citizen of Great Britain with an address at 17 Lower Fairfield, St Germans, Cornwall PL12 5NH, Great Britain, and Paul Reynolds, a citizen of Great Britain with an address of St. James Court, Great Park Road, Almondsbury Park, Bradley Stoke, Bristol BS12 4QJ, Great Britain, ASSIGNORS, are the inventors of the invention in DETERMINING IDENTITY DATA FOR A USER, for which we have executed an application for a Patent of the United States, which was filed in the United States on October 31, 2003 as application no. 10/476,588.

WHEREAS, ORANGE PERSONAL COMMUNICATIONS SERVICES LIMITED, a British company having a place of business at St James Court, Great Park Road, Almondsbury Park, Bradley Stoke, Bristol BS12 4QJ, Great Britain, ASSIGNEE, is desirous of obtaining our entire right, title and interest in, to and under the said invention and the said application:

NOW, THEREFORE, in consideration of the sum of One Dollar ($1.00) to us in hand paid, and other good and valuable consideration, the receipt of which is hereby acknowledged, we, the said ASSIGNORS, have sold, assigned, transferred and set over, and by these presents do hereby sell, assign, transfer and set over, unto the said ASSIGNEE, its successors, legal representatives and assigns, the entire right, title and interest in, to and under the said invention, and the said United States application and all divisions, renewals and continuations thereof, and all Patents of the United States which may be granted thereon and all reissues and extensions thereof;

AND WE HEREBY authorize and request the Commissioner of Patents and Trademarks of the United States, to issue the same to the said ASSIGNEE, its successors, legal representatives and assigns, in accordance with the terms of this instrument;

AND WE HEREBY covenant and agree that we have full right to convey the entire interest herein assigned, and that we have not executed, and will not execute, any agreement in conflict herewith;

AND WE HEREBY further covenant and agree that we will communicate to the said ASSIGNEE, its successors, legal representatives and assigns, any facts known to us respecting said invention, and testify in any legal proceeding, sign all lawful papers, execute all divisional, continuing, and reissue applications, make all rightful oaths, and generally do everything possible to aid the said ASSIGNEE, its successors, legal representatives and assigns, to obtain and enforce proper protection for said invention.

IN WITNESS WHEREOF, the undersigned inventors have affixed their signatures.

26 MAY 2004

Date    Philip M. Rodwell

On this 26 day of MAY 2004, before me appeared Philip M. Rodwell, to me known and known to me to be the person of that name, who signed and sealed the foregoing instrument, and acknowledged the same to be his free act and deed.

Date    Witness

Docket No. 59015-00601    1 of 2

Paul Reynolds

On this .day of; known and known to me to be the person of that name, who signed and sealed the foregoing instrument, and acknowledged the same to be his free act and deed.

Date    Witness

Docket No. 59015-00601    2 of 2

Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE

COMBINED DECLARATION (37 CFR 1.63) AND POWER OF ATTORNEY FOR UTILITY OR DESIGN PATENT APPLICATION

Attorney Docket Number: 59015-00601

First Named Inventor: Philip M. Rodwell

COMPLETE IF KNOWN

Application Number:

Filing Date: October 31, 2003

Group Art Unit: Unknown

Examiner Name: Unknown

[ ] Declaration Submitted with Initial Filing OR [X] Declaration Submitted after Initial Filing

As a below named inventor, I hereby declare that:

My residence, mailing address, and citizenship are as stated below next to my name.

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on the invention entitled:

DETERMINING IDENTITY DATA FOR A USER
(Title of the Invention)

the specification of which

[ ] is attached hereto

OR

[X] was filed on 03 May 2002 as United States Application Number or PCT International Application Number PCT/GB02/02074 and was amended on (MM/DD/YYYY) (if applicable).

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment specifically referred to above.

I acknowledge the duty to disclose information which is material to patentability as defined in Title 37 Code of Federal Regulations, § 1.56.

I hereby claim foreign priority benefits under Title 35, United States Code § 119 (a)-(d) or § 365(b) of any foreign application(s) for patent or inventor's certificate, or § 365(a) of any PCT international application which designated at least one country other than the United States of America, listed below and have also identified below, by checking the box, any foreign application for patent or inventor's certificate, or of any PCT international application having a filing date before that of the application on which priority is claimed.

Prior Foreign Application Number(s): 011093U
Country: Great Britain
Foreign Filing Date (MM/DD/YYYY): 05/03/2001
Priority Not Claimed: [ ]
Certified Copy Attached? YES [ ] NO [X]

[ ] Additional foreign application numbers are listed on a supplemental priority sheet attached hereto

[Page 1 of 3]

DECLARATION

Page 2

I hereby claim the benefit under Title 35, United States Code § 119(e) of any United States provisional application(s) listed below.

Application Number(s)    Filing Date (MM/DD/YYYY)

[ ] Additional provisional application numbers are listed on a supplemental sheet attached hereto.

I hereby claim the benefit under Title 35, United States Code § 120 of any United States application(s), or § 365(c) of any PCT international application designating the United States of America, listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United States or PCT international application in the manner provided by the first paragraph of Title 35, United States Code § 112, I acknowledge the duty to disclose information which is material to patentability as defined in Title 37, Code of Federal Regulations § 1.56 which became available between the filing date of the prior application and the national or PCT international filing date of this application.

U.S. Parent Application Number    PCT Parent Number    Parent Filing Date (MM/DD/YYYY)    Parent Patent Number (if applicable)

[ ] Additional U.S. or PCT international application numbers are listed on a

As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and to transact all business in the Patent and Trademark Office connected therewith:

Name    Registration Number
David R. Yohannon    37,480
John N. Coulby    43,565
Seth A. Watkins    47,169
Christopher M. Tobin    40^90
Mark W. Rygiel    45,371
Gregory M. Murphy    52,494

[ ] Additional attorney(s) and/or agent(s) named on a supplemental sheet attached hereto.

Please direct all correspondence to:

Christopher M. Tobin
Collier Shannon Scott, PLLC
3050 K Street NW, Suite 400
Washington, D.C. 20007 U.S.A.
Telephone: (202) 342-8508
Fax: (202) 342-8451

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.

Name of Sole or First Inventor:    [ ] A petition has been filed for this unsigned inventor

Given Name: Philip
Middle Initial: M.
Family Name: Rodwell
Suffix:
Inventor's Signature:
Date: 26 MAY 2004
Residence: Cornwall
Country: Great Britain
Citizenship: Great Britain
Mailing Address: 17 Lower Fairfield
Mailing Address: St Germans
Cornwall PL12 5NH
Country: Great Britain

[X] Additional inventors are being named on supplemental sheet(s) attached hereto

[Page 2 of 3]

DECLARATION

ADDITIONAL INVENTOR(S) Supplemental Sheet

Name of Additional Joint Inventor, if any:    [ ] A petition has been filed for this unsigned inventor

Given Name: Paul
Middle Initial:
Family Name: Reynolds
Suffix:
Inventor's Signature:
Date:
Residence: City: Bristol
Country: Great Britain
Citizenship: Great Britain
Mailing Address: St. James Court, Great Park Road
Mailing Address: Almondsbury Park, Bradley Stoke
City: Bristol    Zip: BS12 4QJ

[ ] Additional inventors are being named on supplemental sheet(s) attached hereto

[Page 3 of 3]

Notes


Table A-4: Thesis Statistics

Chapter: Abstract; Chapter 1; Chapter 2; Chapter 3; Chapter 4; Chapter 5; Chapter 6; Chapter 7; Chapter 8
Pages: 1; 30; 46; 40; 7; 10; 36; 20; 41
Words: 397; 2575; 8335; 4474; 9599; 6905; 6791; 6837; 2143
Figures: n/a; 1; 9; 13; 13; 12; 47; 32; 0
Tables: n/a; 0; 3; 1; 0; 2; 0; 5; 1

Total (Core): 231 pages; 48056 words; 127 figures; 12 tables
Total (Thesis): 437 pages; 80034 words; 131 figures; 15 tables

Table A-5: Development System

Hardware: Description
Processor: AMD Athlon XP2400+ (2000MHz)
Memory: 1GB Corsair TwinX 3200C2PT (133)
Harddisk: Hitachi 250Gb, WD 200GB; 7200rpm
Graphics card: Asus A9600 (ATI core)
Soundcard: Creative Audigy2
Monitor: Sony CPD-4201G (19")
Printer: Epson Stylus Photo 950
Mouse: Logitech MX1000 (laser)
