Security 2002 Paper
Pp. 283-296 of the Proceedings
Toward Speech-Generated Cryptographic Keys
Michael K. Reiter
Daniel P. Lopresti
Programmable mobile phones and personal digital assistants (PDAs) with
microphones permit voice-driven user interfaces in which a user
provides input by speaking. In this paper, we show how to exploit
this capability to generate cryptographic keys on such devices.
Specifically, we detail our implementation of a technique to generate
a repeatable cryptographic key on a PDA from a spoken passphrase.
Rather than deriving the cryptographic key from merely the passphrase
that was spoken--which would constitute little more than an exercise
in automatic speech recognition--we strive to generate a
substantially stronger cryptographic key with entropy drawn both from
the passphrase spoken and how the user speaks it. Moreover, the
cryptographic key is designed to resist cryptanalysis even by an
attacker who captures and reverse-engineers the device on which this
key is generated. We describe the major hurdles of achieving this on
an off-the-shelf PDA bearing a 206 MHz StrongARM CPU and an
inexpensive microphone. We also evaluate our approach using multiple
data sets, one recorded on the device itself, to clarify the
effectiveness of our implementation against various attackers.
This version differs slightly from the Proceedings of the USENIX Security Symposium, 2002.