Project Overview
Nader Mehdizadeh
Ognjen Petrovic
A Biometrics Security Research and Proposal
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
1. The cell phone you can’t live with, and can’t live
without!
To store a phone number, one is forced to use the 10-button numeric keypad to simulate a 36
or more button alphanumeric keyboard. Calendaring, To Do lists, and even reminder features
available on most cell phones, out of necessity have given birth to $25 micro keyboard
gadgets to facilitate data entry.
Furthermore, despite availability of a number of incompatible technologies such as SIM
CARDS, information stored on cell phones remains volatile and in most cases impossible to
recover in case of serious damage or loss.
PDAs partially solved the data entry and data safety problems through a companion desktop
application. Although these data management desktop application (e.g. Palm desktop)
accelerated the popularity of PDAs to become highly used PIMs, they came at a price: they
require proximity to the PC where the desktop application and the actual information reside.
Worse yet, even smart phones with PALM OS, ironically require a cradle to the PC where the
desktop application runs! Microsoft Pocket PC based devices are similarly designed.
General trend among users shows that they highly value cell phones and PDAs as long as the
user interface is not too cumbersome. Having your phone book, calendar, and notes on your
cell phone or PDA is useful for business and every day life. The information is secure as long
as you do not lose the device. To secure the information the user protects the device from
theft and other such occurrences.
This personal information is stored in a digital form on the cell phone or PDA. The information
stored often exceeds the value of the device. For example, is the value of your personal data
on your credit card more valuable than the card itself? Or is your PDA more valuable then the
passwords and files you store on it? Even cell phones have phone book information that you
want to keep but you do not want to share with others.
In all the examples above the valuable information is embedded in the device it self. Losing
the device means the information is at least temporarily unavailable. Generally, it is hard to
transact information between devices. These restrictions limit your ability to have the most
use of your valuable information.
Imagine now that you can transact information from your phone or handheld PDA painlessly,
and securely from one device to another. You can keep your settings, calendars, phone books,
and also more sophisticated items like private medical records, and credit card information.
In other words, you are becoming the master of your information.
Two options are available for depositing your information. In the first scenario, data is
located on a remote server accessible via Internet or dial in line. Whenever the user needs
the data, the date comes from the remote server. The second possibility is to have the data
COEN 150
Page 2
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
stored on the device. Whenever the user needs the data, the data will come from the device.
A combination of the two approaches is possible as well.
Technical solutions for both scenarios exist today. Remote servers are available through the
Internet while short-range wireless telecommunication (Bluetooth for example) is getting
cheaper and cheaper. The main problem is how to make transactions and access to cell phone
or PDA (turned now more into a digital wallet) secure since the user is not the only one who
touches the information available through his handheld.
A device that retrieves sensitive information from a remote server causes security problems
non-existent on stand-alone devices. Users are often uncomfortable with the fact that their
information is stored ‘out there’ – somewhere outside of their private storage area. Users
notoriously have a hard time authenticating themselves in the field, outside of their homes
and offices. In both cases the problem is the cumbersome way data is inputted into the
handheld devices .The good news is: authentication problems can be solved using biometrics
[1].
With third generation of wireless services and devices already here, wireless appliances will
be even in greater use, however, the techniques for getting information into them remain as
crude or as distant.
In a survey, of 10000-cell phone users were asked a number of realistic questions in realistic
situations such as:



















Do you ever surf the web on your 1sq/inch cell phone screen except for WAP portals?
How quickly and how easily do you save someone’s phone, first and last names, and a
descriptive comment about that person, on your cell phone today?
Do you use the calendar feature of your cell phone? Why not?
Do you use the Alarm feature of your cell phone? Why not?
If you lost the phone can you prevent people from using it?
Do you use the Reminder feature of your cell phone? Why not?
What if you lost your cell phone today?
What if you broke it, and there was no SIM card in that phone?
How did you save your numbers on your cell phone in the first place?
What’s preventing you to upgrade your cell phone today?
Can you synchronize anything (e.g. cell, PDA, etc.) with your online PC, wirelessly?
Does your PDA have same information as your cell phone?
Is your PDA password protected?
Do your PDA and cell phone have the same information as your home phone?
Do you have the same phone-list, everywhere?
Do you play games on your cell phone? For how long? Why not longer?
How easy is it to send SMS from your cell phone? How about sending Email?
Other than calendar, To Do list, notes, and Phone List, what other features of your
loaded PDA do you use? Image viewing? Mp3? Voice recording? How did you get the
information into your PDA?
How often do you load new applications on your handheld, if at all?
COEN 150
Page 3
Bio Security





















Nader Mehdizadeh
Ognjen Petrovic
Do you know of any publicly traded company that develops software for PDA’s?
How similar is your PDA (e.g. Pocket pc/windows CE) to your laptop?
Is your PDA already out of date, out of style?
Did your PDA cost as much as a PC?
Did you have enough battery life to use your PDA like you use your PC/Laptop?
Do you still use a cradle to synchronize your wireless PDA?
How many cradles do you own? One at home, one office, more?
What makes apple’s iPOD such a success?
Do you surf the web on your PDA?
Does your PDA contain sensitive personal or business information?
Do you want to make all information from the PDA sharable?
How often do you play games on your PDA? How long?
Do you know of a publicly traded PDA game developer?
Will you buy a mobile PDA appliance?
Do you own one of these collapse-able keyboards?
Do you have a disk attachment for your PDA?
Do you use yahoo! Calendar? MSN Calendar? ATTBI Calendar? Why not?
How easy was it to add your schedule to yahoo? MSN?
Do you feel overwhelmed when you go to one of these Internet service sites?
Do you trust your data with any portal?
Do you think that someone is recording your phone calls?
An overwhelming number of users admitted that they used their highly sophisticated cell
phones primarily for calling, with younger crowd also favoring SMS, and with all the
technology packed in their cell phones, they mostly used only the address book.
Despite a number of concept phones and handhelds from Nokia and Siemens that are a lot
more slick, more compact, and more powerful information and communication appliances than
any of their predecessors, they remain as crude input devices, if not worse, as their current
and former generations.
It is apparent that these appliances are a great diversion from the powerful and PC-like
handhelds or cell-phones of today. As these images point out, the future is in readily
available, easy to use, limited functionality, simple to synchronize, inexpensive and even
disposable appliances!
By inspecting these devices it is also apparent that it is practically impossible to store a new
number, using most of these devices: With the glove, for instance, your hand is already tied
up. Crudeness in data input also hinders security. Typing a password each time you use a cell
phone is not a good idea. Normal users find password typing an overkill and too long.
The future is in a desktop that makes information management for the current and future
generation of these appliances possible. We see the birth of a new generation of even
simpler, easier to use, and substantially less expensive appliances such as a simple Calendar
Appliance, or a Notes Appliance that is primarily used to look up information, and, is loaded
using a powerful desktop, accessible anywhere.
COEN 150
Page 4
Bio Security
COEN 150
Nader Mehdizadeh
Ognjen Petrovic
Page 5
Bio Security
COEN 150
Nader Mehdizadeh
Ognjen Petrovic
Page 6
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
We have seen the trends for web top productivity services that will enable information
consistency and synchronization at Home, office, on wireless telephones, handheld, and
beyond. Such services are for simple, ubiquitous, and secure management of
personal/professional information:

At the airport, as soon as your boarding pass is scanned through the card reader, your
cell phone is automatically sent a turn-off signal. Your seat-phone is then automatically
instructed to receive all your calls, as you configured your wireless options from your
desktop. The seat-phone now has your phonebook, already loaded, and even remembers
your call history from your personal cell phone, including the last number dialed.
When you land and proceed to exit the plane, the seat phone is
completely reset, erasing the local copy of your phone list, including the
dialed numbers, etc. A copy of your phonebook was never saved.

The moment you insert the key to get into your rental car, the seat, the mirror, the
temperature, and the internet radio onboard the car, are automatically set to your
favorite settings, all downloaded from your personal profile, privately and securely
maintained online, only accessible by you. The car cell phone is set similarly.
The personal information arrived on none of the devices will persist
when the ignition is turned off.

As soon as you acquire a new cell phone to replace your outdated, broken, or lost cell
phone, you’ll be able to download your phone book, calendar, to do list, phone history, even
the clock and alarm setting to your new phone – No information will be lost.
There are several different secure connections/logins to PANera
servers. From the web, a login and a password will be entered and
checked against the database over SSL.
From a cell phone, identification is established by calling a number, and
entering the appropriate pin# and password.
From micro appliances with limited input, the identification is
established on the server side. In other words the owner will be
required to access the server using either a phone or via Internet to
identify the new appliance as the legitimate recipient of soon to be
downloaded Personal Information … in case of the airline seat, it will be
the ticket number and the seat phone serial number for instance.
COEN 150
Page 7
Bio Security
Nader Mehdizadeh
Ognjen Petrovic

You always have access to your personal information, as long as you are online, or have
access to another cell phone, or a wireless PDA. Identify your information appliance, and
after authentication and proper identification, your required information will be securely
downloaded to that appliance, effortlessly. You may lose a phone, never lose or even
compromise information!

Retrieve, play, and store your cell phone voice mail in your favorite mail client application
(e.g. Outlook, Outlook Express, Eudora, etc.) and on your own computer.

Send SMS from your computer, using a full keyboard.

Start using the calendar feature of your cell phone!

When your appointment changes, and the correct information enter your online calendar,
you are notified, immediately: The information is downloaded to your cell phone and you
get a warning.

If you lose your phone Mr. Phelps, we can immediately destroy all the information on it,
remotely by removing it from the online list of legitimate devices. If found, we add it
back on the list. PANera is the cache-N-Go service. A stolen cell phone, other than a
physical loss, will be no compromise on security, confidentiality, or even information.
When your wireless appliance is turned on, it communicates with the
PANera server, and requests for information download. A calendar
micro-appliance, asks for calendar information. A cell phone, will ask for
phonebook and other information that is supported on the specific
phone. As soon as the phone is turned off, all the information except
for the access login and password will be lost. Once De-listed from the
server, the appliance will be unable to inquire information from the
server any more. We offer a self-destruct command, to purge
information on the target appliance, sent to a device if that device is
de-listed from the server – A device may be removed from the list of
legitimate devices as simply as it was added.
The alternative approach does not use a remote storage server. Why don’t we
often see remote data and information storage for cell phones and PDAs?
Wide Area Networks are readily available, at home, work, even coffee shops,
and airports. Users do not like to have their information stored in unknown
places. There are three concerns for the users. First, the most important
problem is information availability. For instance, it is hard to guarantee access
to all the data all the time. The Internet is unstable due to network
congestions, hardware maintenance, and network attacks reasons. The second
COEN 150
Page 8
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
problem is network confidentiality. The users need high degree of assurance
that somebody will not peek into their cell phone book. Even worse somebody
might succeed changing personal data. This is third, integrity problem.
The solution to users’ desire to keep their private value close by is to store
information in the handheld device itself. The device can self replicate or
transfer portion of valid data to another device. To protect themselves, users
will authenticate and sign all transactions via biometrics [2]. Later we go into
detail about airlines supporting cell phone use during flights. Frequent cell
phone use during flight is dangerous for airplanes. As you will see the user can
transfer the handheld device features to a device more appropriate in the
plane environment.

Your cell phone is your Credit Card, literally. AT&T and Sprint offer credit cards today.
Let’s take it to the next level! Carriers will offer such services not to lose customers to
the competitors.
With cell phones being such an everyday used tool, providers and
manufactures need to offer a service that enables your phone (number)
be transferred over in times when you cannot use your phone, like on an
airplane. With complex navigation and communication devices on
airplanes, cell phones are banned are required to be shut off once you
get on the plane. However, most of us, especially those on business
travel, cannot last minutes let alone hours on end on a plane without our
phones. A service must be developed so that once you slide through
your boarding pass through the machine, and walk towards your
departing aircraft, your cell phone is deactivated but your phone book,
last call log are awaiting you on the phone of your assigned seat. Your
phone number will be forwarded to your seat’s phone and so you are
connected during your flight! Once you deplane the process reverses
itself, your seat’s phone is deactivated, your cell phone is reactivated
with the call log from your flight on it, and an updated phone book (if
you added any new numbers during the flight). This service is simple
and quite useful, however, security is needed, biometric security.
COEN 150
Page 9
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
2. The bottom line
From the introduction above, if some of the technology and services are not already here and
available, they are around the corner and will be here, and widespread soon!
Aside from facilitating communication and improving availability, they promote bandwidth
consumption, which carriers seek.
None of the scenarios described above are far-fetched science fiction fantasies that we
hope to accomplish – They are here, but similar to tap water transformation from private
wells, the information needs to be trusted at information reserves, like water reserves, and
made available as needed.
The information will be stored at one or many central information repositories, which then
gets downloaded, in the proper format, to the appropriate and authorized appliance when
needed.
For instance, in the Airplane example above, the card reader at the airport that scans the
boarding passes sends the “Disable” signal to the passenger cell phone. The cell phone in
return, transmits call records and the address book, if more current than what is at the
center, to this central “Trusted” repository, which then is downloaded to the seat phone as
soon as the plane takes off or as soon as the right “Appliance”, authorized to have that
information, submits a security code or a finger print pattern, etc.
In order for the information to be transferred from the appliances, or transferred to an
appliance, a great deal of security and authorization needs to take place, not to mention the
transmission itself which will have to be encrypted.
Further more, such security also requires a great deal of cooperation between the appliance
(e.g. cell phone), the central information repository (data store), and service providers such
as the airplane, the bank, the credit company, and others involved.
The necessary security and process to protecting yourself from intruders accessing your cell
phone…
Having your cell phone be transferred to your airplane requires the
cooperation between the cell phone manufactures, cellular
providers/carriers, and storage companies. To make your phone secure
and thus guarantee only you are using it, phone manufactures, for both
on the plane and your personal cell phone need to integrate a thermal
fingerprint biometric security feature [3]. Locally using the phone’s
camera (which now-a-days many phones have), the picture it takes of
your finger will also be a thermal scan to make sure it is a live human
finger and not a mold, the picture will then be compared to the one on
COEN 150
Page 10
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
file to verify it is an authentic user [4]. Finally, once the biometric
security phase is complete, a numeric 4-10 digit password will also be
required, allowing users to quickly lock/unlock their phone when they
need to move around the plane or are away from their cell phone for a
short time. The process having these features on cell phones and the
phones on airplanes will roughly take 6 man months for hardware
development, which equals $1/phone sold, the new camera will cost
manufactures $1.50/phone sold, and the manufacturing process with
testing will cost $1/phone sold. This totals an extra $3.50-$5 extra
that the manufactures of cell phones will have to charge for the new
phone. Cellular carriers need to incorporate this feature in users
cellular plans/airtime and this would use GPS satellite communication
when on the aircraft, which is $2/min + the one time charge of having
your phone book and call logs transferred of $5-$7. A storage
company in needed, they are responsible of transferring your phone
book, call logs, and verifies your fingerprint with password [5]. They
get $2-$3 that users are paying their cell provider for the transfer.
Finally, airport gates need to be equipped with necessary device to
enable the deactivation/reactivation of your cell phone to your plane’s
phone. This will cost airports anywhere from $1million-$100 million,
depending on its size. Airports can make up for this cost by having the
users be charged a 2% tax on only their calls while on the aircraft. If
a person uses their aircraft phone for 30 minutes, it would cost them:
30*$2/min cost + $5 transfer fee, which equals $65. Airports would
get 2% of $65, which is $1.30, and if say 100 people on just one flight
used their phone for 30mins, airports would get $130 from just one
plane! The cost of installing the equipment will quickly make up for
itself.
We live in a world now where we must stay connected at all times, but
we must connected securely. Our approach with using a thermal finger
snap shot, a 4-10 digit password will make our approach to having your
phone number, phone book, and call logs be transferred to your
airplane’s seat and back to your cell phone secure from unwanted users.
COEN 150
Page 11
Bio Security
Nader Mehdizadeh
Ognjen Petrovic
REFERENCES
[1] Simon Liu and Mark Silverman, “A Practical Guide to Biometric Security
Technology”, Institute of Electrical and Electronics Engineers, Inc, 2000.
Available:
http://www.computer.org/itpro/homepage/Jan_Feb/security3.htm?SMSESS
ION=NO
[2] Diane Frank,”Feds aim to make biometrics useful”, FCW Media Group,
March 2004, Available:
http://www.fcw.com/fcw/articles/2004/0308/tec-bio-03-08-04.asp
[3] “Why Biometrics Security? – The Fingerprint Reader”, Eyenetwatch.com.
Available:
http://www.eyenetwatch.com/biometric-security.htm
[4] Steven M. Walker ,“Biometric Selection: Body Online”, SANS, 2002.
Available:
http://www.sans.org/rr/papers/index.php?id=139
[5] Andrew Patrick, “Biometric Security Template Storage”, National
Research Council of Canada, January 2004. Available:
http://www.andrewpatrick.ca/biometrics/templates/template.shtml
COEN 150
Page 12