Voice interactive personalized security (VoIPSEC) protocol: Fortify internet telephony by providing end-to-end security through inbound key exchange and biometric verification

Abstract

Secure end-to-end information exchange is a constant challenge in electronic communications. Novel security architectures and approaches are proposed constantly, to be followed by announcements of sophisticated attack methods that compromise them, while people suspect others, even more sophisticated attack methods never see the daylight. In the present work we propose a novel method for secure end-to-end communication based on biometric evidence to ensure security and integrity of the information exchanged. The traditional approach for securing the communication between two peers is through the use of secret key encryption combined with a public key approach for exchanging the common secret key to be used by the end peers. The public key part of the communication is based on a trusted authority for providing the public keys, a service provided through a Public Key Infrastructure (PKI). Public key infrastructures are vulnerable to man in the middle attacks, among other approaches that compromise their integrity. There has been a lot of work for providing robust PKI infrastructures, the proposed solutions are fairly demanding on network resources, hence public key solutions are not the security approach of choice in several applications that require light weight solutions. Here we propose an approach for providing secure end-to-end communications in environments where it is possible to have biometric based authentication, exploiting the nature of the application; voice communication being the typical example that we use as our paradigm for describing the method. During the establishment of the communication session, the end-peers exchange a challenge/signature token, the integrity of which is confirmed vocally when the voice communication initiates. The security of the method relies on the inability to mechanically impersonate an individual both because of the biometric user specific attributes of the human voice and video as well as the user customized profile of the exchanged information. The method is appropriate for ensuring the security of an encrypted phone conversation, guaranteeing the integrity of the session key exchanged in the beginning of the conversation. It requires minimal resources from the user handsets and no additional support from the network, so it is inherently scalable and readily deployable as it only needs an appropriately enhanced secure handset. ©2006 IEEE.