Telecommunication Systems

, Volume 52, Issue 4, pp 2149–2161 | Cite as

Using trusted computing for privacy preserving keystroke-based authentication in smartphones

  • Mohammad Nauman
  • Tamleek AliEmail author
  • Azhar Rauf


Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naïve username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device—such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.


Authentication Smartphones Android Trusted computing Remote attestation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Card, S., Moran, T., & Newell, A. (1987). Computer text-editing: An information-processing analysis of a routine cognitive skill. San Francisco: Morgan Kaufmann. Google Scholar
  2. 2.
    Joyce, R., & Gupta, G. (1990). Identity authentication based on keystroke latencies. Communications of the ACM, 33(2), 168–176. CrossRefGoogle Scholar
  3. 3.
    Clarke, N., & Furnell, S. (2007). Authenticating mobile phone users using keystroke analysis. International Journal of Information Security, 6(1), 1–14. CrossRefGoogle Scholar
  4. 4.
    Karatzouni, S., & Clarke, N. (2007). Keystroke analysis for thumb-based keyboards on mobile devices. International Federation for Information Processing Publications IFIP, 232, 253. CrossRefGoogle Scholar
  5. 5.
    Zahid, S., Shahzad, M., Khayam, S., & Farooq, M. (2009). Keystroke-based user identification on smart phones. In 12th international symposium on recent advances in intrusion detection (RAID). Google Scholar
  6. 6.
    Cubrilovic, N. (2009). The anatomy of the twitter attack. Available at:
  7. 7.
    Kennedy, J., & Eberhart, R. (1995). Particle swarm optimization. In IEEE international conference on neural networks, Proceedings (Vol. 4). Google Scholar
  8. 8.
    Goldberg, D. (1989). Genetic algorithms in search, optimization and machine learning. Boston: Addison-Wesley. Google Scholar
  9. 9.
    AdMob Mobile Metrics (2010). January 2010 mobile metrics report available at: Accessed on 10 May 2010.
  10. 10.
    Freier, A., Karlton, P., & Kocher, P. (1996). Secure socket layer 3.0. IETF draft, November. Google Scholar
  11. 11.
    Internet2: Shibboleth: A project of Internet2 middleware initiative (2010). Available at:
  12. 12.
    TCG (2004). TCG specification architecture overview v1.2 (pp. 11–12). Technical report, Trusted Computing Group, April 2004. Google Scholar
  13. 13.
    TCG (2010). Trusted Computing Group.
  14. 14.
    Pearson, S. (2002). Trusted computing platforms: TCPA technology in context. Upper Saddle River: Prentice Hall. Google Scholar
  15. 15.
    Challener, D., Yoder, K., Catherman, R., Safford, D., & Van Doorn, L. (2008). A practical guide to trusted computing. Google Scholar
  16. 16.
    Sailer, R., Zhang, X., Jaeger, T., & van Doorn, L. (2004). Design and implementation of a TCG-based integrity measurement architecture. In SSYM’04: Proceedings of the 13th conference on USENIX security symposium. Google Scholar
  17. 17.
    Shacham, H. (2007). The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on computer and communications security (CCS’08) (pp. 552–561). New York: ACM. CrossRefGoogle Scholar
  18. 18.
    Buchanan, E., Roemer, R., Shacham, H., & Savage, S. (2008). When good instructions go bad: generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM conference on computer and communications security (CCS’08) (pp. 27–38). New York: ACM. CrossRefGoogle Scholar
  19. 19.
    Sadeghi, A. R., & Stüble, C. (2004). Property-based attestation for computing platforms: caring about properties, not mechanisms. In NSPW ’04: Proceedings of the 2004 workshop on new security paradigms (pp. 67–77). New York: ACM. Google Scholar
  20. 20.
    Lyle, J. (2009). Trustable remote verification of web services. In Trusted computing: second international conference on trusted computing, trust 2009, Proceedings, Oxford, UK, April 6–8, 2009 (p. 153). London: Springer. Google Scholar
  21. 21.
    Nauman, M., Alam, M., Ali, T., & Zhang, X. (2009). Remote attestation of attribute updates and information flows in a UCON system. In Trust’09: proceedings of the second international conference on technical and socio-economic aspects of trusted computing (pp. 63–80). Berlin: Springer. Google Scholar
  22. 22.
  23. 23.
    IAIK (2010). About IAIK/OpenTC PrivacyCA. Available at:
  24. 24.
    Google (2009). Android—an open handset alliance project.
  25. 25.
    Google (2010). Android reference: Application fundamentals—components. Available at:
  26. 26.
    Ekberg, J. E., & Bugiel, S. (2009). Trust in a small package: minimized MRTM software implementation for mobile secure environments. In STC ’09: Proceedings of the 2009 ACM workshop on scalable trusted computing (pp. 9–18). New York: ACM. CrossRefGoogle Scholar
  27. 27.
    NSA (2010). Security-Enhanced Linux (SELinux). Available at:
  28. 28.
    Wright, C., Cowan, C., Morris, J., Smalley, S., & Kroah-Hartman, G. (2002). Linux security module framework. In Ottawa Linux symposium, Citeseer. Google Scholar
  29. 29.
    Google (2010). Android PathClassLoader. Available at: Accessed on 10 May 2010.
  30. 30.
    Bouncy Castle (2010). The Bouncy Castle Crypto APIs for Java. Available at:
  31. 31.
    Nauman, M., Khan, S., & Zhang, X. (2010). Beyond kernel-level integrity measurement: enabling remote attestation for the android platform. In Trust’10: proceedings of the third international conference on trust and trustworthy computing. Berlin: Springer. Google Scholar
  32. 32.
    The WebKit Open Source Project. Available at:
  33. 33.
    Google (2009). Android market. Available at:
  34. 34.
    Gu, L., Ding, X., Deng, R., Xie, B., & Mei, H. (2008). Remote attestation on program execution. In STC ’08: proceedings of the 2008 ACM workshop on scalable trusted computing. New York: ACM. Google Scholar
  35. 35.
    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., & Witten, I. (2009). The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter, 11(1), 10–18. CrossRefGoogle Scholar
  36. 36.
    Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber, D., Webster, S., Wyschogrod, D., Cunningham, R., et al. (2000). Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In DARPA information survivability conference and exposition, 2000. DISCEX’00. Proceedings (Vol. 2). Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  1. 1.Computer Science Research and Development UnitPeshawarPakistan
  2. 2.Institute of Management SciencesPeshawarPakistan
  3. 3.Department of Computer ScienceUniversity of PeshawarPeshawarPakistan

Personalised recommendations