Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Using trusted computing for privacy preserving keystroke-based authentication in smartphones


Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naïve username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device—such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.

This is a preview of subscription content, log in to check access.


  1. 1.

    Card, S., Moran, T., & Newell, A. (1987). Computer text-editing: An information-processing analysis of a routine cognitive skill. San Francisco: Morgan Kaufmann.

  2. 2.

    Joyce, R., & Gupta, G. (1990). Identity authentication based on keystroke latencies. Communications of the ACM, 33(2), 168–176.

  3. 3.

    Clarke, N., & Furnell, S. (2007). Authenticating mobile phone users using keystroke analysis. International Journal of Information Security, 6(1), 1–14.

  4. 4.

    Karatzouni, S., & Clarke, N. (2007). Keystroke analysis for thumb-based keyboards on mobile devices. International Federation for Information Processing Publications IFIP, 232, 253.

  5. 5.

    Zahid, S., Shahzad, M., Khayam, S., & Farooq, M. (2009). Keystroke-based user identification on smart phones. In 12th international symposium on recent advances in intrusion detection (RAID).

  6. 6.

    Cubrilovic, N. (2009). The anatomy of the twitter attack. Available at: http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/.

  7. 7.

    Kennedy, J., & Eberhart, R. (1995). Particle swarm optimization. In IEEE international conference on neural networks, Proceedings (Vol. 4).

  8. 8.

    Goldberg, D. (1989). Genetic algorithms in search, optimization and machine learning. Boston: Addison-Wesley.

  9. 9.

    AdMob Mobile Metrics (2010). January 2010 mobile metrics report available at: http://metrics.admob.com/wp-content/uploads/2010/02/AdMob-Mobile-Metrics-Jan-10.pdf. Accessed on 10 May 2010.

  10. 10.

    Freier, A., Karlton, P., & Kocher, P. (1996). Secure socket layer 3.0. IETF draft, November.

  11. 11.

    Internet2: Shibboleth: A project of Internet2 middleware initiative (2010). Available at: http://shibboleth.internet2.edu/.

  12. 12.

    TCG (2004). TCG specification architecture overview v1.2 (pp. 11–12). Technical report, Trusted Computing Group, April 2004.

  13. 13.

    TCG (2010). Trusted Computing Group. http://www.trustedcomputinggroup.org/.

  14. 14.

    Pearson, S. (2002). Trusted computing platforms: TCPA technology in context. Upper Saddle River: Prentice Hall.

  15. 15.

    Challener, D., Yoder, K., Catherman, R., Safford, D., & Van Doorn, L. (2008). A practical guide to trusted computing.

  16. 16.

    Sailer, R., Zhang, X., Jaeger, T., & van Doorn, L. (2004). Design and implementation of a TCG-based integrity measurement architecture. In SSYM’04: Proceedings of the 13th conference on USENIX security symposium.

  17. 17.

    Shacham, H. (2007). The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on computer and communications security (CCS’08) (pp. 552–561). New York: ACM.

  18. 18.

    Buchanan, E., Roemer, R., Shacham, H., & Savage, S. (2008). When good instructions go bad: generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM conference on computer and communications security (CCS’08) (pp. 27–38). New York: ACM.

  19. 19.

    Sadeghi, A. R., & Stüble, C. (2004). Property-based attestation for computing platforms: caring about properties, not mechanisms. In NSPW ’04: Proceedings of the 2004 workshop on new security paradigms (pp. 67–77). New York: ACM.

  20. 20.

    Lyle, J. (2009). Trustable remote verification of web services. In Trusted computing: second international conference on trusted computing, trust 2009, Proceedings, Oxford, UK, April 6–8, 2009 (p. 153). London: Springer.

  21. 21.

    Nauman, M., Alam, M., Ali, T., & Zhang, X. (2009). Remote attestation of attribute updates and information flows in a UCON system. In Trust’09: proceedings of the second international conference on technical and socio-economic aspects of trusted computing (pp. 63–80). Berlin: Springer.

  22. 22.

    Mobile Phone Work Group. Mobile trusted module overview document: http://www.trustedcomputinggroup.org/resources/mobile_phone_work_group_mobile_trusted_module_overview_document.

  23. 23.

    IAIK (2010). About IAIK/OpenTC PrivacyCA. Available at: http://trustedjava.sourceforge.net/index.php?item=pca/about.

  24. 24.

    Google (2009). Android—an open handset alliance project. http://code.google.com/android/.

  25. 25.

    Google (2010). Android reference: Application fundamentals—components. Available at: http://developer.android.com/guide/topics/fundamentals.html.

  26. 26.

    Ekberg, J. E., & Bugiel, S. (2009). Trust in a small package: minimized MRTM software implementation for mobile secure environments. In STC ’09: Proceedings of the 2009 ACM workshop on scalable trusted computing (pp. 9–18). New York: ACM.

  27. 27.

    NSA (2010). Security-Enhanced Linux (SELinux). Available at: http://www.nsa.gov/selinux/.

  28. 28.

    Wright, C., Cowan, C., Morris, J., Smalley, S., & Kroah-Hartman, G. (2002). Linux security module framework. In Ottawa Linux symposium, Citeseer.

  29. 29.

    Google (2010). Android PathClassLoader. Available at: http://developer.android.com/reference/dalvik/system/PathClassLoader.html. Accessed on 10 May 2010.

  30. 30.

    Bouncy Castle (2010). The Bouncy Castle Crypto APIs for Java. Available at: http://www.bouncycastle.org/.

  31. 31.

    Nauman, M., Khan, S., & Zhang, X. (2010). Beyond kernel-level integrity measurement: enabling remote attestation for the android platform. In Trust’10: proceedings of the third international conference on trust and trustworthy computing. Berlin: Springer.

  32. 32.

    The WebKit Open Source Project. Available at: http://www.webkit.org.

  33. 33.

    Google (2009). Android market. Available at: http://www.android.com/market.html.

  34. 34.

    Gu, L., Ding, X., Deng, R., Xie, B., & Mei, H. (2008). Remote attestation on program execution. In STC ’08: proceedings of the 2008 ACM workshop on scalable trusted computing. New York: ACM.

  35. 35.

    Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., & Witten, I. (2009). The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter, 11(1), 10–18.

  36. 36.

    Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber, D., Webster, S., Wyschogrod, D., Cunningham, R., et al. (2000). Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. In DARPA information survivability conference and exposition, 2000. DISCEX’00. Proceedings (Vol. 2).

Download references

Author information

Correspondence to Tamleek Ali.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Nauman, M., Ali, T. & Rauf, A. Using trusted computing for privacy preserving keystroke-based authentication in smartphones. Telecommun Syst 52, 2149–2161 (2013). https://doi.org/10.1007/s11235-011-9538-9

Download citation


  • Authentication
  • Smartphones
  • Android
  • Trusted computing
  • Remote attestation