EURASIP Journal on Advances in Signal Processing
Volume 2008 (2008), Article ID 529879, 16 pages
doi:10.1155/2008/529879

Copyright © 2008 Francis Minhthang Bui and Dimitrios Hatzinakos. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

As electronic communications become more prevalent, mobile and universal, the threats of data compromises also accordingly loom larger. In the context of a body sensor network (BSN), which permits pervasive monitoring of potentially sensitive medical data, security and privacy concerns are particularly important. It is a challenge to implement traditional security infrastructures in these types of lightweight networks since they are by design limited in both computational and communication resources. A key enabling technology for secure communications in BSN's has emerged to be biometrics. In this work, we present two complementary approaches which exploit physiological signals to address security issues: (1) a resource-efficient key management system for generating and distributing cryptographic keys to constituent sensors in a BSN; (2) a novel data scrambling method, based on interpolation and random sampling, that is envisioned as a potential alternative to conventional symmetric encryption algorithms for certain types of data. The former targets the resource constraints in BSN's, while the latter addresses the fuzzy variability of biometric signals, which has largely precluded the direct application of conventional encryption. Using electrocardiogram (ECG) signals as biometrics, the resulting computer simulations demonstrate the feasibility and efficacy of these methods for delivering secure communications in BSN's.

1. Introduction

Security is a prime concern of the modern society. From a local house-hold setting to a more global scope, ensuring a safe and secure environment is a critical goal in today's increasingly interconnected world. However, there are still outstanding obstacles that have prevented the realization of this objective in practical scenarios, despite many technological advances. Recently, body sensor networks (BSNs) have shown the potential to deliver promising security applications [1–3]. Representing a fast-growing convergence of technologies in medical instrumentation, wireless communications, and network security, these types of networks are composed of small sensors placed on various body locations. Among the numerous advantages, this BSN approach permits round-the-clock measurement and recording of various medical data, which are beneficial compared to less frequent visits to hospitals for checkup. Not only there is convenience for an individual, but also more data can be collected to subsequently aid reliable diagnoses. In other words, a BSN helps bridge the spatio-temporal limitations in pervasive medical monitoring [4, 5].

Aside from medical applications, analogous scenarios may be considered with a general network of wearable devices, including cell phones, headsets, handheld computers, and other multimedia devices. However, the incentive and urgency for inter-networking such multimedia devices may be less obvious and imminent (more on the convenience side), compared to those in medical scenarios (more on the necessity side).

The objectives of this work are to: (1) examine the various nascent BSN structures and associated challenges, (2) establish a flexible high-level model, encompassing these assumptions and characteristics, that is conducive to future research from a signal-processing perspective, (3) propose signal processing methods and protocols, in the context of a high-level model, that improve upon existing schemes for providing security in BSNs. More specifically, the last objective (3) is two-fold: (a) we construct a secure key distribution system that is shown to be more resource-efficient than the current scheme based on fuzzy commitment; (b) we propose and study a data scrambling method that has the potential to supplant conventional encryption, in securing certain types of data using biometrics [3].

The remainder of this paper is organized as follows. In Section 2, we provide a survey of the existing research on BSNs, highlighting the salient features and assumptions. This is followed by a high-level summary of our methodologies and objectives of research on BSNs in Section 3. Detailed descriptions are next given for a resource-efficient key management system, including key generation and distribution, in Section 4. Then, we present the INTRAS framework for data scrambling in Section 5. And, in order to evaluate the system performance, simulation results are summarized in Section 6. Lastly, concluding remarks for future directions are given in Section 7.

2. Literature Survey

2.1. BSN Structure and Assumptions

Even though BSN is a comparatively new technology, it has garnered tremendous interest and momentum from the research community. This phenomenon is easy to understand when one remarks that a BSN is essentially a sensor network, or to a broader extent an ad hoc network [6, 7], with characteristics peculiar to mobile health applications.

So far, the current trend in BSN research has focused mainly on medical settings [4]. As an ad hoc network, a typical BSN consists of small sensor devices, usually destined to report medical data at varying intervals of time. Figure 1(a) shows a typical high-level BSN organization. Each BSN consists of a number of sensors, dedicated to monitoring medical data of the wearer. As noted in [1, 4], for implanted sensors, wireless communication is by far the preferred solution since wired networking would necessitate laying wires within the human body; and for wearable devices, wireless networking is also desirable due to user convenience.

There are many possible variations on the BSN structure, especially with respect to the network topologies formed from various BSNs. A very simple topology is given in Figure 1(b), depicting a mobile-health network and organizing several BSNs under one server. As explored in [5], a more sophisticated organization can involve elected leader nodes within a BSN, which allow for more specialized communication requirements. For instance, certain nodes have higher computational capabilities than others in order to perform more sophisticated tasks. This hierarchical organization is needed for a scalable system, especially with a fixed amount of resources.

2.2. Resource Constraints in BSNs

As in a typical ad hoc network, there is a large range of variations in resource constraints. From the proposed prototypes and test beds found in the existing literature, the computational and bandwidth limitations in BSNs are on par with those found in the so-called microsensor networks [6, 7]. While relatively powerful sensors can be found in a BSN, the smaller devices are destined to transmit infrequent summary data, for example, temperature or pressure reported every 30 minutes, which translates to transmissions of small bursts of data on the order of only several hundred, or possibly thousand, bits.

The computational and storage capabilities of these networks have been prototyped using UC Berkeley MICA2 motes [5], each of which provides an 8-MHz ATMega-128 L microcontroller with 128 KB of programmable flash, and 4-Kbytes of RAM. In fact, these motes may exceed the resources found in smaller BSN sensors. As such, to be safe, a proposed design should not overstep the capabilities offered by these prototype devices.

With energy at a premium, a study of the source of energy consumption in a BSN has been performed by evaluating the amount of energy dispensed per bit of information, similar to the analysis in [6]. The conclusion is that [1, 2, 4, 8], while computational and communication resources are both constrained in a BSN, the most expensive one is the communication operation. The computational costs are typically smaller so much that they are almost negligible compared to the cost of communication. Moreover, recall that the payload data for a scheduled transmission session in a BSN are on the order of a few hundred bits, which means that even a typical 128-bit key employed for encryption would be substantial by comparison. As such, only information bits that are truly necessary should be sent over the channel. This guideline has profound repercussions for the security protocols to be adopted in a BSN.

2.3. Security and Biometrics in BSNs

While the communication rate specifications in BSN are typically low, the security requirements are stringent, especially when sensitive medical data are exchanged. It should not be possible for sensors in other BSNs to gain access to data privy to a particular BSN. These requirements are difficult to guarantee due to the wireless broadcasting nature of a BSN, making the system susceptible to eavesdroppers and intruders.

In the BSN settings evaluated by [1, 4, 5, 8], the prototypes show that traditional security paradigms designed for conventional wireless networks [9] are in general not suitable. Indeed, while many popular key distribution schemes are asymmetric or public-key- based systems, these operations are very costly in the context of a BSN. For instance, it was reported that to establish a 128-bit key using a Diffie-Hellman system would require 15.9-mJ, while symmetric encryption of the same bit length would consume merely 0.00115-mJ [1]. Therefore, while key distribution is certainly important for security, the process will require significant modifications in a BSN.

By incorporating the body itself and the various physiological signal pathways as secure channels for efficiently distributing the derived biometrics, security can be feasibly implemented for BSN [1, 2]. For instance, a key distribution scheme based on fuzzy commitment is appropriate [1, 10]. A biometric is utilized for committing, or securely binding, a cryptographic key for secure transmission over an insecure channel. More detailed descriptions of this scheme will be given in Section 2.5. Essentially, for this construction, the biometric merely serves as a witness. The actual cryptographic key, for symmetric encryption [9], is externally generated, (i.e., independent from the physiological signals). This is the conventional view of biometric encryption [11]. The reasons are two-fold: (1) good cryptographic keys need to be random, and methods for realizing an external random source are quite reliable [9]; moreover, (2) the degree of variations in biometrics signals is such that two keys derived from the same physiological traits typically do not match exactly. And, as such, biometrically generated keys would not be usable in conventional cryptographic schemes, which by design do not tolerate even a single-bit error [9, 11].

2.4. The ECG As a Biometric

While many physiological features can be utilized as biometrics, the ECG has been found to specifically exhibit desirable characteristics for BSN applications. First, it should be noted that for the methods to be examined, the full-fledged ECG signals are not required. Rather, it is sufficient to record only the sequence of R-R wave intervals, referred to as the interpulse interval (IPI) sequence [4]. As a result, the methods are also valid for other cardiovascular signals, including phonocardiogram (PCG), and photoplethysmogram (PPG). What is more, as reported in [1, 4, 5], there are existing sensor devices for medical applications, manufactured with reasonable costs, that can record these IPI sequences effectively. That is, the system requirements for extracting the IPI sequences can be essentially considered negligible.

2.4.1. Time-Variance and key Randomness

At this point, it behooves us to distinguish between time-invariant and time-variant biometrics. In most conventional systems, biometrics are understood and required to be time-invariant, for example, fingerprints or irises, which do not depend on the time measured. This is so that, based on the recorded biometric, an authority can uniquely identify or authenticate an individual in, respectively, a one-to-many and one-to-one scenario [11]. By contrast, ECG-based biometrics are time-variant, which is a reason why they have not found much prominence in traditional biometric applications. Fortunately, for a BSN setting, it is precisely the time-varying nature of the ECG that makes it a prime candidate for good security. As already mentioned, good cryptographic keys need a high degree of randomness, and keys derived from random time-varying signals have higher security, since an intruder cannot reliably predict the true key. This is especially the case with ECG, since it is time-varying, changing with various physiological activities [12]. More precisely, as previously reported in [13], heart rate variability is characterized by a (bounded) random process.

2.4.2. Timing Synchronization and key Recoverability

Of course, key randomness is only part of the security problem. An ECG biometric would not be of great value unless the authorized party can successfully recover the intended cryptographic key from it. In other words, the second requirement is that the ECG-generated key should be reproducible with high fidelity at various sensor nodes in the same BSN.

To expose the feasibility of accurate biometric reproducibility at various sensors, let us consider typical ECG signals from the PhysioBank [14], as shown in Figure 2. For the present paper, it suffices to focus on the so-called QRS-complexes, particularly the R-waves, which represent usually the highest peaks in an ECG signal [12, 15]. The sequence of R-R intervals is termed the interpulse interval (IPI) sequence [4] and essentially represents the time intervals between successive pulses. In this case, three different ECG signals are measured simultaneously from three different electrode or lead placements (I, AVL, VZ [12, 14]). What is noteworthy is that, while the shapes of specific QRS complexes are different for each signal, the sequences of IPI for the three signals, with proper timing synchronization, are remarkably identical. Physiologically, this is because the three leads measure three representations of the same cardiovascular phenomenon, which originates from the same heart [12]. In particular, the IPI sequences capture the heart rate variations, which should be the same regardless of the measurement site.

Therefore, in order to recover identical IPI sequences at various sensors, accurate timing synchronization is a key requirement. While the mechanism of timing synchronization is not directly addressed in this paper, one possible solution is to treat this issue from a network broadcast level [1, 4, 5]. Briefly stated, in order that all sensors will ultimately produce the same IPI, they should all listen to an external broadcast command that serves to reinitialize, at some scheduled time instant, the ECG recording and IPI extraction process. This scheduling coordination also has a dual function of implementing key refreshing [4, 5, 9]. Since a fresh key is established in the BSN with each broadcast command for re-initialization, the system can enforce key renewal as frequently as needed to satisfy the security demand of the envisioned application: more refreshing ensures higher security, at the cost of increased system complexity.

2.5. Single-Point Fuzzy key Management with ECG

So far, various strategies in the literature have exploited ECG biometrics to bind an externally generated cryptographic key and distribute it to other sensors via fuzzy commitment [1, 2, 5, 16]. The cryptographic key intended for the entire BSN is generated at a single point, and then distributed to the remaining sensors. In addition, the key is generated independently from the biometric signals, which merely act as witnesses. For these reasons, we will henceforth refer to this scheme as single-point fuzzy commitment.

Figure 3 summarizes the general configuration of the single-point key management. The data structures of the signals at various stages are as follows:

(i) : the sequence of IPI derived from the heart, represented by a sequence of numbers, the range and resolution of which are dependent on the sensor devices used. (ii) : obtained by uniform quantization of , followed by conversion to binary, using a PCM code [17]. (iii) , : the corresponding quantities to the nonprime versions, which are derived from the receiver side. (iv) : an externally generated random key to be used for symmetric encryption in the BSN. It needs to be an error correction code, as explained in the sequel. (v) : the recovered key, with the same specifications as . (vi) : the commitment signal, generated using a commitment function defined as(1) where is a one-way hash function [9], and is the XOR operator.

Therefore, the commitment signal to be transmitted is a concatenation of the hashed value of the key and an XOR-bound version of the key. With the requirement of being a codeword of an error correcting code, with decoder function , the receiver produces a recovered key , using a fuzzy knowledge of , as(2)If is a -bit error-correcting decoder (i.e., can correct errors with a Hamming distance of up to ), then(3)Hence, as long as and are sufficiently similar, so that , the key distribution should be successful. This can be verified using the included check-code : checking whether . However, if the check-code is also corrupted, a false verification failure may occur.

3. Our Contributions

The existing research in BSN using ECG biometric can be classified into two major categories: network topology (via clustering formation), and key distribution (via fuzzy commitment). We will not address the first topic in this paper (the interested reader can refer to [5] and the references therein). However, in the previous section, we have reviewed in some detail the second challenge of key distribution, since one part of our contribution will focus on extending this approach. Furthermore, we also see the need for a third area of research: the data encryption stage, which is of course the raison d'être for secure key distribution in the first place.

In the BSN context, the use of conventional encryption is hampered by the key variability inherent in biometric systems. Biometric signals are typically noisy, which inevitably lead to variations, however minute, in the recovered cryptographic keys. The problem is that, however minute the variation, a single-bit error is sufficient to engender a decryption debacle with conventional cryptography. It is possible to employ extremely powerful error-correcting coders and generous request-resend protocols to counteract these difficulties. Of course, the amount of accrued energy consumption and system complexity would then defeat the promise of efficient designs using biometrics.

A more practical alternative would be to employ an encryption scheme that is inherently designed to rectify the inevitable key variations. One such alternative is the fuzzy vault method [11], the security of which is based on the intractable polynomial root finding problem. However, this choice may not be practical, since the scheme requires high computational demands, which can defy even conventional communication devices, let alone the more resource-scarce BSN sensors.

With the above challenges in mind, we propose two flexible methodologies for improving resource consumption in BSN. First, we present a key management scheme that consumes less communication resources compared to the existing single-point fuzzy key method, by trading off processing delay and computational complexity for spectral efficiency, which is the effective data rate transmitted per available bandwidth [17]. This represents more efficient use of bandwidth and power resources.

Second, to accommodate the key mismatch problem of conventional encryption, we propose a data scrambling framework known as INTRAS, being based on interpolation and random sampling. This framework is attractive not only for its convenient and low-complexity implementation, but also for its more graceful degradations in case of minor key variations. These characteristics accommodate the limited processing capabilities of the BSN devices and reinforce INTRAS as a viable alternative candidate for ensuring security in BSN based on physiological signals.

In order to be feasibly implementable in a BSN context, a design should not impose heavy resource demands. To ensure this is the case, we will adhere to the precedents set by the existing research. Only methods and modules which have been deemed appropriate for the existing prototypes would be utilized. In this sense, our contributions are not in the instrumentation or acquisition stages, rather we propose modifications in the signal processing arena, with new and improved methodologies and protocols that are nonetheless compatible with the existing hardware infra- structure.

4. Multipoint Fuzzy Key Management

As discussed above, only information bits that are truly essential should be transmitted in a BSN. But, by design, the minimum number of bits, required by the COM sequence, in single-point key management scheme is the length of the cryptographic key (no check-code transmitted). Motivated by this design limitation, we seek a more flexible and efficient alternative. The basic idea is to send only the check-code and not a modified version of the key itself over the channel. At each sensoring point in a BSN, the cryptographic key is regenerated from the commonly available biometrics. As such, this scheme is referred to as multipoint fuzzy key management.

With respect to key generation, the possibility of constructing from the biometric signal has been explored in [4, 16], with the conclusion that the ECG signals have enough entropy to generate good cryptographic keys. But note that this generation is only performed at a single point. In other words, the only change in Figure 3 is that itself is now some mapped version of .

However, because of the particular design of BSN, other sensor nodes also have access to similar versions of . As explained above, the generated biometrics sequences from sensors within the same BSN are remarkably similar. For instance, it has been reported that for a 128-bit sequence captured at a particular time instant, sensors within the same BSN have Hamming distances less than 22; by contrast, sensors outside the BSN typically result in Hamming distances of 80 or higher [18]. Then, loosely speaking, it should be possible to reliably extract an identical sequence of some length less than 106 bits from all sensors within a BSN.

It should be noted that these findings are obtained for a normal healthy ECG. Under certain conditions, the amount of reliable bits recovered may deviate significantly from the nominal value. But note that these cited values are for any independent time segments corresponding to 128 raw bits derived from the continually varying IPI sequence. In other words, even if the recoverability rate is less, it is possible to reliably obtain an arbitrary finite-length key, by simply extracting enough bits from a finite number of nonoverlapping 128-bit snapshots derived from the IPI sequences. This possibility is not available with a time-invariant biometric, for example, a fingerprint biometric, where the information content or entropy is more or less fixed.

In a multipoint scheme, a full XOR-ed version of the key no longer needs to be sent over the channel. Instead, only the check-code needs to be transmitted for verification. Furthermore, the amount of check-code to be sent can be varied for bandwidth efficiency, depending on the quality of verification desired.

4.1. Multipoint System Modules

The basic hardware units supporting the following modules are already present in a single-point system. Thus, the innovation is in the design of the roles that these blocks take at various points in the transmission protocol. A high-level summary of the proposed multipoint scheme is depicted in Figure 4.

4.1.1. Binary Encoder

Similar to a single-point key management, the first step involves signal conditioning by binary encoding (i.e., quantization and symbol mapping).

4.1.2. Error-Correcting Decoder

The next step seeks to remove just enough (dissimilar) features from a signal so that, for two sufficiently similar input signals, a common identical signal is produced. This goal is identical to that of an error-correcting decoder, if we treat the signals and as if they were two corrupted codewords, derived from a common clean codeword, of some hypothetical error-correcting code.

For an error-correcting encoder with -bit codewords, any -bit binary sequence can be considered as a codeword plus some channel distortions. This concept is made more explicit in Figure 5. Here, we have conceptually modeled the ECG signal-generation process to include a hypothetical channel encoder and a virtual distorting channel. In an analogous formulation, many relevant similarities are found in the concept of the so-called superchannel [19]. A superchannel is used to model the equivalent effect of all distortions, not just the fading channel typical of the physical layer, but also other nonlinearities in other communication layers, with the assumption of cross-layer interactions.

An analogous study of the various types of codes and suitable channel models, in the BSN context, would be beyond the scope of this paper. Instead, the goal of the present paper is to establish the general framework for this approach. In addition, while the optimal coding scheme for a BSN may not be a conventional error-correcting code [17, 19], we will limit our attention to a conventional BCH code family, to evaluate the feasibility of this superchannel formulation.

In practical terms, for Figure 4, a conventional BCH error-correcting decoder is used to encode a raw binary sequence, treated as a corrupted codeword of a corresponding hypothetical BCH encoder. This means that the error-correcting decoder in Figure 4 is used to reverse this hypothetical encoding process, generating hopefully similar copies of the pre-key at various sensors, even though the various -sequences may be different. In essence, the key idea of this error-correction decoder module is to correct the errors caused by the physiological pathways. The equivalent communication channels consist of the nonidealities and distortions existing between the heart and the sensor nodes.

In the following, we analyze the practical consequences, in terms of the required error-correcting specification, of the above conceptual model. Let us assume that ideal access to the undistorted IPI sequence originates directly from the heart. Then, each sensor receives a (possibly) distorted copy of . For example, consider sensors with copies:(4)where represents the distorting channel from the heart to each sensor .

Next, approximating the binary-equivalent channels as additive-noise channels [17], we can write(5)where is the binary-encoded sequence of , and represents the equivalent binary channel noise between the heart and sensor .

Furthermore, consider an error-correcting code with parameters , where is the bit-length of a codeword, is the bit-length of a message symbol, and is the number of correctable bit errors. Let the encoder and decoder functions of be and , respectively. Define the demapping operation as the composite function . In other words, for a particular -bit sequence , the operation should demap to the closest -bit codeword .

Then, suppose the bit-length of is and apply the demapper to obtain: , where is the Hamming distance from to the nearest codeword . Similarly, after demapping the other sensor sequences:(6)The preceding relations imply that correct decoding is possible if . Moreover, the correct demapped codeword sequence is , which is due to the original ideal sequence directly from the heart. If error-correction is successful at all nodes according to the above condition, then the same pre-key sequence, will be available at all sensors.

The above assessment is actually pessimistic. Indeed, it is accurate for the case where the channels 's have not distorted the sensor signals too far away from the ideal sequence . However, when all the sensor channels carry the signals further away from the ideal case, the same code sequence can still be obtained from all sensors. But in this case, the decoded sequence will no longer be , as examined next.

Let the codeword closest to all sequences be . The condition that all signals have moved far away from the ideal case is more precisely defined by requiring the Hamming distance between and to be strictly greater than (sensor sequences no longer correctable to by the error-correcting decoder). Let(7)where represents the respective Hamming distance. Then, the same key sequence, namely , is recoverable at all sensors provided that . In other words, the signals may depart significantly from the ideal case but will still be suitable for key generation, provided that they are all close enough to some codeword .

4.1.3. Morphing Encoder and Random Set Optimization

The relevant data structures for this module are:

(i) , : pre-key sequences, with similar structures as the session keys in the single-point scheme. (ii) , : respectively, the morphing function and a morphing index, which is a short input sequence, for example, 2 to 4 bits. Here, we use the cryptographic hash function SHA-1 [9] for the morphing function . (iii) : morphed versions of the pre-key sequences to accommodate privacy issues. Since the output of the SHA-1 function is a 160-bit sequence, for an intended 128-bit key, one can either use the starting or the ending 128-bit segment.

From a cryptographic perspective, the generated pre-key is already suitable for a symmetric encryption scheme; as such, this morphing block can be considered optional. However, one of the stated goals is to ensure user privacy and confidentiality. As noted in [11], for privacy reasons, any signals, including biometrics, generated from physiological data should not be retraceable to the original data. The reason is because the original data may reveal sensitive medical conditions of the user, which is the case for the ECG. Therefore, a morphing block serves to confidently remove obvious correlations between the generated key and the original medical data.

In addition, due to the introduction of a morphing block, there is an added advantage that ensues, especially for the INTRAS framework to be presented in Section 5. First, suppose that we can associate a security metric (SM) to a pair of input data and its encrypted version , which measures in some sense the dissimilarity as . Then, we can optimize the level of security by picking an appropriate key sequence. Deferring the details of INTRAS to the next section, we examine this idea as follows. Let be a sequence of data to be scrambled, using a key sequence . The scrambled output is(8)Then, for the sequence , the best key should be(9)In other words, is a data-dependent sequence that maximizes the dissimilarity between and the scrambled version . Of course, implementing this kind of “optimal” security may not be practical. First, solving for can be difficult, especially with nonlinear interpolators. In addition, since the optimal key is data-dependent, the transmitter would then need to securely exchange this key with the receiver, which defeats the whole purpose of key management.

A more suitable alternative is to consider the technique of random set optimization. Essentially, for difficult optimization problems, one can perform an (exhaustive) search over some limited random set from the feasible space. If the set is sufficiently random, then the constrained solution can be a good estimate of the optimal solution.

Combining the above two goals of data hiding and key optimization, a morphing block, denoted by , can be suitably implemented using a keyed hash function [9]. With this selection, the first goal is trivially satisfied. Furthermore, a property of a hash function is that small changes in the input results in significant changes in the output (i.e., the avalanche effect [9]). In other words, it is possible to generate a pseudorandom set using simple indexing changes in a morphing function, starting from a pre-key . Specifically, consider the generation of the key sequence for INTRAS:(10)with being the available index set for the morphing index . The cardinality of should be small enough that (e.g., a short sequence of 2 to 4 bits) can be sent as side information in . The input to the morphing function is the concatenation of and the morphing index . Due to the avalanche effect, even small changes due to the short morphing index would be sufficient to generate large variations in the output sequence .

Then, corresponding to Figure 4, the appropriate is the one generated from using , where(11)In the above equation, is defined as in (10). This optimization can be exhaustively solved, since the cardinality of is small. As shown in Figure 4, can be transmitted as plain-text side-information as part of , that is, without encryption. This is plausible because, without knowing , knowing does not reveal information about .

It should also be noted that only the transmitting node needs to perform the key optimization. Therefore, if computational resource needs to be conserved, this step can be simplified greatly (e.g., selecting a random index for transmission) without affecting the overall protocol.

The selection of an appropriate SM is an open research topic, which needs to take into account various operating issues, such as implementation requirements as well as the statistical nature of the data to be encrypted. For the present paper, we will use as an illustrative example the mean-squared error (MSE) criterion for the SM. In general, the MSE is not a good SM, since there exist deterministically invertible transforms that result in high MSE. However, the utility of the MSE, especially for multimedia data, is that it can provide a reasonable illustration of the amount of (gradual) distortions caused by typical lossy compression methods. An important argument to be made in Section 5 is that, in the presence of noise and key variations, the recovered data suffer a similar gradual degradation. Therefore, the use of the MSE to assess the difference between the original and recovered images is especially informative. In other words, there is a dual goal of investigating the robustness of the INTRAS inverse, or recovery process.

4.1.4. Transmission and Error Detection

(i) and : the error-detection bits, and the function used to generate these bits, respectively. For simplicity, the same hash function SHA-1 is used for . (ii) : the commitment signal actually transmitted over the channel.

Note that is the concatenation of the morphing index and part of . Being the output of SHA-1, is a 160-bit sequence. However, since error detection—as opposed to correction in the single-point scheme—is performed, it is not necessary to use the entire sequence. Therefore, depending on the bandwidth constraint or the desired security performance, only some segment of the sequence is partially transmitted, for example, the first 32 or 64 bits as done in the simulation results. The length of this partial sequence determines the confidence of verification and can be adapted according to the envisioned application.

The receiver should already have all the information needed to regenerate the pre-key . Possible key mismatches are detected based on the partial bits transmitted. If verification fails, a request for retransmission needs to be sent, for example, using an ARQ-type protocol.

4.2. Performance and Efficiency

The previous sections show that the most significant advantage of a multipoint scheme, in a BSN context, involves the efficient allocation of the scarce communication spectrum. With respect to spectral efficiency, the number of bits required for the original single-point scheme is at least the length of the cryptographic key. By contrast, since the proposed system only requires the transmitted bits for error detection, the number can be made variable. Therefore, depending on the targeted amount of confidence, the number of transmitted bits can be accordingly allocated for spectral efficiency.

However, this resource conservation is achieved at the expense of other performance factors. First, as in the single-point key management scheme, the success of the proposed multipoint construction relies on the similarities of the physiological signals at the various sensors. Although the requirements in terms of the Hamming distance conditions are similar, there are some notable differences. For the single-point management, from (3), the tolerable bit difference is quantifiable completely in terms of the pair of binary features and . By contrast, for the multipoint management, from (6), the tolerable bit difference is also dependent on the distance of the uncorrupted binary IPI sequence from the closest codeword. In other words, the closer the IPI sequence is from a valid codeword, the less sensitive it is from variations in multiple biometric acquisitions.

This preceding observation provides possible directions to reinforce the robustness and improve the performance of the multipoint approach. For instance, in order to reduce the potential large variations in Hamming distances, Gray coding can be utilized in the binary encoder. This allows for incremental changes in the input signals to be reflected as the smallest possible Hamming distances [17]. Moreover, in order to improve the distances between the obtained IPI sequences and the codewords, an error-correcting code that takes into account some prior knowledge regarding the signal constellation is preferred. In other words, this is a superchannel approach, that seeks an optimal code that is most closely matched to the signal space. Of course, additional statistical knowledge regarding the underlying physiological processes would be needed.

Therefore, in the present paper, the performance results without these possible modifications will be evaluated, delivering the lower-bound benchmark upon which future designs can be assessed. It is expected that the false-rejection rates will demonstrate more significant gains. This is because, by design, the multipoint scheme can detect variations and errors with good accuracy (i.e., providing good false-acceptance rates). However, it is less robust in correcting the errors due to coding mismatches. And it is in this latter aspect that future improvements can be made.

In either scheme, there is also an implicit requirement of a buffer to store the IPI sequences prior to encoding. Consider the distribution of a 128-bit cryptographic key in a BSN, obtained from multiple time segments of nonoverlapping IPI sequences with the BCH code (63, 16, 11). Then, the number of IPI raw input bits to be stored in the buffer would be bits.

To assess the corresponding time delay, consider a typical heart rate of 70 beats per minute [15]. Also, each IPI value is used to generate 8 bits. Then, the time required to collect the 504 bits is approximately seconds. In fact, this value should be considered a bare minimum. First, additional computational delays would be incurred in a real application. Furthermore, the system may also need to wait longer, for the recorded physiological signal to generate sufficient randomness and reliability for the key generation. While the heart rate variations are a bounded random process [13], the rate of change may not be fast enough for a user's preference. In other words, a 504-bit sequence obtained in 54 seconds may not be sufficiently random. To address this inherent limitation, in trading off the time delay for less bandwidth consumption, a compromise is made in the next section.

4.3. Multipoint Management with key Fusion Extension

In the system considered so far, the sole random source for key generation is the ECG. Without requiring an external random source, a multipoint strategy has enabled a BSN to be more efficient with respect to the communication resources, at the expense of computational complexity and processing delay. As discussed in Section 2.2, this is generally a desirable setup for a BSN [1, 2]. However, in operating scenarios where the longer delays and higher computational complexity become prohibitive, it is possible to resort to an intermediate case.

Suppose the security requirements dictate a certain key length. Then, the key can be partitioned into two components: the first constructed by an external random source, while the second derived from the ECG. The total number of bits generated equals the required key length. Evidently, for a system with severe bandwidth restriction, most of the key bits should be derived from the ECG. Conversely, when transmission delay is a problem, more bits should be generated by an external source.

A high-level summary of a possible key fusion approach is depicted in Figure 6. The key is a concatenation of two components, that is, (, ). The first component is distributed using fuzzy commitment, while the second is sent using the multipoint scheme.

In order to ensure that the overall cryptographic key is secured using mutually exclusive information, it is necessary to partition the output from the binary encoder properly. As a concrete example, let us consider generating a 128-bit key, half from a fuzzy commitment and half from a multipoint distribution, using a BCH (63, 16, 11) code. Then, the first bits from the raw binary output are used to bind the externally generated 64-bit sequence. The remaining 64 bits need to be generated from the next raw input bits. In other words, this scheme requires waiting for bits to be recorded, as opposed to 504 bits in the nonfusion multipoint case.

Therefore, from an implementation perspective, this fusion system allows a BSN to adaptively modify its key construction, depending on the delay requirements. But the disadvantage is the sensors need to be sufficiently complicated to carry out the adaptation in the first place. For instance, additional information needs to be transmitted for proper transceiver synchronization in the key construction. Furthermore, some form of feedback is needed to adjust the key length for true resource adaption. These requirements are conceptually represented by the key length partitioning control block in Figure 6. It can be practically implemented by embedding additional control data bits into the transmitted sequence to coordinate the receiver. As with most practical feedback methods, there is some inevitable delay in the system adaptive response.

Nonetheless, whenever implementable, a key fusion approach is the most general one, encompassing both the single-point and multipoint schemes as special cases, in addition to other intermediate possibilities.

5. Intras Data Scrambling

In the previous section, the general infrastructure and several approaches for generating and establishing common keys at various nodes in a secure manner have been described. The next straightforward strategy would be to utilize these keys in some traditional symmetric encryption scheme [9]. However, in the context of a BSN, this approach has several shortcomings. First, since conventional encryption schemes are not conceived with considerations of resource limitations in BSN, a direct application of these schemes typically implies resource inefficiency or performance loss in security. Second, operating at the bit-level, conventional encryption schemes are also highly sensitive to mismatching of the encryption/decryption keys: even a single-bit error, by design, results in a nonsense output.

Addressing the above limitations of conventional encryption in the context of a BSN, we propose an alternative method that operates at the signal-sample level. The method is referred to as INTRAS, being effectively a combination of interpolation and random sampling, which is inspired by [20, 21]. The idea is to modify the signal after sampling, but before binary encoding.

5.1. Envisioned Domain of Applicability

The proposed method is suitable for input data at the signal-level (nonbinary) form, which is typical of the raw data transmitted in a BSN. There are two fundamental reasons for this constraint.

First, for good performance in terms of security with this scheme, the input needs to have a sufficiently large dynamic range. Consider the interpolation process (explained in more detail in the next section): binary inputs would produce interpolated outputs that have either insufficient variations (e.g., consider linear interpolation between 1 and 1, or 0 and 0) or result in output symbols that are not in the original binary alphabet (e.g., consider linear interpolation between 1 and 0). More seriously, for a brute force attack, the FIR process (see (14)) can be modeled as a finite-state machine (assuming a finite discrete alphabet). Then, in constructing a trellis diagram [17], the comparison of a binary alphabet versus a 16-bit alphabet translates to branches versus (potentially) branches in each trellis state. Therefore, working at a binary level would compromise the system performance. In other words, we are designing a symbol recoder. As such the method draws upon the literature in nonuniform random sampling [21].

Second, the scheme is meant to tolerate small key variations (a problem for conventional encryption), as well as to deliver a low-complexity implementation (a problem for fuzzy vault). However, the cost to be paid is a possibly imperfect recovery, due to interpolation diffusion errors with an imperfect key sequence. It will be seen that in the presence of key variations, the resulting distortions are similar to gradual degradations found in lossy compression algorithms, as opposed to the all-or-none abrupt recovery failure exhibited by conventional encryption. Therefore, similar to the lossy compression schemes, the intended input should also be the raw signal-level data.

5.2. INTRAS High-Level Structure

The general structure of an INTRAS scrambler is shown in Figure 7, with an input sequence . At each instant , the resampling block simply re samples the interpolated signal using a delay to produce the scrambled output . Security here is obtained from the fact that, by properly designing the interpolating filter, the input cannot be recovered from the scrambled output , without knowledge of the delay sequence .

In a BSN context, the available (binary) encryption key is used to generate a set of sampling instants , by multilevel symbol-coding of [17]. This set of sampling instants is then used to resample the interpolated data sequence. Note that, when properly generated, is a random key, and that the derived inherits this randomness. In other words, the resampling process corresponds effectively to random sampling of the original data sequence. Without knowledge of the key sequence, the unauthorized recovery of the original data sequence, for example, by brute-force attack, from the resampled signal is computationally impractical. By contrast, with knowledge of , the recovery of the original data is efficiently performed; in some cases, an iterative solution is possible. Therefore, the proposed scheme satisfies the main characteristics of a practical cryptographic system. More importantly, it not only requires less computational resources for implementation, but also is more robust to small mismatching of the encryption and decryption keys, which is often the case in biometrics systems.

5.3. INTRAS with Linear Interpolators

While Figure 7 shows an intermediate interpolated analog signal, , this is more or less a convenient abstraction only. Depending on the filter used and the method of resampling, we can in fact bypass the continuous-time processing completely.

First, the window size or memory length needs to be selected, determining the range of time instants over which the resampling can occur. For a causal definition, the window needs to span only the previous data symbols. Then, the current output symbol is obtained as a linear combination of the previous symbols.

Consider a simple linear interpolator with , so that the window size is two symbols, consisting of the current symbol and one previous one. Then, the resampled signal can be obtained in discrete-time form as(12)where . The rationale for this definition is illustrated in Figure 8. When , the output is the previous symbol. When , it is the current symbol. And for , the filter interpolates between these values. This is precisely what a linear interpolator does but implemented entirely in discrete-time. The iterative definition (12) needs initialization to be complete: a virtual pre-symbol can be defined with an arbitrary value .

Also, observe that computing actually corresponds to computing a convex combination of two consecutive symbols and , that is, weighting coefficients , satisfy(13)for each . A convex combination is sufficient to maintain the full dynamic range (in fact, a more generalized linear combination is redundant, since it leads to unbounded output value).

The INTRAS structure is a scrambler because, depending on the random sequence , the output signal can differ significantly from the input. However, it is not encryption in the conventional sense, since knowing the input data and encrypted output is equivalent to knowing the key. Moreover, small mismatches in the decryption key do not lead immediately to nonsense output but rather represent a more graceful degradation, characterized by an increasing mean-squared error (MSE). This is in stark contrast to the all-or-none criterion of conventional encryption and is thus more suitable for biometric systems.

As the memory length is increased, a number of possibilities can be applied in interpolation. For example, (i) the simplest approach is to simply interpolate between every two successive samples (graphically, joining a straight line). Then, the sampling delay determines which line should be used to pick the scrambled output. Or, (ii) linear regression can be first performed over the symbols spanning the window of interest [22]. Then, the sampling delay is applied to the best-fit regression line to produce the output. Alternatively, (iii) by revisiting the form of (12), which recasts interpolation as a convex combination, we can expand the formulation to incorporate a multiple-symbol combination as follows:(14)where the convex combination condition, for a proper output dynamic range, requires that(15)Therefore, the cryptographic key is used to encode sequences of random coefficients. (Actually, because of the convex-combination requirement, there is a loss of degree of freedom, and only sequences of this set are independent). Equivalently, the operation corresponds to a time-varying FIR filter [17] (with random coefficients).

This previous construction can be recast as a special case of the classical Hill cipher [9] as follows. Consider an input sequence of length . For the purpose of illustration, let us select , which implies that we need to initialize the first 2 virtual pre-symbols, with assumed secret values, known to the intended receiver. One straight-forward approach would be to generate these symbols from the available cryptographic key .

For notational simplicity, let us denote the coefficient sequences as . Then, the remaining scrambled output symbols are computed for as(16)which can be expressed in a matrix form:(17)An expanded version of this equation is shown in Table 1. Here, we have rearranged the equations and augmented the last two rows with the virtual pre-symbols, so that the final form is explicitly recognized as a row-echelon matrix [22].

The obtained linear matrix representation is reminiscent of the Hill cipher, which is also a linear map modulo 26 (for 26 letters in the alphabet). However, there are some basic differences to be remarked here. First, the Hill cipher does not restrict the form of , which can consist of any numbers. This means that the dimension of the mapping matrix needs to be small, otherwise matrix inversion would be prohibitively expensive. However, keeping the dimension small is equivalent to low security. Moreover, the Hill cipher is also unusable whenever is singular.

In our proposed scheme, the above disadvantages are largely avoided. From the row-echelon form in Table 1, as long as for all , then has full-rank. Thus, the matrix equation will always have a solution, which is also unique. This shows that during the generation of random coefficients, the coefficient sequence should be kept nonzero. In addition, the dimension of is . For a typical signal sequence, this represents a large matrix, which would not be practical with a standard Hill cipher. But in this case, direct matrix inversion does not need to be performed. Instead an iterative solution can be obtained. Starting from the first symbol, we solve for , given and the knowledge of the coefficient sequences and virtual pre-symbols. For , we start with(18)More generally, we have(19)Therefore, with the knowledge of the coefficient sequences and the virtual pre-symbols, the signal can be descrambled efficiently in an iterative manner.

Furthermore, the row-echelon representation also shows that without complete knowledge of the coefficient sequences, or the virtual pre-symbols, the original data sequence cannot be uniquely solved. Indeed, a linear system either has: (1) a unique solution, (2) no solution, or (3) infinitely many solutions [22]. Missing any of the coefficients is tantamount to incomplete knowledge of a row of the echelon matrix, which then implies either case (2) or (3) only. And assuming that the echelon matrix is properly constructed with for all , then the incomplete (with a deleted row whenever the corresponding delay symbol is unknown) still has full rank [22]. This then implies that case (3) is true: an intruder without knowledge of the delay sequences would need to guess from infinitely many possible choices in the solution space.

However, there is a catastrophic case in the current form (17): when contains long runs of constant values, then the corresponding segment in in fact does not change at all. This is because each row of creates a convex combination. A simple fix involves using the bits from to create a premasking vector that randomly flips the signs of elements in . This is achieved by directly remapping the sequence of 0 and 1 in to and 1, which is called the sequence . Since the goal here is to simply prevent long runs of a single constant value, rather than true randomness, it is permissible to stack together a number of sequences to create a longer (column) vector as follows:(20)Enough of the sequences should be concatenated (with a possible truncation of the last sequence) to make the dimension of exactly (an -element column vector, with elements being either or 1). Then, a sign-perturbed input sequence is computed as(21)where the last vector is augmented to account for virtual pre-symbols (which should not have long runs of constant values, being created from a random key), and denotes element-wise multiplication. Then, the modified scrambling operation(22)is no longer limited by the above catastrophic case, since there are now deliberate signal perturbations even when the original input is static.

5.4. INTRAS with Higher-Order Interpolators

As in conventional cryptography, the security of the system can be improved simply by assigning more bits to the key. However, this implies further resource consumption. An alternative, which offers a tradeoff with computational requirements, is to employ higher-order interpolators. This approach can be connected to Shamir's polynomial secret sharing scheme [23].

From the basic idea in Figure 7, the interpolating filter used is of a higher-order family. For illustration, we focus specifically on the class of Lagrange interpolators [21]. Note that such an approach has been previously applied for security, for example, in Shamir's scheme. However, there are a number of differences. First, in Shamir's approach, the secret is hidden as a particular polynomial coefficient, with the remaining coefficients being random. Moreover, there is no implication of a sliding-window type of interpolation. By contrast, the secret in the present paper is derived from a random sampled value, once the complete polynomial has been constructed. Second, the interpolation is applied sequentially over a limited sliding-window of values. These two characteristics make the implementation simpler and more appropriate for a BSN.

A Lagrange interpolator essentially constructs a polynomial of degree that passes through points of the form and can be expressed as a linear combination of the Lagrange basis polynomials:(23)where the basis polynomials are computed as(24)For a set of points, it can be shown from the fundamental theorem of algebra that is unique. Therefore, the degree of the interpolator used in secret sharing needs to be one less than the number of available shares in order for a secret to be properly concealed. This can be explained alternatively by Blakley's related secret sharing scheme, which essentially states that hyperplanes in an -dimensional space intersect at a specific point. And therefore, a secret may be encoded as any single coordinate of the point of intersection.

The construction for the present BSN context is as follows. For clarity, we illustrate the construction for a system with memory length .

(1) In creating a new scrambled symbol, the focus is on the values within a limited window including 3 previous values. In other words, there are 4 values of interest at the current sampling index , where denotes the time value corresponding to sampling index . (2) These values constitute the available shares and are pooled together to construct a third-degree polynomial, that is, for the current window. (3) A new secret share is created corresponding to a random time value of , where represents the current range of the window. The current share is replaced with the new share in the output signal. (4) The construction moves to the next point similarly, until the whole sequence has been processed.

The descrambling operation by a receiver proceeds sequentially in the reverse manner.

(1) Due to the particular design of INTRAS, at each instant , a total of previous shares are available (in the initial step, these are the virtual pre-symbols). (2) Therefore, with an incoming new share, , and knowledge of provided from the biometrics, the polynomial for the current window can be completely reconstructed by the receiver. (3) The original symbol or share can then be recovered. (4) This recovered share then participates in the next sliding window. The process can thus be repeated until the entire sequence has been recovered.

Due to the similar construction based on Lagrange interpolators, the security of INTRAS is at least as good as Shamir's scheme for each sliding window. Furthermore, note that a new random delay for a new secret share needs to recovered, from the biometrics, for the next sliding window. Therefore, suppose a previous window was compromised, an intruder would still need to repeat the process for the next iteration, albeit the process is now easier, since at least shares of the required shares have been previously compromised.

While the application of INTRAS with higher-order interpolation delivers improved security and flexibility, the disadvantage is a large increase in computational complexity, especially when the size of the memory is substantial. Therefore, a sensible strategy would be to apply linear interpolation for the links between weaker sensors, whereas higher-order interpolation would be used for more capable sensors.

6. Simulation Results

Even though the proposed methods should be applicable to other types of cardiovascular biometrics, ECG-based biometrics are the focus of performance assessment, since ECG data are widely available in various public databases. In the simulations, the ECG data, with R-R annotations, archived at the publicly available PhysioBank database are used [14]. These signals are sampled at 1 KHz with 16-bit resolution. In order to simulate the placements of various sensors in a BSN, ECG records that include multichannel signals, recorded by placing leads at various body locations, are specifically selected. Since these leads are simultaneously recorded, timing synchronization is implicitly guaranteed.

6.1. Key Generation and Distribution

Several key distribution scenarios, which are meant to illustrate the possible improvement in terms of communication resources, as measured by the corresponding spectral efficiency, are demonstrated. Table 2 summarizes the simulation parameters and resulting findings for a targeted 128-bit cryptographic key.

The coding rate for error-correcting coding as well as the number of bits used for channel error detection is varied. Note that, compared to the single-point scheme, the amount of information actually transmitted over the channel for key distribution is lower. The results illustrate that the error-correcting stage is crucial. If key regeneration fails at the receiver, then no amount of additional transmitted bits can make a difference, since no error correction is performed. On the other hand, if key regeneration is successful, then a smaller number of bits only negligibly degrade the key verification. The results without and with key fusion are shown for comparisons. Here, half of the key bits are derived from the biometrics, while the remaining from an external source.

The performance metrics utilized for comparison are the standard false rejection rate (FRR) and the false acceptance rate (FAR) [4, 11]. In each case, we experimentally optimize (by a numerical search) the Hamming distance threshold of the DET bit sequence in order to give the smallest FAR, and recorded the corresponding FRR. In other words, a minimum FAR is the objective, at the expense of a higher FRR. Note that this goal is not always appropriate; depending on the envisioned application a different, more balanced operating point, may be more suitable. In this case, the relevant operating point is contrived instead for a particular application: to supply the cryptographic key for a conventional encryption method. Evidently, for this scenario, if accepted as a positive match, the receiver-generated cryptographic key needs to be an exact duplicate of the original key. Otherwise, the conventional encryption and decryption procedure, which is mostly an all-or-none process, will fail even for a single-bit mismatch in the cryptographic key. This disastrous case is prevented by imposing a very small FAR. Therefore, the reported results show what can be correspondingly expected for the FRR. A more tolerant alternative to data scrambling is examined in the next section, where the feasibility of INTRAS is assessed.

The results for the key fusion scheme show only a minor changes compared to key distribution from only the biometrics. This is an indication that the biometrics are already providing a good degree of randomness for key generation. If this was not the case, the external random source (which is forced to generate statistically reliable random keys) would have resulted in significant improvement, since it would provide a much improved source of randomness for the key. But according to the obtained results, only slight changes are observed in the FAR.

6.2. Data Scrambling

Using the MSE as a performance metric, Figure 9 shows the results for INTRAS that combines two consecutive symbols () and a key sequence constructed from a 128-bit key. In this case, the input symbols are simulated as an i.i.d. sequence of integers, ranging from to 10. The distortions are modeled using a simple additive white Gaussian noise (AWGN) channel. Recall that, without any channel distortion, the INTRAS scheme can be summarized as follows. The scrambling step is(25)with input and key sequence . The corresponding descrambling step for ideal recovery of the original signal is(26)To account for the channel distortion, the signal seen at the input to the descrambler or receiver side is(27)where is the AWGN. The associated channel signal-to-noise ratio (SNR) is computed as(28)where represents the statistical expectation operator.

Depending on the key used for scrambling, there are 4 recovery strategies shown in the results. Let , , , be, respectively, the original key sequence used for scrambling, a key sequence from a device in the same BSN, a key sequence from an intruder outside of the intended BSN, without and with key optimization. Then, the four corresponding MSE performances, between the original signal and the signal recovered using one of these key sequences, can be computed. For example, when the original key is known as(29)

As shown in Figure 9, without knowledge of the key, the signal recovered by an intruder differs significantly from the genuine signal. Moreover, an increase in the signal-to-noise ratio does not lead to a significant improvement with an incorrect key. By contrast, with the correct key, the receiver performance improves as expected with better operating environments. The gradual change in MSE is analogous to the effect caused by varying the degree of compression in a lossy compression scheme.

With respect to key optimization, there appear to be only insignificant changes for the case with a correct key. However, with an incorrect key, there is a pronounced difference. This is an indication of improved security. An intruder would have more difficulty compromising a system with key optimization.

Next, in order to further improve security (for the same key length), additional processing cost is added by combining 4 symbols (with memory length = 3). As shown in Figure 10, the additional processing not only helps further separate the distinction of sensors inside and outside the BSN, it also improves the performance at high-noise situation for the authorized receiver. This is because each input symbol is now contained in a wider window of output symbols, so that the advantage of diversity is achieved.

7. Concluding Remarks

In this paper, methods using biometrics for efficiently providing security in BSNs have been proposed. Two complementary approaches addressing, respectively, the key management issues and the fuzzy variability of biometric signals are examined. One of the goals has been to allow for flexibility in each method. Depending on the actual application, a system can be accordingly reconfigured to be best suited for the required resource constraints. To this end, the proposed methods have built-in adjustable parameters that allow for varying degrees of robustness versus complexity.

While the proposed multipoint key management strategy and the INTRAS framework have specifically targeted relevant issues for a BSN, there remain important considerations that need to be addressed for practical deployment. Since a BSN is envisioned as a wireless network, the effects of channel fading and distortions should be considered. The robustness of the system needs to be evaluated in these practical scenarios. Furthermore, while the ECG and related signals have been touted as the most appropriate biometrics for a BSN, there is of course a wide range of sensors and devices that do not have access to the body's cardiovascular networks. Therefore, methods that allow for some form of interactions and management of these devices need to be considered for a BSN. In this manner, a BSN would be integrated more easily into other existing network systems without severe security compromises.

Acknowledgments

This work was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC). Some of the material in this paper appears in the proceedings of Biometrics Symposium 2007, Baltimore, Maryland, USA.

References

1. S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupta, “Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body,” in Proceedings of the 32nd International Conference on Parallel Processing (ICPP '03), p. 432, Kaohsiung, Taiwan, October 2003.
2. S.-D. Bao, L.-F. Shen, and Y.-T. Zhang, “A novel key distribution of body area networks for telemedicine,” in Proceedings of IEEE the International Workshop on Biomedical Circuits and Systems, p. 1, Singapore, December 2004.
3. F. M. Bui and D. Hatzinakos, “Resource allocation strategies for secure and efficient communications in biometrics-based body sensor networks,” in Proceedings of the Biometrics Symposium (BSYM '07), Baltimore, Md, USA, September 2007.
4. C. C. Y. Poon, Y.-T. Zhang, and S.-D. Bao, “A novel biometrics method to secure wireless body area sensor networks for telemedicine and m-health,” IEEE Communications Magazine, vol. 44, no. 4, 73 pages, 2006.
5. K. K. Venkatasubramanian and S. K. S. Gupta, “Security for pervasive health monitoring sensor applications,” in Proceedings of the 4th International Conference on Intelligent Sensing and Information Processing (ICISIP '06), p. 197, Bangalore, India, December 2006.
6. W. R. Heinzelman, A. Chandrakansan, and H. Balakrishnan, “Energy-efficient communication protocol for wireless microsensor networks,” in Proceedings of the 33rd Annual Hawaii International Conference on System Sciences (HICSS '00), vol. 2, p. 3005, Maui, Hawaii, USA, January 2000.
7. M. Ilyas, Ed., The Handbook of Ad Hoc Wireless Networks, CRC Press, Boca Raton, Fla, USA, 2003.
8. V. Shankar, A. Natarajan, S. K. S. Guptar, and L. Schwiebert, “Energy-efficient protocols for wireless communication in biosensor networks,” in Proceedings of the 12th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC '01), vol. 1, p. 114, San Diego, Calif, USA, September 2001.
9. W. Stallings, Cryptography and Network Security: Principles and Practice, Prenticall Hall, Upper Saddle River, NJ, USA, 4th edition, 2006.
10. A. Juels and M. Wattenberg, “A fuzzy commitment scheme,” in Proceedings of the 6th ACM Conference on Computer and Communications Security (CCS '99), p. 28, Singapore, November 1999.
11. A. Cavoukian and A. Stoianov, “Biometric encryption: a positive-sum technology that achieves strong authentication, security and privacy,” March 2007, Information and Privacy Commissioner/Ontario.
12. J. Malmivuo and R. Plonsey, Bioelectromagnetism: Principles and Applications of Bioelectric and Biomagnetic Fields, Oxford University Press, New York, NY, USA, 1995.
13. S. Lu, J. Kanters, and K. H. Chon, “A new stochastic model to interpret heart rate variability,” in Proceedings of the 25th Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBS '03), vol. 3, p. 2303, Cancun, Mexico, September 2003.
14. A. L. Goldberger, L. A. N. Amaral, L. Glass, et al., “PhysioBank, physioToolkit, and physioNet: components of a new research resource for complex physiologic signals,” Circulation, vol. 101, no. 23, 215 pages, 2000.
15. D. Bruce Foster, Twelve-Lead Electrocardiography: Theory and Interpretation, Springer, New York, NY, USA, 2nd edition, 2007.
16. S. D. Bao, Y. T. Zhang, and L. F. Shen, “A new symmetric cryptosystem of body area sensor networks for telemedicine,” in Proceeding of the 6th Asian-Pacific Conference on Medical and Biological Engineering (APCMBE '05), Tsukuba, Japan, April 2005.
17. J. G. Proakis, Digital Communications, McGraw Hill, New York, NY, USA, 4th edition, 2001.
18. S.-D. Bao, Y.-T. Zhang, and L.-F. Shen, “Physiological signal based entity authentication for body area sensor networks and mobile healthcare systems,” in Proceedings of the 27th Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBS '05), p. 2455, Shanghai, China, September 2005.
19. G. Kabatiansky, E. Krouk, and S. Semenov, Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept, John Wiley & Sons, New York, NY, USA, 2005.
20. V. Valimaki, T. Tolonen, and M. Marjalainen, “Signaldependent nonlinearities for physical models using time-varying fractional delay filters,” in Proceedings of the International Computer Music Conference (ICMC '98), p. 264, Ann Arbor, Mich, USA, October 1998.
21. F. Marvasti, Nonuniform Sampling: Theory and Practice, Springer, New York, NY, USA, 2001.
22. B. Noble and J. Daniel, Applied Linear Algebra, Prentice Hall, Englewood Cliffs, NJ, USA, 3rd edition, 1987.
23. A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, 612 pages, 1979.