Enhancing heart-beat-based security for mHealth applications
Journal article, 2017
In heart-beat-based security, a security key is derived from the time difference between two consecutive heart beats (the Inter-Pulse-Interval, IPI) which may, subsequently, be used to enable secure communication. While heart-beatbased security holds promise in mobile health (mHealth) applications, there currently exists no work that provides a detailed characterization of the delivered security in a real system. In this paper, we evaluate the strength of IPI-based security keys in the context of entity authentication. We investigate several aspects which should be considered in practice, including subjects with reduced heart-rate variability, different sensor-sampling frequencies, inter-sensor variability (i.e., how accurate each entity may measure heart beats) as well as average and worst-caseauthentication time. Contrary to the current state of the art, our evaluation demonstrates that authentication using multiple, lessentropic keys may actually increase the key strength by reducing the effects of inter-sensor variability. Moreover, we find that the maximal key strength of a 60-bit key varies between 29.2 bits and only 5.7 bits, depending on the subject's heart-rate variability. To improve security, we introduce the Inter-multi-Pulse Interval (ImPI), a novel method of extracting entropy from the heart by considering the time difference between two non-consecutive heart beats. Given the same authentication time, using the ImPI for key generation increases key strength by up to 3.4x (+19.2 bits) for subjects with limited heart-rate variability, at the cost of an extended key-generation time of 4.8x (+45 sec).