SlashNOT

Jorgen Hansensensen, a noted San Diego cryptographic researcher, has done it again. As reported earlier, Jorgen introduced to the world a new encryption algorithm actually invented by his toddler son, Hans. This time it is his own work, however, that is drawing international attention.

Submitted recently to the Cryptographic Research and Applications Publication, a peer-reviewed journal exploring advances in cryptosystems and their application in society, is his latest paper: The Belly-Button as a Temporally-Limited Biometric Means for Identifying Individuals and for Random Seed Generation in Support of Key Exchange. “Have you ever looked at your own belly-button?” Jorgen asks in the introduction to his paper. “And then have you examined the belly-buttons of others? No two are alike! Sure, there are gross physical similarities, such as innies, and outies, but the folds and contours of each are unique.”

Jorgen goes on to explain how there is sufficent ideosyncratic information in the navel, just as there is in the more-established technologies based on the iris or fingertip, to uniquely identify the belly-button’s owner.

“But it isn’t just about identification,” Jorgan says later in the paper. There are other features that make the belly-button a better fit to modern cryptosystems than fingerprints or eye-scans. One such advanage of my system is that the key is time-limited, because nobody’s belly stays the same shape over time. The user of the system will have to keep his or her belly-button image up-to-date to keep access. Also, people in office-environments typically keep their belly-buttons covered, which increases security. In your typical office it is much easier to look your co-worker in the eye and/or swipe their coffee cup than it is to get access to their tummy.”

The second part of the paper covers the difficulty of random-key generation and how the same apparatus that obtains the biometric information can also be used as a random-number source. “People have trouble keeping their stomach still while lifting their shirt for the camera,” Jorgen explains. “That reminded me of those guys generating randomness from lava-lamps and fish-tanks. I figured the same principle would work here. If you need even more randomness the security prompt could present the user a selection from a joke file or similar humor repository as a part of the authentication process.”

Noted security luminary Bruce Schneier is reported to have said, when presented with an advance copy of the paper, that Jorgen’s system had some interesting aspects to it but that only time would tell if the system is truely secure. “It solves the ‘chop off the finger’ problem that fingerprint-based systems have. The key-space is small, though, and that worries me. Also, I wonder about the physical-world security of the keys… I think you’ll find individuals with particularly important belly-buttons may be stalked and ‘imaged’ when vulnerable (such as in the shower or the restroom) and ‘wargazing’ with high-powered digital cameras at beaches and similar venues may become a common method for indiscriminate collection of private biographic keys. It’s second-order effects like these that you have to worry about when designing a cryptosystem. On the other hand, I can already think of a few things that could improve the strictly technical aspects of the system. Smearing snake-oil over the belly before imaging the button would enhance the contrast of the image, for example.”