USign—A Security Enhanced Electronic Consent Model
Yanyan Li (1), Mengjun Xie (1), Jiang Bian (2)
(1) University of Arkansas at Little Rock; (2) University of Arkansas for Medical Sciences
August 29, 2014
University of Arkansas at Little Rock Electronic Consent Model August 29, 2014 1 / 25
Outline
Introduction
Related Work
Design and Implementation of USign
System Evaluation
Conclusion
Why electronic consent?
Improve efficiency and quality
• E.g. recruit more subjects and save time and money in clinical trials
Problems in electronic consent
Lack of considerations in security and privacy
• Most focus on improving participant comprehension of consent
Collected signatures are only for archival purpose
Proposed solution – USign
Collects signatures for authentication purpose
Guarantees the signer is the person he/she claims to be
Electronic Consent
Give researchers greater access to rural populations
Captured signature is only used as a record
Electronic Signature
Use predefined signature styles, not real ones
Not for verifying a signer’s identity
Signature Verification
Signatures are commonly accepted
High accuracy (low error rate) has been achieved
Design and Implementation of USign
Motivation
Enhance the security of the existing eConsent system
[Figure: the Existing eConsent System (your identity could be impersonated by others) and the Security Enhanced eConsent System, i.e. the existing eConsent system with USign (only genuine users can log in / sign documents)]
Comparison between existing and proposed system
| System | Identity Verification in User Login | Identity Verification in Document Signing |
|---|---|---|
| Existing eConsent system | Weak | No |
| USign-based eConsent system model | Strong | Yes |
Design of USign system
Prototype system follows client-server model
[Figure: system architecture. Client side: a user operates the Android client. Server side: Tomcat server and MySQL database. Connection labels: HTTPS, SOCKET]
Login interface of the client application
Signature Verification
Dynamic Time Warping (DTW) method is used
Workflow of user identity verification
Data Acquisition step
Users’ signature data are obtained via tablet/smartphone
Collected many features related to the signature itself
X and Y Coordinates, timestamp, pressure, touch area
Preprocessing is not included in this system
Causes information loss
Feature Selection step
Extract ∆x and ∆y from original X and Y coordinates
Difference of X and Y coordinates between two consecutive points
Pressure and touch area features are not selected
Studies show these features are not effective
Selected features: ∆x and ∆y
Pairwise Alignment step
Calculate DTW distances of all reference signatures
Create a matrix to record all calculated distance values
Calculate the minimum distance for each row
Derive the average minimum value, avg(dmin(RID))
Distance Normalization step
To restrict the distance values in a certain range of variation
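[Figure: Genuine Training Sigs and Forged Training Sigs are each compared with the Reference Sigs, giving dmin(GTr, RID) and dmin(FTr, RID); dividing by avg(dmin(RID)) gives the normalized values dmin(GTr, RID)/avg(dmin(RID)) and dmin(FTr, RID)/avg(dmin(RID)), shown together with the Separating Boundary]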
Verification step
Login signatures go through all aforementioned steps
Including distance calculation and normalization
Normalized value will be compared with boundary value
If smaller than boundary --> authentic
Otherwise --> forged signature
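
The workflow on the preceding slides (feature selection, pairwise alignment, distance normalization, boundary check), as an added Python example that is not the USign prototype's code. The pen paths are constructed, the boundary 1.25 is one of the values in the evaluation table, and excluding each reference's zero self-distance from the row minimum is an assumption.

```python
import math

# Constructed pen movements for one signer; not SVC2004 data.
BASE = [(10, 0), (10, 10), (0, 10), (-10, 10), (-10, 0), (-10, -10), (0, -10)]

def pen_path(scale, steps=BASE):
    """Build constructed (x, y) touch points from a list of pen movements."""
    pts = [(0.0, 0.0)]
    for dx, dy in steps:
        pts.append((pts[-1][0] + scale * dx, pts[-1][1] + scale * dy))
    return pts

def deltas(points):
    """Feature selection: (dx, dy) between consecutive sampled points."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]

def dtw(a, b):
    """DTW distance between two delta sequences, Euclidean local cost."""
    prev = [0.0] + [math.inf] * len(b)
    for p in a:
        cur = [math.inf]
        for j, q in enumerate(b, 1):
            cur.append(math.dist(p, q) + min(prev[j], prev[j - 1], cur[j - 1]))
        prev = cur
    return prev[-1]

def d_min(sig, refs):
    """Smallest DTW distance from one signature to the reference set."""
    return min(dtw(sig, r) for r in refs)

def enroll(reference_points):
    """Pairwise alignment: row minimum per reference, then avg(dmin(RID))."""
    refs = [deltas(p) for p in reference_points]
    # Assumption: the zero self-distance on the diagonal is excluded.
    rows = [d_min(r, refs[:i] + refs[i + 1:]) for i, r in enumerate(refs)]
    avg = sum(rows) / len(rows)
    if avg == 0:
        raise ValueError("identical references give no usable scale")
    return refs, avg

def verify(points, refs, avg_dmin, boundary=1.25):
    """Normalize the login distance; smaller than the boundary is authentic."""
    score = d_min(deltas(points), refs) / avg_dmin
    return score, score < boundary

def demo():
    refs, avg = enroll([pen_path(s) for s in (0.95, 1.0, 1.05)])
    genuine = pen_path(1.09, [BASE[0]] + BASE)  # same shape, one extra sample
    forged = pen_path(1.0, [(-dx, dy) for dx, dy in BASE])  # mirrored shape
    return verify(genuine, refs, avg), verify(forged, refs, avg)
```

The genuine login has one more sample than any reference, which DTW absorbs by warping; the rejection of identical references guards against an enrollment set that would make every normalized score undefined.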
System Evaluation
Experiment Methodology
Use SVC2004 Task1 dataset as the data source
40 writers, 40 signatures for each writer
The first 20 are genuine sigs, and the rest are forgery sigs
| Data Set | Type | Each User | Total Size |
|---|---|---|---|
| Reference | Genuine | 12 | 480 |
| Training | Genuine/Forgery | 2/2 | 160 |
| Test 1 | Genuine | 6 | 240 |
| Test 2 | Forgery | 18 | 720 |
Error Rate
False Rejection Rate (FRR) / False Acceptance Rate (FAR)
Equal Error Rate (EER)
EER for this DTW method with the given data source is close to 5.6%
| Separating Boundary | FRR | FAR |
|---|---|---|
| 1.20 | 11.7% | 4.2% |
| 1.25 | 5.83% | 5.4% |
| 1.30 | 4.17% | 7.2% |
| 1.35 | 4.17% | 10.3% |
System Usability
10 students are randomly recruited to test this system
Q1: Is this eConsent system easy to use?
Q2: Would you like to use it in the future?
Q3: Do you feel secure using your signature to login the system?
Q4: Do you have some concerns regarding it?
| Questions | # of Yes | # of No |
|---|---|---|
| Question 1 | 8 | 2 |
| Question 2 | 9 | 1 |
| Question 3 | 9 | 1 |
| Question 4 | 2 | 8 |
System Usability
Two concerns
C1: Somebody may forge my signature to log into the system
C2: Troublesome registration
Our future plan
Conduct more extensive usability evaluation on a larger scale to understand those user concerns we may not be aware of
Improve the system usability based on the evaluation feedback
Present a security enhanced eConsent model, USign
Strengthening the identity protection and authentication
Develop a prototype of USign
Conduct preliminary evaluation on system accuracy/usability
Evaluation results show the feasibility of proposed model