CF .NET Signature Biometric

http://www.brains-N-brawn.com/bioSign 10/11/2002 casey chesnut

A dead guy said something to the effect "The greatest inventor of all time ... 'Accident'". Not that this article is going to end in a great invention, its just that this article came about because of an accident (Aside: This article really exists because of my own 'Stupidity' ... but humor me with 'Accident' for my prides sake. Nor could I think of a quote about 'Stupidity', except from George Carlin, but that would require foul-language editing to the point of losing its true meaning). Was standing in a bookstore looking for some interesting books. Skipping over the complete saturation of .NET books and looking to steal (reuse) ideas from other platforms, industries, etc... to apply with .NET. Specifically was looking for the keyword 'Nano'. Repeatedly saw news snippets about nanotechnology, gained interest, and want to know more. Preconception being that nanotechnology will ultimately allow me to overclock myself. Saw the Wiley press book 'Biometrics' and assumed that 'Bio' and 'Nano' were in the same realm, so I grabbed it. Get home and start reading it and discover that its about security. H3LL! I hate security because it slows down progress. Throw the book down in disgust and read about Mobile development instead; until I fall asleep dreaming about revolutionizing drug deals, radar detectors, and stalking with Location Based Services (/noSink ). Then, when I'm leaving work (NOTE off contract now, and looking for something cool) the next day (after beer:30), I realize my phone is not on me. Think to myself "oh well, no booty calls this weekend" and head off to continue the weak brain cell slaughter. Then, the next morning I pick up the Mobile book and start realizing that I cannot develop any of those cool apps because I dont have my phone. No location. No walking up to a coke machine with just my phone and without change. Nothing. Then it hits me 'Fight Club' style: "the phone does not define me". Everything that is needed to identify me is with me all the time. Go dig the discarded Biometrics book out of the corner and start reading. It can be seen somewhere in the 'already read' book stack pic (/gutenberg)


There are 2 main flavors of biometrics: Physiological and Behavioral. Physiological is when you use some body part: thumbprint, hand, iris, face, voice, etc... Whereas behavioral biometrics might be recognizing a persons typing patterns, their signature, the gait when they walk (serious). Physiological is out because they require some physical hardware like a thumb/hand/eye scanner, which done come standard on Pocket PCs. Face scan can be done with just software using existing hardware, but my PPC does not have a camera either ... although some will in the future, so this should be revisited. I know there are some web cams that provide this for desktop PCs. Also, PPCs have a microphone for voice scan, but the quality is probably not good enough to differentiate between voices. Why voice scan wont work great on current cell phones either. As far as behavioral, the 2 main ones are keyboard and signature scan. PPCs dont have a (non virtual) keyboard ... so that is out. The blackberry-esque keyboards probably wont have enough deviation between users to work either. PPCs have a stylus ... so signature scan is all that is left

1st work experience (co-op out of high school) was actually on a biometric system for making the ID badges for Argentina (Wiley p.215). Used thumbprints, signature images, and facial images. Not to mention magnetic stripes and barcodes. They would not let me code back then ... I was the printer-boy. NOTE we never referred to it as a biometrics back then ... else, maybe they only spoke in layman terms for the printer-boy. I would get behind a 21-inch monitor (rare back then) at the end of the corridor; have one window using a video cam as surveillance to show my boss approaching and have another window playing a mod'd version of Nibbles (qbasic snake game) without pc speaker sound and some other tricks ... else, Gorilla with the exploding bananas


Dont like being a copycat, so I scanned for pre-existing material 1st. Found a commercial product, but it was not .NET. Found some stuff on CF .NET newsgroups where people were saving images of signatures. Used to prove that somebody signed, but not a biometric. Found a great article on DevBuzz.com in which he doesnt save the signature as an image, but as a textual representation instead; closer, but still not a biometric. Did not find any other prior art, so I continued

Signature Scan

You immediately think signature scan wont work because signatures can be forged. Not so fast, signature scan does not just rely on the resulting scribble we call a signature, it also relies on time related metadata collected when the signature was made. The line from Wiley (p.126) "Specific details recorded by signature-scan may include the total time taken to sign, the ration of pen-up to pen-down time, the speed of the strokes, the pressure applied, the number and direction of the strokes, and the total size of the signature, among other variables". So a forger would have to recreate your signature within some window of time while applying the correct pressure. All of this template metadata can be obtained on a Pocket PC, except for 'pressure applied'. This metadata is then recorded, so when somebody wants to access some secured feature, they are prompted with a signature box. They sign, and if the signature falls within the thresholds of the metadata, then the signature is verified and they are granted access. More secure than a password; especially if what is being signed is a top secret password, instead of just somebody's name. The saboteur would have to know the password, how it was signed, and how quickly to sign the password. This is common in the biometric field, to stack biometrics together (e.g. thumb scan and voice scan to gain access through a secured door). Faking one is possible, but faking two becomes exponentially more difficult. The other benefit I see, is that this would keep me from operating my PPC while I am drunk; cause I have no problems recalling passwords, but looking at past bar tabs show that my signature goes to cr4p. That is the problem with PPCs, you can carry them in to drinking establishments


Before a persons signature can be verified, they have to register. Registration consists of them signing a couple times in a row. These signatures should be somewhat similar. If a user signs 'ABC', then '123', then 'X'; the system should see that their is too much variation and make the user re-register. Since a users signature can vary, you might have them sign once a day over a couple day period. To record this metadata of the signature, I started from the Scribble sample in Beta 1 of CF .NET. This had the code for getting stylus interactions with the screen. Then all I did was record the raw signature data to a DataSet. The DataSet has 3 tables: RawSignature - Strokes - Points. The user will have many registration signatures. A Signature can have many Strokes. Strokes have a begin and an end time. A Stroke can have many Points. A Point has an x and y value. That's it. Obviously, pressure applied would be recorded here too if that was possible. NOTE: initally used DateTime.Now (DateTime) for the timing data, but it was not granular enough on the PPC, so ended up using DataTime.Now.Ticks (long). This is the raw signature data of me signing 'K C' 3 times: registration.xml 


From the raw data, a template is generated. It would have the metadata values of your average signature. I deviated a little from this (for no particular reason) and made one template per raw signature, to allow people to have radically different signature styles. The metadata is all obtained from the raw signature data. Added 2 more tables to the DataSet to hold this data: SigTemplate - StrokeTemplate. For the Signature, the metadata collected includes: total signing time, pen up time, pen down time, height, width, number of strokes, number of points, length, direction, and speed. Direction is obtained by doing some fake trig logic between points to figure out the basic angle at which a user signs (e.g. slanting to the left or to the right). Length is a metric I made up, by adding the distance between all points. Assumed Wiley meant height and width when saying signature size. For Strokes, I collected stroke time, length, direction, speed, and number of points. Keeping the individual stroke metadata would allow for a stronger verification algorithm, although I end up not using it. NOTE some of the metadata I collect could be derived and I duplicate it for simplicity. This is the template metadata from me signing 'K C' above: template.xml


Finally, we have the metadata to compare against, so now we need somebody to sign on the dotted line. When you sign, the metadata for that signature is generated, and then it is compared to the template(s) that was generated from registration. For each metadatum (is that a word?), if the new datum falls within some defined threshold (e.g. + or - 1 stroke for number of strokes OR + or - 1 second for total signing time), then the signature is deemed valid. Since I have multiple templates, I compare it against all of them globally (not individually). A stronger algorithm would have one template OR compare against templates atomically. Also, I dont compare against all of the data collected, not to mention the thresholds could be lowered. The following videos show how some signatures might fail verification AND then how a signature is registered and then verified

verification signature
videos of bioSign in use


C# source Worked on it over 3 days. Feel free to clean this up and make it into an actual control, please contribute back if you do. I would like to be signing passwords in my PPC anyday now. It actually feels more natural then jotting a password


Might revisit for face scan and voice scan on the Pocket PC. As far as nanotechnology, I have a book by my bed about 'Bioinformatics' ... so hopefully that will end up being closer? Read a I18N a G10N book, so I'm thinking of making my pr0n site (offline) multi-lingual (not that the pics arent descriptive enough) for its inevitable return. Finally, the next couple weeks/month are going to be spent grok'ing the WSDK and associated specs. Later