Introduce randommess in keypress timings
It is surprising to know that JavaScript is fast enough not to have an impact on system performance when monitoring the keystroke timing!
Well it does have an impact, but not enough to ruin things. Of course it's not just js itself, but the browser, which swaps things in and out to do lots of things whenever it feels like it.

As requested, here are some details. This is more technical than political, but may be of interest.

This concerns keystroke dynamics on a phrase known by the auth server, not the general background stuff. So we are not really talking about the passive spying/monitoring here, but rather a potential product. So after I wrote my keystroke dynamics proof-of-concept I discovered that the statistical technique had been patented 25 years before (the patent had expired), which validated my approach... Mine had some extra twizzlers though.

At Web browser-based initialization, the user sets a reference challenge word, say, "foobar". She must then enter some samples. For each sample, a vector of 12 time values is created, one for each keyDown and keyUp event. Some subtlety is needed in the programming, as keyUp on F might occur before keyDown on O on one sample, but after on the next. We would like to compare apples to apples.

So we have a sample from the population of vectors as generated by the human. When authentication is checked, we must measure the distance of our trial vector, from the population. For this I used the Mahalanobis distance. Mahalanobis was a well-known Indian statistician who in the 1930s designed a test in order to help anthropologists decide whether skull fragments found in caves matched each other. This test measures the distance between each pair of entries in a vector. So F-down and F-up are compared, and also F-down and A-down are compared. Crucially, the distributions for each pair are normalized. The vectors can have any numerical data in the components. It can be used in botany with leaf area, weight, rainfall, etc. It works beautifully for typing patterns. Notice that we don't need to extract "dwell" times for keys, but all the same info is there in the more primitive array.

I set a configurable threshold of 20 for the distance triggering secondary authentication. If I typed with proper focus, I would get distance of say around 4. If someone else typed they would get say 70 or 150. These are just typical examples. It worked fine. Here are some things I learned.

1. It's very hard to test objectively to make a business case. Why? Well if you go around the cubicles asking people to try it, you might get some people testing it on a laptop they don't normally use, or using some sort of random typing, on a string that they don't have an established pattern for. I realized that KD is not magic. Just as you would not expect to type a normal password "123456" by mashing the keys randomly, you have to consciously type in your official pattern for KD to work. It is well-known that the best words for KD are things like your own name, for which you have a well-established pattern. Now you see one of the reasons that this stuff has not taken off. You might assiduously set the samples (or have passive background capturing working) on your usual desktop. Then it will fail when you hunt-and-peck on your laptop.

2. I had a mobile developer add in touchscreen events for an iPhone test. This uses character and time, and also x and y co-ordinates for both press and release (there is some drag). The future will bring force. The beauty of Mahalanobis is that these just go right in and work immediately. Well, the stats does. Dealing with these big fat vectors is not trivial. I proved that it would work (actually it could not fail), but did not complete the mobile version.

3. I hacked the stats out in C. Interestingly, for me it was harder getting the online demo going with the Web page, jQuery, PHP, and MySQL, than implementing the actual Mahalanobis test. Maybe I should set the demo up for folks to try.

4. Twizzlers. One is that I allowed arbitrary shifty characters in my phrase. So in fact our user could simply tap her favorite rhythm on the Ctrl key, for her authentication factor. Worked fine.

5. Hope the above was of interest...

mn
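The scheme Michael sketches above, written out as an added illustration (this is not his code; his stats were done in C behind a jQuery/PHP/MySQL demo). It builds the 12-value keyDown/keyUp vector for "foobar" by position in the phrase rather than by arrival order, which is the "apples to apples" subtlety he mentions, enrolls a population of such vectors, and scores a trial vector by Mahalanobis distance against his threshold of 20. Assumptions of mine: a 1.0 ms² ridge term added to the covariance diagonal so that a small enrolment set still gives an invertible matrix, and two constructed synthetic typists (seeded Gaussian jitter on hold and inter-key times) standing in for real keyboard events.

```python
"""Keystroke dynamics as described in the post: a fixed-order keyDown/keyUp
timing vector per sample, an enrolled population of such vectors, and the
Mahalanobis distance of a trial vector from it.  Added illustration, not the
author's C / JavaScript / PHP code."""
import math
import random

PHRASE = "foobar"
THRESHOLD = 20.0  # the post's configurable distance threshold
RIDGE = 1.0       # assumption: small diagonal term (ms^2) so the covariance
                  # stays invertible even with few enrolment samples


def to_vector(phrase, events):
    """Map raw (kind, key, t_ms) events to [down_0, up_0, down_1, up_1, ...].
    Slots are fixed by position in the phrase, not by arrival order, so a
    keyUp on F landing before or after keyDown on O fills the same slot.
    For repeated letters a keyUp goes to the earliest occurrence still held.
    Times are relative to the first keyDown."""
    downs, ups = [None] * len(phrase), [None] * len(phrase)
    next_down, t0 = 0, None
    for kind, key, t in events:
        t0 = t if t0 is None else t0
        if kind == "down":
            if next_down >= len(phrase) or phrase[next_down] != key:
                raise ValueError("typed text deviates from the phrase")
            downs[next_down] = t - t0
            next_down += 1
        elif kind == "up":
            held = [i for i, ch in enumerate(phrase)
                    if ch == key and downs[i] is not None and ups[i] is None]
            if not held:
                raise ValueError("keyUp without matching keyDown: %r" % key)
            ups[held[0]] = t - t0
    if next_down != len(phrase) or None in ups:
        raise ValueError("incomplete sample")
    return [v for pair in zip(downs, ups) for v in pair]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    d = len(m)
    a = [row[:] + [float(i == j) for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        piv = max(range(col, d), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(d):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]


def enroll(samples):
    """Mean vector and inverse covariance of the enrolled vectors; the
    covariance is what normalizes every pair of components against each other."""
    n, d = len(samples), len(samples[0])
    mean = [sum(s[j] for s in samples) / n for j in range(d)]
    cov = [[RIDGE if a == b else 0.0 for b in range(d)] for a in range(d)]
    for s in samples:
        diff = [s[j] - mean[j] for j in range(d)]
        for a in range(d):
            for b in range(d):
                cov[a][b] += diff[a] * diff[b] / (n - 1)
    return mean, invert(cov)


def mahalanobis(vec, mean, inv_cov):
    """sqrt((x - mu)^T Sigma^-1 (x - mu)); the post's accept/step-up statistic."""
    diff = [v - m for v, m in zip(vec, mean)]
    acc = sum(diff[a] * inv_cov[a][b] * diff[b]
              for a in range(len(diff)) for b in range(len(diff)))
    return math.sqrt(max(acc, 0.0))


def synth_sample(rng, hold=80.0, gap=100.0, jitter=8.0):
    """Constructed typist: keys held ~hold ms, ~gap ms between keyDowns, with
    Gaussian jitter; emitted in arrival order, so overlapping keyUp/keyDown
    pairs do occur and to_vector has to sort them out."""
    events, t = [], 0.0
    for i, ch in enumerate(PHRASE):
        down = t + (rng.gauss(0, jitter) if i else 0.0)
        up = down + hold + rng.gauss(0, jitter)
        events += [("down", ch, down), ("up", ch, up)]
        t += gap
    events.sort(key=lambda e: e[2])
    return to_vector(PHRASE, events)


def demo(seed=7, n_samples=40):
    """Enroll a constructed typist, then score one more of her samples and one
    from a slower constructed impostor; returns (genuine, impostor) distances."""
    rng = random.Random(seed)
    mean, inv_cov = enroll([synth_sample(rng) for _ in range(n_samples)])
    genuine = mahalanobis(synth_sample(rng), mean, inv_cov)
    impostor = mahalanobis(synth_sample(rng, hold=120.0, gap=200.0), mean, inv_cov)
    return genuine, impostor


if __name__ == "__main__":
    for who, dist in zip(("genuine", "impostor"), demo()):
        verdict = "accept" if dist <= THRESHOLD else "secondary authentication"
        print("%s: distance %.1f -> %s" % (who, dist, verdict))
```

Running it, the enrolled typist lands a few units from her own population and the slower impostor lands far past 20, mirroring the "around 4" versus "70 or 150" he reports. The first dimension (the first keyDown) is always zero, so without the ridge term the covariance would be singular; with more than about a dozen well-typed samples the ridge hardly matters, but it is the difference between a working prototype and a matrix-inversion error on a sparse enrolment.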
On 07/10/15 17:48, Michael Nelson wrote:
It is surprising to know that JavaScript is fast enough not to have an impact on system performance when monitoring the keystroke timing!
Well it does have an impact, but not enough to ruin things. Of course it's not just js itself, but the browser, which swaps things in and out to do lots of things whenever it feels like it.
As requested, here are some details. This is more technical than political, but may be of interest.
Technical is fine, there are a lot of Political discussions on here but I don't think it's by design, just a side effect :)
This concerns keystroke dynamics on a phrase known by the auth server, not the general background stuff. So we are not really talking about the passive spying/monitoring here, but rather a potential product. So after I wrote my keystroke dynamics proof-of-concept I discovered that the statistical technique had been patented 25 years before (the patent had expired), which validated my approach... Mine had some extra twizzlers though.
At Web browser-based initialization, the user sets a reference challenge word, say, "foobar". She must then enter some samples. For each sample, a vector of 12 time values is created, one for each keyDown and keyUp event. Some subtlety is needed in the programming, as keyUp on F might occur before keyDown on O on one sample, but after on the next. We would like to compare apples to apples.
So we have a sample from the population of vectors as generated by the human. When authentication is checked, we must measure the distance of our trial vector, from the population. For this I used the Mahalanobis distance. Mahalanobis was a well-known Indian statistician who in the 1930s designed a test in order to help anthropologists decide whether skull fragments found in caves matched each other. This test measures the distance between each pair of entries in a vector. So F-down and F-up are compared, and also F-down and A-down are compared. Crucially, the distributions for each pair are normalized. The vectors can have any numerical data in the components. It can be used in botany with leaf area, weight, rainfall, etc. It works beautifully for typing patterns. Notice that we don't need to extract "dwell" times for keys, but all the same info is there in the more primitive array.
I set a configurable threshold of 20 for the distance triggering secondary authentication. If I typed with proper focus, I would get distance of say around 4. If someone else typed they would get say 70 or 150. These are just typical examples. It worked fine. Here are some things I learned.
1. It's very hard to test objectively to make a business case. Why? Well if you go around the cubicles asking people to try it, you might get some people testing it on a laptop they don't normally use, or using some sort of random typing, on a string that they don't have an established pattern for. I realized that KD is not magic. Just as you would not expect to type a normal password "123456" by mashing the keys randomly, you have to consciously type in your official pattern for KD to work. It is well-known that the best words for KD are things like your own name, for which you have a well-established pattern. Now you see one of the reasons that this stuff has not taken off. You might assiduously set the samples (or have passive background capturing working) on your usual desktop. Then it will fail when you hunt-and-peck on your laptop.
2. I had a mobile developer add in touchscreen events for an iPhone test. This uses character and time, and also x and y co-ordinates for both press and release (there is some drag). The future will bring force. The beauty of Mahalanobis is that these just go right in and work immediately. Well, the stats does. Dealing with these big fat vectors is not trivial. I proved that it would work (actually it could not fail), but did not complete the mobile version.
3. I hacked the stats out in C. Interestingly, for me it was harder getting the online demo going with the Web page, jQuery, PHP, and MySQL, than implementing the actual Mahalanobis test. Maybe I should set the demo up for folks to try.
4. Twizzlers. One is that I allowed arbitrary shifty characters in my phrase. So in fact our user could simply tap her favorite rhythm on the Ctrl key, for her authentication factor. Worked fine.
5. Hope the above was of interest...
Definitely, thanks for writing it up.
mn
On Wed, Oct 7, 2015 at 12:48 PM, Michael Nelson <nelson_mikel@yahoo.com> wrote:
4. Twizzlers. One is that I allowed arbitrary shifty characters in my phrase. So in fact our user could simply tap her favorite rhythm on the Ctrl key, for her authentication factor. Worked fine.
Is there anything that tells us how many bits of entropy are found in the brainsong (rhythm, melody) of random users? Such that such a song could be read into passphrase data via software and the PC keyboard controller. What are the requirements of a strong song to reach 80/128/256 bits? Note that it is not necessarily specific keys, but also, or primarily depress length, multiple press, interpress timing, etc.
On Wednesday, 7 October 2015 16:48:49, Michael Nelson writes:
This is more technical than political, but may be of interest.
This has to be the best comment on the content of this list.
--
Regards, Michał "rysiek" Woźniak
Changing GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
On 08/10/15 15:51, rysiek wrote:
On Wednesday, 7 October 2015 16:48:49, Michael Nelson writes:
This is more technical than political, but may be of interest.
This has to be the best comment on the content of this list.
Yep, lots of political stuff on this list but may I bring to your attention sir...
Introduce Randomm[n]ess in Keypress timings
How to buy a root CA certificate
Cryptome has been leaking its user logs for over a year
Cyber Guerilla Warfare, OPSEC, etc...
These have been useful threads and are just a recent selection :) But since when has privacy, anonymity and cryptography been devoid of Politics.
On Thursday, 8 October 2015 16:22:06, oshwm writes:
On 08/10/15 15:51, rysiek wrote:
On Wednesday, 7 October 2015 16:48:49, Michael Nelson writes:
This is more technical than political, but may be of interest.
This has to be the best comment on the content of this list.
Yep, lots of political stuff on this list but may I bring to your attention sir...
Introduce Randomm[n]ess in Keypress timings
How to buy a root CA certificate
Cryptome has been leaking its user logs for over a year
Cyber Guerilla Warfare, OPSEC, etc...
These have been useful threads and are just a recent selection :) But since when has privacy, anonymity and cryptography been devoid of Politics.
You do realise I was being a mild troll right there, right? ;)
--
Regards, Michał "rysiek" Woźniak
Changing GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147
participants (4)
- grarpamp
- Michael Nelson
- oshwm
- rysiek