Introduce randomness in keypress timings

Michael Nelson nelson_mikel at yahoo.com
Tue Oct 6 13:15:39 PDT 2015


Alternatively all keystrokes could be done with fixed timing.  The point is that no individual pattern should be discernable.  There are more subtle aspects, such as jitter from perfectly regular timing, which could identify the machine/browser being used.  With added randomness, such jitter would be harder to discern.  Also, you would ideally not want eavesdroppers to know that you are obfuscating your keystrokes, and obfuscating via randomness, as opposed to fixed timing, would help with that.

There are quite a few companies selling keystroke dynamics products as an authentication factor.  There are also various efforts, such as one started at Stanford a few years ago, to monitor all aspects of a person's input, for continuous background authentication.  Not sure how that one's going.  Keystroke dynamics normally works on a short chosen phrase.  The latter stuff is more ambitious and extends that to arbitrarily long text, along with grammatical patterns, etc.  There is nothing new here.


After evaluating several products for a company I worked for, I built a keystroke dynamics product myself -- it was less work than going through the pain of registering for a trial of their software!  It was never used, for the same reason that kd is not used much -- it's more trouble than it's worth. It worked as well as any of the products being sold.

Though a key down or key up event from the Windows operating system has a timestamp in it (the OS will not give you more than a certain accuracy, but it's adequate), that timestamp is discarded and not available in JavaScript.  My JavaScript solution calls for a new Date as soon as it captures a key event.  People selling this stuff say that as there is too much potential lag between the key event and the time thus associated, JavaScript is not good.  The best thing is something like an ActiveX plugin or a native client in C that can capture the timestamp from the OS.  The next best thing was touted as Flash.  However, mine worked very well.

If anyone is interested I will describe in simple terms how one tests the keystroke vectors, and some of the challenges.

mn
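
The two options contrasted in the message above (fixed timing versus added randomness), as an added example that is not part of the original post: key-down timestamps are buffered and released either on a fixed tick or after a random delay. The function names, the sample timestamps and the delay bounds are assumptions made for illustration.

```javascript
// Added illustration; every name and value here is hypothetical.

// Constructed sample: key-down timestamps (ms) for one typed phrase.
const SAMPLE_KEYDOWNS = [0, 142, 251, 460, 538, 790, 905, 1130];

// Inter-key intervals: the timing vector a keystroke-dynamics matcher compares.
function intervals(times) {
  return times.slice(1).map((t, i) => t - times[i]);
}

// Uniform integer in [lo, hi]; uses Web Crypto when present, else Math.random.
function randInt(lo, hi) {
  const c = globalThis.crypto;
  const u = c && c.getRandomValues
    ? c.getRandomValues(new Uint32Array(1))[0] / 2 ** 32
    : Math.random();
  return lo + Math.floor(u * (hi - lo + 1));
}

// Fixed timing: each key is held until the next free clock tick.
// Every interval becomes a multiple of `period`, so the typist's rhythm is
// gone, but the regular grid shows an observer that timing is being altered.
function releaseFixed(times, period) {
  let last = -Infinity;
  return times.map((t) => {
    const tick = Math.ceil(t / period) * period; // first tick at or after the keypress
    last = Math.max(tick, last + period);        // never two keys on one tick
    return last;
  });
}

// Random timing: each key is held for a fresh random delay after the later of
// its own keypress and the previous release, so order is preserved and no key
// is released before it was typed.
function releaseRandom(times, minDelay, maxDelay) {
  let last = -Infinity;
  return times.map((t) => {
    last = Math.max(t, last) + randInt(minDelay, maxDelay);
    return last;
  });
}

console.log('original:', intervals(SAMPLE_KEYDOWNS));
console.log('fixed   :', intervals(releaseFixed(SAMPLE_KEYDOWNS, 150)));
console.log('random  :', intervals(releaseRandom(SAMPLE_KEYDOWNS, 40, 160)));
```

Both schemes trade latency for privacy: with delays shorter than the typist's own gaps, part of the original rhythm still shows through in the released intervals.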
