Introduce randomness in keypress timings
oshwm
oshwm at openmailbox.org
Wed Oct 7 14:36:50 PDT 2015
On 07/10/15 17:48, Michael Nelson wrote:
>
>
>
>> It is surprising to know that Javascript is fast enough not to have
>> an impact on system performance when monitoring the keystroke
>> timing!
>
> Well it does have an impact, but not enough to ruin things. Of
> course it's not just js itself, but the browser, which swaps things
> in and out to do lots of things whenever it feels like it.
>
> As requested, here are some details. This is more technical than
> political, but may be of interest.
Technical is fine; there are a lot of political discussions on here, but
I don't think it's by design, just a side effect :)
> This concerns keystroke dynamics
> on a phrase known by the auth server, not the general background
> stuff. So we are not really talking about the passive
> spying/monitoring here, but rather a potential product. So after I
> wrote my keystroke dynamics proof-of-concept I discovered that the
> statistical technique had been patented 25 years before (the patent
> had expired), which validated my approach... Mine had some extra
> twizzlers though.
>
>
> At Web browser-based initialization, the user sets a reference
> challenge word, say, "foobar". She must then enter some samples. For
> each sample, a vector of 12 time values is created, one for each
> keyDown and keyUp event. Some subtlety is needed in the programming,
> as keyUp on F might occur before keyDown on O on one sample, but
> after on the next. We would like to compare apples to apples.
>
> So we have a sample from the population of vectors as generated by
> the human. When authentication is checked, we must measure the
> distance of our trial vector, from the population. For this I used
> the Mahalanobis distance. Mahalanobis was a well-known Indian
> statistician who in the 1930s designed a test in order to help
> anthropologists decide whether skull fragments found in caves matched
> each other. This test measures the distance between each pair of
> entries in a vector. So F-down and F-up are compared, and also
> F-down and A-down are compared. Crucially, the distributions for
> each pair are normalized. The vectors can have any numerical data in
> the components. It can be used in botany with leaf area, weight,
> rainfall, etc. It works beautifully for typing patterns. Notice
> that we don't need to extract "dwell" times for keys, but all the
> same info is there in the more primitive array.
>
> I set a configurable threshold of 20 for the distance triggering
> secondary authentication. If I typed with proper focus, I would get
> distance of say around 4. If someone else typed they would get say
> 70 or 150. These are just typical examples. It worked fine. Here
> are some things I learned.
>
> 1. It's very hard to test objectively to make a business case. Why?
> Well if you go around the cubicles asking people to try it, you might
> get some people testing it on a laptop they don't normally use, or
> using some sort of random typing, on a string that they don't have an
> established pattern for. I realized that KD is not magic. Just as
> you would not expect to type a normal password "123456" by mashing
> the keys randomly, you have to consciously type in your official
> pattern for KD to work. It is well-known that the best words for KD
> are things like your own name, for which you have a well-established
> pattern. Now you see one of the reasons that this stuff has not
> taken off. You might assiduously set the samples (or have passive
> background capturing working) on your usual desktop. Then it will
> fail when you hunt-and-peck on your laptop.
>
> 2. I had a mobile developer add in touchscreen events for an iPhone
> test. This uses character and time, and also x and y co-ordinates
> for both press and release (there is some drag). The future will
> bring force. The beauty of Mahalanobis is that these just go right
> in and work immediately. Well, the stats does. Dealing with these
> big fat vectors is not trivial. I proved that it would work
> (actually it could not fail), but did not complete the mobile
> version.
>
>
> 3. I hacked the stats out in C. Interestingly, for me it was harder
> getting the online demo going with the Web page, jQuery, PHP, and
> MySQL, than implementing the actual Mahalanobis test. Maybe I should
> set the demo up for folks to try.
>
> 4. Twizzlers. One is that I allowed arbitrary shifty characters in
> my phrase. So in fact our user could simply tap her favorite rhythm
> on the Ctrl key, for her authentication factor. Worked fine.
>
> 5. Hope the above was of interest...
>
Definitely, thanks for writing it up.
>
>
> mn
>
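A worked version of the scheme Michael describes above, added here as an illustration; it is not code from the original thread or from his C/PHP demo. The phrase "foobar" and the threshold of 20 are from the post. Everything else is assumed for the example: the browser event shape {type, key, t} with t in milliseconds, a small ridge term added to the covariance diagonal so it still inverts when there are few enrolment samples, and synthetic dwell/flight typing profiles driven by a seeded LCG in place of real keystrokes. The slot assignment in vectorFromEvents is the "apples to apples" part: a keyUp that arrives before or after the next keyDown lands in the same slot either way, and since the distance code never looks at what the slots mean, the touch x/y values from point 2 could be appended to the same vectors.

```javascript
// Added example (not the original post's code). Assumptions are marked.
const PHRASE = "foobar";
const THRESHOLD = 20;  // distance that triggers secondary auth (value from the post)
const RIDGE = 1.0;     // assumed ridge (ms^2) on the covariance diagonal so it inverts

// Map raw {type, key, t} events onto fixed slots [d0,u0,d1,u1,...] by position in
// the phrase, not arrival order. Returns null for a mistyped/incomplete sample.
function vectorFromEvents(events, phrase = PHRASE) {
  const vec = new Array(2 * phrase.length).fill(null);
  const pending = new Map();  // key -> FIFO of up-slots awaiting a keyup
  let pos = 0;
  for (const ev of events) {
    if (ev.type === "keydown") {
      if (pos >= phrase.length || ev.key !== phrase[pos]) return null;
      vec[2 * pos] = ev.t;
      if (!pending.has(ev.key)) pending.set(ev.key, []);
      pending.get(ev.key).push(2 * pos + 1);
      pos++;
    } else if (ev.type === "keyup") {
      const q = pending.get(ev.key);
      if (!q || q.length === 0) return null;
      vec[q.shift()] = ev.t;
    }
  }
  if (vec.some(v => v === null)) return null;
  return vec.map(t => t - vec[0]);  // times relative to the first keydown
}

// Gauss-Jordan inverse with partial pivoting; null if singular.
function invert(A) {
  const n = A.length;
  const M = A.map((row, i) => [...row, ...Array.from({ length: n }, (_, j) => +(i === j))]);
  for (let c = 0; c < n; c++) {
    let piv = c;
    for (let r = c + 1; r < n; r++) if (Math.abs(M[r][c]) > Math.abs(M[piv][c])) piv = r;
    if (Math.abs(M[piv][c]) < 1e-12) return null;
    [M[c], M[piv]] = [M[piv], M[c]];
    const d = M[c][c];
    for (let j = 0; j < 2 * n; j++) M[c][j] /= d;
    for (let r = 0; r < n; r++) {
      if (r === c) continue;
      const f = M[r][c];
      for (let j = 0; j < 2 * n; j++) M[r][j] -= f * M[c][j];
    }
  }
  return M.map(row => row.slice(n));
}

// Enrolment: mean vector and inverse sample covariance. Slot 0 is identically 0
// and n < 13 samples leave S rank-deficient; the ridge keeps it invertible.
function enrol(samples, ridge = RIDGE) {
  const n = samples.length, p = samples[0].length;
  const m = new Array(p).fill(0);
  for (const s of samples) for (let i = 0; i < p; i++) m[i] += s[i] / n;
  const S = Array.from({ length: p }, () => new Array(p).fill(0));
  for (const s of samples)
    for (let i = 0; i < p; i++)
      for (let j = 0; j < p; j++) S[i][j] += (s[i] - m[i]) * (s[j] - m[j]) / (n - 1);
  for (let i = 0; i < p; i++) S[i][i] += ridge;
  return { mean: m, invCov: invert(S) };
}

// sqrt((x-m)^T S^-1 (x-m)): every pair of slots is compared with its own scale.
function mahalanobis(profile, x) {
  const d = x.map((v, i) => v - profile.mean[i]);
  let q = 0;
  for (let i = 0; i < d.length; i++)
    for (let j = 0; j < d.length; j++) q += d[i] * profile.invCov[i][j] * d[j];
  return Math.sqrt(Math.max(q, 0));
}

// Constructed typing model (not real keystrokes): seeded LCG jitter on dwell/flight.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(1664525, s) + 1013904223) >>> 0; return s / 4294967296; };
}

// Events are emitted in arrival order, so a long dwell puts a keyup after the next keydown.
function synthEvents(profile, rng, phrase = PHRASE) {
  const jitter = () => (rng() * 2 - 1) * profile.jitter;
  const events = [];
  let down = 1000;
  for (let i = 0; i < phrase.length; i++) {
    events.push({ type: "keydown", key: phrase[i], t: down });
    events.push({ type: "keyup", key: phrase[i], t: down + profile.dwell + jitter() });
    down += profile.flight + jitter();
  }
  return events.sort((a, b) => a.t - b.t);
}

// Enrol a practised typist, then score one more of her samples and a hunt-and-peck one.
function demo() {
  const typist = { dwell: 90, flight: 110, jitter: 25 };    // assumed profile, ms
  const stranger = { dwell: 200, flight: 400, jitter: 25 }; // assumed profile, ms
  const rng = makeRng(2015);
  const samples = [];
  for (let i = 0; i < 40; i++) samples.push(vectorFromEvents(synthEvents(typist, rng)));
  const profile = enrol(samples);
  return {
    genuine: mahalanobis(profile, vectorFromEvents(synthEvents(typist, rng))),
    impostor: mahalanobis(profile, vectorFromEvents(synthEvents(stranger, rng))),
  };
}

console.log(demo(), "threshold", THRESHOLD);
```

Run it with node; demo() returns both distances. With 40 enrolment samples the genuine sample scores well under the threshold and the hunt-and-peck sample well over it, the same shape as the 4 versus 70-150 Michael reports. The place where this quietly fails is the one in his point 1: enrol on one keyboard, then present samples from a different one, and the trial vector sits nowhere near the enrolled population no matter how carefully the covariance was estimated.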