Introduce randomness in keypress timings

oshwm oshwm at openmailbox.org
Wed Oct 7 14:36:50 PDT 2015


On 07/10/15 17:48, Michael Nelson wrote:
> 
> 
> 
>> It is surprising to know that Javascript is fast enough not to have
>> an impact on system performance when monitoring the keystroke
>> timing!
> 
> Well it does have an impact, but not enough to ruin things.  Of
> course it's not just js itself, but the browser, which swaps things
> in and out to do lots of things whenever it feels like it.
> 
> As requested, here are some details.  This is more technical than
> political, but may be of interest.  

Technical is fine, there are a lot of political discussions on here but
I don't think it's by design, just a side effect :)

> This concerns keystroke dynamics
> on a phrase known by the auth server, not the general background
> stuff. So we are not really talking about the passive
> spying/monitoring here, but rather a potential product. So after I
> wrote my keystroke dynamics proof-of-concept I discovered that the
> statistical technique had been patented 25 years before (the patent
> had expired), which validated my approach... Mine had some extra
> twizzlers though.
> 
> 
> At Web browser-based initialization, the user sets a reference
> challenge word, say, "foobar". She must then enter some samples.  For
> each sample, a vector of 12 time values is created, one for each
> keyDown and keyUp event.  Some subtlety is needed in the programming,
> as keyUp on F might occur before keyDown on O on one sample, but
> after on the next.  We would like to compare apples to apples.
> 
> So we have a sample from the population of vectors as generated by
> the human.  When authentication is checked, we must measure the
> distance of our trial vector, from the population.  For this I used
> the Mahalanobis distance.  Mahalanobis was a well-known Indian
> statistician who in the 1930s designed a test in order to help
> anthropologists decide whether skull fragments found in caves matched
> each other.  This test measures the distance between each pair of
> entries in a vector.  So F-down and F-up are compared, and also
> F-down and A-down are compared.  Crucially, the distributions for
> each pair are normalized.  The vectors can have any numerical data in
> the components.  It can be used in botany with leaf area, weight,
> rainfall, etc.  It works beautifully for typing patterns.  Notice
> that we don't need to extract "dwell" times for keys, but all the
> same info is there in the more primitive array.
> 
> I set a configurable threshold of 20 for the distance triggering
> secondary authentication.  If I typed with proper focus, I would get
> distance of say around 4.  If someone else typed they would get say
> 70 or 150.  These are just typical examples.  It worked fine.  Here
> are some things I learned.
> 
> 1. It's very hard to test objectively to make a business case.  Why?
> Well if you go around the cubicles asking people to try it, you might
> get some people testing it on a laptop they don't normally use, or
> using some sort of random typing, on a string that they don't have an
> established pattern for.  I realized that KD is not magic.  Just as
> you would not expect to type a normal password "123456" by mashing
> the keys randomly, you have to consciously type in your official
> pattern for KD to work.  It is well-known that the best words for KD
> are things like your own name, for which you have a well-established
> pattern.  Now you see one of the reasons that this stuff has not
> taken off.  You might assiduously set the samples (or have passive
> background capturing working) on your usual desktop.  Then it will
> fail when you hunt-and-peck on your laptop.
> 
> 2. I had a mobile developer add in touchscreen events for an iPhone
> test.  This uses character and time, and also x and y co-ordinates
> for both press and release (there is some drag).  The future will
> bring force.  The beauty of Mahalanobis is that these just go right
> in and work immediately.  Well, the stats do.  Dealing with these
> big fat vectors is not trivial.  I proved that it would work
> (actually it could not fail), but did not complete the mobile
> version.
> 
> 
> 3. I hacked the stats out in C.  Interestingly, for me it was harder
> getting the online demo going with the Web page, jQuery, PHP, and
> MySQL, than implementing the actual Mahalanobis test.  Maybe I should
> set the demo up for folks to try.
> 
> 4. Twizzlers.  One is that I allowed arbitrary shifty characters in
> my phrase.  So in fact our user could simply tap her favorite rhythm
> on the Ctrl key, for her authentication factor.  Worked fine.
> 
> 5. Hope the above was of interest...
> 

Definitely, thanks for writing it up.

> 
> 
> mn
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20151007/5ae8e9a2/attachment-0002.sig>
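The enrolment and check that the quoted post describes, as an added worked example; this is not Michael Nelson's code (his was C behind a PHP/MySQL demo) and everything in it is an assumption of this example: the event tuples `(key, "down"|"up", t_ms)` standing in for a browser's keydown/keyup stream, the ridge term that keeps the covariance invertible, the synthetic typists, and the sample sizes. It builds the 12-slot vector for "foobar" by matching each keyup to its own key rather than trusting arrival order (the F-up-before-or-after-O-down point in the post), fits a mean and covariance from enrolment samples, and scores a trial with the Mahalanobis distance against the post's threshold of 20.

```python
"""Keystroke dynamics on a fixed phrase: enrol timing vectors, then score a trial
with the Mahalanobis distance.  Pure Python; all timings below are constructed."""
import math
import random

def event_vector(events, phrase):
    """2*len(phrase) offsets in ms since the first keydown: slot 2*i is the keydown
    of phrase[i], slot 2*i+1 its keyup.  Events are matched per key rather than in
    arrival order, so an 'f' keyup landing after the 'o' keydown (rollover) changes
    the values but never which slot holds which event.  `events` are tuples
    (key, "down"|"up", t_ms) in the order a browser delivered them (assumed shape)."""
    downs = sorted((e for e in events if e[1] == "down"), key=lambda e: e[2])
    ups = sorted((e for e in events if e[1] == "up"), key=lambda e: e[2])
    if len(downs) != len(phrase) or len(ups) != len(phrase):
        raise ValueError("event count does not match phrase length")
    t0, vec = downs[0][2], []
    for i, ch in enumerate(phrase):
        d = downs[i]
        if d[0] != ch:
            raise ValueError("typed text does not match the reference phrase")
        # A key cannot go down again before it comes up, so the earliest unconsumed
        # keyup of this key at or after its keydown is its release.
        u = next((u for u in ups if u[0] == ch and u[2] >= d[2]), None)
        if u is None:
            raise ValueError("missing keyup for %r" % ch)
        ups.remove(u)
        vec.extend([d[2] - t0, u[2] - t0])
    return vec

def _invert(m):
    """Gauss-Jordan inverse with partial pivoting; m is a square list of rows."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-12:
            raise ValueError("singular covariance: enrol more samples or raise ridge")
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

class KeystrokeProfile:
    """Mean and inverse covariance of one user's enrolment vectors."""

    def __init__(self, samples, ridge=1e-3):
        n, d = len(samples), len(samples[0])
        if n < 2:
            raise ValueError("need at least two enrolment samples")
        self.mean = [sum(s[j] for s in samples) / n for j in range(d)]
        cov = [[0.0] * d for _ in range(d)]
        for s in samples:
            diff = [s[j] - self.mean[j] for j in range(d)]
            for i in range(d):
                for j in range(d):
                    cov[i][j] += diff[i] * diff[j] / (n - 1)
        # Ridge keeps S invertible: slot 0 is 0 in every sample, and with fewer than
        # d+1 samples S is rank deficient (then ridge must be of timing-variance size).
        for i in range(d):
            cov[i][i] += ridge
        self._inv = _invert(cov)

    def distance(self, vec):
        """sqrt((x-mu)^T S^-1 (x-mu)): how many enrolment 'standard deviations' away."""
        diff = [v - m for v, m in zip(vec, self.mean)]
        q = sum(diff[i] * self._inv[i][j] * diff[j]
                for i in range(len(diff)) for j in range(len(diff)))
        return math.sqrt(max(q, 0.0))

def authenticate(profile, events, phrase, threshold=20.0):
    """Accept the trial if it lies within `threshold` of the enrolled population."""
    return profile.distance(event_vector(events, phrase)) <= threshold

def synth_typing(phrase, gap_ms, dwell_ms, rng):
    """Constructed typist: mean key-to-key gap and dwell plus Gaussian jitter.  Dwell
    close to the gap produces the rollover ordering event_vector must cope with."""
    events, t = [], 0.0
    for ch in phrase:
        events.append((ch, "down", t))
        events.append((ch, "up", t + max(5.0, rng.gauss(dwell_ms, 8))))
        t += max(20.0, rng.gauss(gap_ms, 10))
    return sorted(events, key=lambda e: e[2])  # arrival order, as a browser sends them

def demo(seed=7):
    """Enrol 40 owner samples of "foobar", then score one more owner sample and one
    from an impostor with a slower, heavier rhythm (all figures are assumptions)."""
    phrase, rng = "foobar", random.Random(seed)
    owner = [event_vector(synth_typing(phrase, 110, 100, rng), phrase) for _ in range(40)]
    profile = KeystrokeProfile(owner)
    genuine = profile.distance(event_vector(synth_typing(phrase, 110, 100, rng), phrase))
    impostor = profile.distance(event_vector(synth_typing(phrase, 250, 150, rng), phrase))
    return genuine, impostor
```

The distance is measured in units of the enrolment spread, so a genuine trial on this 12-slot vector (one slot is the zero reference) lands near sqrt(11), about 3.3, which is consistent with the "around 4" in the post, while a different rhythm is tens of units away. The check needs more enrolment vectors than vector slots: with fewer, the sample covariance is singular and the tiny ridge alone turns any deviation in an unsampled direction into a rejection, so either collect more samples or regularise toward the diagonal. The mobile extension the post mentions (x, y, and eventually force, per press and release) is just more slots in the same vector, provided the enrolment count grows with them.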