Keystroke Dynamics Jarmo Ilonen

Post on 22-Dec-2015

Page 1: Keystroke Dynamics

Jarmo Ilonen

Structure of presentation
- Introduction
- Keystroke dynamics for verification
- Keystroke dynamics for identification
- Commercial system: BioPassword

Page 2: Introduction

- Keystroke dynamics is a biometric based on the assumption that different people type in uniquely characteristic manners
- Conceptually close to signature recognition
- History: 19th-century telegraph operators
- Advantages: completely software based; very high user acceptance
- "Reversing" the process is possible: snooping on secure communications, cracking passwords

Page 3: Features

- Often used
  - Latency between keystrokes
  - Duration of a keystroke (hold-time)
- Seldom used
  - Overall typing speed
  - Frequency of errors
  - Habit of using additional keys (numpad, ...)
  - Capital letters (order of releasing shift and the letter)
  - Force of hitting keys (special keyboard needed)
- Statistics can be global or per keystroke/key-pair

Page 4: Example

[Figure: latencies between keystrokes when writing "password" by three persons]

Page 5: Measuring features

- Measuring is easy
  - Key press and release events
  - Timing them is trivial
- Challenges
  - Users with widely differing typing skills
  - Affected by alertness (sleepy, drunk, ...)
  - Injuries
  - Holding a coffee cup or phone in one hand
  - Changing to a different keyboard

Page 6: Verification & identification

- Verification
  - User authenticated at log-in time
  - Keystroke dynamics measured while the user writes username and password
- Identification
  - Used for continuous user authentication
  - A background process watching the user
  - Potentially locks down the computer or alerts the administration

Page 7: Verification

- Computers with username/password authentication: passwords are often easy to guess or find out
- Motivation for keystroke dynamics
  - Not enough for an attacker to know the username and password
  - Expensive to add key-cards or other biometric systems
- Solution: use keystroke dynamics

Page 8: Verification

- Enrollment (new user or changed password)
  - Write username and password several times
  - Create a keystroke dynamics profile
- No user-visible changes to the login procedure
- Password and typing pattern must both match
- Widely studied; studies differ in the features used and in the classification method

Page 9: Verification example...

- "Computer-access security systems using keystroke dynamics" by S. Bleha et al.
- Uses only the username, no separate password: the username acts as the signature
- Based on latency between keystrokes
- Thirty last valid entries used as the template
- Two classification methods used together
  - Minimum distance classifier
  - Bayesian classifier
  - User rejected only if both fail

Page 10: ... results

- Attackers had a chance to observe valid users
- Majority of errors caused by a minority of users
  - Not used to PC keyboards
  - Inexperienced/slow writers are easy to imitate

                   False reject rate   False accept rate
                   (Type I error)      (Type II error)
  Total attempts   539                 768
  Errors           44                  22
  % error          8.1%                2.8%
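The verification pipeline sketched on pages 5, 8, 9 and 10, as an added Python example; this is not code from the slides, from Bleha et al., or from BioPassword. It derives hold-times and inter-key latencies from press/release events, keeps the last 30 valid attempts as the template (as on page 9), scores an attempt with a mean absolute z-score (one concrete choice for the slides' "minimum distance classifier"; the metric, the threshold values, the minimum enrollment count and the synthetic genuine/impostor typists are all assumptions), and reports the false-reject and false-accept rates of the kind tabulated above. The Bayesian classifier of Bleha et al. is not implemented.

```python
"""Keystroke-dynamics verification with a minimum-distance classifier.

Added example; not code from the slides, BioPassword, or Bleha et al.
Features (slides 3 and 5): hold-time of each key and latency between
consecutive key presses, taken from press/release events.
Template (slide 9): the last 30 valid attempts of the user.
Distance metric, thresholds and the typist models below are assumptions.
"""
import random
from collections import deque
from statistics import mean, pstdev

KEYS_IN_SAMPLE = 8        # length of the typed secret (assumed)
TEMPLATE_SIZE = 30        # "thirty last valid entries used as template"
MIN_ENROLLED = 5          # hypothetical minimum before verification is allowed


def extract_features(events):
    """events: list of (key, press_ms, release_ms) in typing order.
    Returns the hold-times followed by press-to-press latencies."""
    holds = [release - press for _, press, release in events]
    latencies = [events[i + 1][1] - events[i][1] for i in range(len(events) - 1)]
    return holds + latencies


class Template:
    """Per-user profile: per-feature mean and std over the last N valid samples."""

    def __init__(self, size=TEMPLATE_SIZE):
        self.samples = deque(maxlen=size)   # oldest sample drops out automatically

    def enroll(self, feature_vec):
        self.samples.append(feature_vec)

    @property
    def ready(self):
        return len(self.samples) >= MIN_ENROLLED

    def stats(self):
        cols = list(zip(*self.samples))
        return [(mean(c), pstdev(c) or 1.0) for c in cols]   # guard zero std


def distance(template, feature_vec):
    """Mean absolute z-score: how many std-devs the attempt lies from the profile.
    One concrete choice for the slides' 'minimum distance classifier'."""
    return mean(abs(x - m) / s for x, (m, s) in zip(feature_vec, template.stats()))


def verify(template, feature_vec, threshold):
    """Accept only if the typing pattern is close enough. The password itself is
    checked separately and must also match (slide 8)."""
    return template.ready and distance(template, feature_vec) <= threshold


# --- constructed typists (synthetic timing, not measured data) ---------------
def synth_events(rng, hold_mean, lat_mean, hold_sd=12, lat_sd=30):
    """Simulate press/release timestamps (ms) for one typing of the secret."""
    t, events = 0.0, []
    for i in range(KEYS_IN_SAMPLE):
        hold = max(20.0, rng.gauss(hold_mean, hold_sd))
        events.append((f"k{i}", t, t + hold))
        t += max(40.0, rng.gauss(lat_mean, lat_sd))
    return events


def error_rates(threshold, seed=1, trials=500):
    """(FRR, FAR) for one threshold: type I errors on the genuine user, type II
    errors on an impostor who knows the secret but has different timing."""
    rng = random.Random(seed)
    genuine = lambda: synth_events(rng, hold_mean=90, lat_mean=180)
    impostor = lambda: synth_events(rng, hold_mean=130, lat_mean=260)
    tpl = Template()
    for _ in range(TEMPLATE_SIZE):
        tpl.enroll(extract_features(genuine()))
    false_rejects = sum(not verify(tpl, extract_features(genuine()), threshold)
                        for _ in range(trials))
    false_accepts = sum(verify(tpl, extract_features(impostor()), threshold)
                        for _ in range(trials))
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    # Lower thresholds trade false accepts for false rejects, as on slide 10.
    for th in (0.6, 0.8, 1.0, 1.5):
        frr, far = error_rates(th)
        print(f"threshold {th:.1f}: FRR {frr:6.1%}  FAR {far:6.1%}")
```

Running the script prints one FRR/FAR pair per threshold; sweeping the threshold is how a deployment chooses between the two error types, and the "majority of errors caused by a minority of users" observation above corresponds to users whose per-feature standard deviation in the template is large, which widens the accepted region for impostors.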

Page 11: Another verification example...

- "Verification of computer users using keystroke dynamics" by M. S. Obaidat and B. Sadoun
- Numerous classification methods tested
- Tested with features
  - Latencies between keystrokes
  - Durations of keystrokes
  - Both together

Page 12: ... results

- Keystroke durations better than latencies between keystrokes, but both together the best choice
- Neural methods better than statistical
- 0% type I and II errors at best

Page 13: Identification

- Not a useful replacement for username/password authentication
- Background process continuously identifying the user
  - Not too sensitive, but still recognizes users fast
  - If the likelihood of an unauthorized user rises to a certain point, alert the administration or lock the system
- Very few scientific studies
  - Only study found: using only the average and standard deviation of latency between keystrokes ⇒ works for the 4 tested users

Page 14: BioPassword

- User authentication system by the US company BioNet-systems, better known for the NetNanny filtering software
- Designed to replace the default log-in system in Windows NT/2000/XP
- Installed on server and workstations
- Enrollment: write username/password 15 times; template stored on the server
- No user-visible changes to the log-in procedure

Page 15: BioPassword patent

- Very much like the systems in scientific studies
- Uses both latencies between keystrokes and keystroke durations
- Classification method not revealed
- Templates stored in a format which would make continuous authentication simple, but this is not used in the real application (yet?)

Page 16: Reviews of BioPassword

- Good
  - Did not generate false rejects, unless a high security setting was used
  - Nor false accepts, unless a very low security setting was used
  - On the whole, unobtrusive and works well
- Bad
  - Writing username and password 15 times
  - Possible to bypass with the RunAs service
  - Possibility of losing administrator access in case of injury (usually there is more than one administrator)
  - Not suitable for heterogeneous systems (other operating systems)

Page 17: Timing attacks on secure communications

- Guess what was written based on the timings of packets
- Information on keystroke dynamics needed
  - Collect from a specific user
  - Or assume they are the same for all touch-typists
- "Timing Analysis of Keystrokes and Timing Attacks on SSH" by D.X. Song et al.
  - Main interest: cracking passwords

Page 18: Capturing timing information

- SSH sends packets immediately after keystrokes
- No responses while the password is being written: relatively easy to notice

Page 19: Measuring latencies

- Key-pairs divided into several classes: written with separate hands or fingers
- Latencies between the keys in key-pairs measured
- Distributions follow a Gaussian distribution; a Gaussian model is created for all key-pairs

Page 20: (no transcribed text)

Page 21: Information gain from latency

- Upper bound for the information gained from latency: average 1.2 bits/character
- Entropy 0.6-1.3 bits/character for written English, more for passwords
- Relation between latencies and the character sequence modeled as a Hidden Markov Model
- n-Viterbi algorithm used to find the n most likely state sequences of the HMM

Page 22: Password cracking results

- Tested with real timing data of writing 8-character passwords
- Success measured by how large a part of the password space has to be tested before the password is found: 50% without latency information
- Results: average 2.7%, median 1.0%
  - 50-fold decrease in needed time
  - Days instead of months for cracking

Page 23: Conclusions: Verification

- Advantages
  - Cheap, completely software based
  - Works quite well in addition to username/password; possibly also with PIN codes
  - No major changes for users; good user acceptance
  - Mimicking others apparently not easy

Page 24: Conclusions...

- Disadvantages
  - Not a stable biometric: affected by almost everything
  - "Learning" one's own password potentially a problem
  - Hard to implement in "real" computer environments: too many different ways to log in
  - Possible to create a fake keyboard and input a recorded key-sequence as username/password

Page 25: Conclusions: Identification

- Very few scientific studies
- Potential uses where unauthorized persons could access computers in open areas
- Better to lock the computer when not in use and/or use locks on doors

Page 26: Conclusions: Eavesdropping secure communications

- Using keystroke dynamics in the opposite direction: potentially much faster password cracking
- Not a serious threat
  - Probably much easier ways to gain access
  - Works only against good touch-typists
- Measuring timings could be made harder
  - Adding random delays to packets
  - Sending additional empty packets
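The two countermeasures listed above, as an added Python example that is not code from the slides or from any SSH implementation. It models what a passive observer of packet times could still learn about the true inter-key latencies under three policies: sending each keystroke immediately (the page 18 situation), delaying each packet by a random amount, and sending one packet per fixed tick with empty (dummy) packets filling idle ticks. The key-press times, tick length, delay bound and the synthetic typist are constructed values, and the leak measure (Pearson correlation between true latencies and observed inter-packet intervals) is this example's own choice of metric.

```python
"""Hiding keystroke timing on the wire: added example, not code from the
slides or from any SSH implementation.

Slide 26 names two countermeasures: adding random delays to packets and
sending additional empty packets. Both are implemented below, and
`timing_leak` measures what a passive observer of packet times could still
learn about the true inter-key latencies. Key times, tick length, delay
bound and the typist model are constructed values (assumptions).
"""
import random
from statistics import mean, pstdev


def intervals(times):
    return [b - a for a, b in zip(times, times[1:])]


def correlation(xs, ys):
    """Pearson correlation; 0.0 when either side is constant."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)


def send_immediately(key_times):
    """Baseline (slide 18): one packet per keystroke, sent at once."""
    return [(t, False) for t in key_times]


def send_with_jitter(key_times, max_delay_ms, rng):
    """Slide 26, 'adding random delays to packets': each packet is delayed by a
    uniform random amount; packet order is preserved."""
    out, last = [], 0.0
    for k in key_times:
        last = max(last, k + rng.uniform(0, max_delay_ms))
        out.append((last, False))
    return out


def send_constant_rate(key_times, tick_ms, session_end_ms):
    """Slide 26, 'sending additional empty packets': one packet per tick for the
    whole session. A tick carries the oldest queued keystroke if one is waiting,
    otherwise a dummy (empty) packet the observer cannot tell apart."""
    queue, packets, i, t = sorted(key_times), [], 0, 0.0
    while t <= session_end_ms or i < len(queue):
        if i < len(queue) and queue[i] <= t:
            packets.append((t, False))
            i += 1
        else:
            packets.append((t, True))
        t += tick_ms
    return packets


def timing_leak(key_times, packets):
    """Correlation between true inter-key latencies and the inter-packet
    intervals an observer sees (dummy packets look like real ones). 1.0 means
    the latencies are fully exposed, 0.0 that the wire timing carries nothing."""
    seen = intervals([t for t, _ in packets])
    if pstdev(seen) == 0:
        return 0.0                      # constant rate: nothing to correlate
    if len(seen) != len(key_times) - 1:
        raise ValueError("observer cannot align packets to keystrokes")
    return correlation(intervals(key_times), seen)


def delivery_delays(key_times, packets):
    """Extra latency each real keystroke pays under a shaping scheme."""
    real = [t for t, dummy in packets if not dummy]
    return [sent - key for key, sent in zip(sorted(key_times), real)]


# Constructed key-press times (ms) for a short secret; not measured data.
KEY_TIMES = [0, 120, 215, 425, 505, 665, 965, 1055, 1195]


def synth_key_times(rng, n, lat_mean=150, lat_sd=60):
    """Longer constructed session (synthetic latencies) for the jitter scheme."""
    t, times = 0.0, []
    for _ in range(n):
        times.append(t)
        t += max(50.0, rng.gauss(lat_mean, lat_sd))
    return times


def jitter_demo(seed=7, n=200, max_delay_ms=300):
    """Leak measured on a constructed n-key session shaped with random delays."""
    rng = random.Random(seed)
    session = synth_key_times(rng, n)
    return timing_leak(session, send_with_jitter(session, max_delay_ms, rng))


if __name__ == "__main__":
    print("immediate leak:", round(timing_leak(KEY_TIMES, send_immediately(KEY_TIMES)), 2))
    print("jitter    leak:", round(jitter_demo(), 2))
    shaped = send_constant_rate(KEY_TIMES, tick_ms=50, session_end_ms=1300)
    print("constant  leak:", timing_leak(KEY_TIMES, shaped),
          "dummies:", sum(d for _, d in shaped),
          "max added delay ms:", max(delivery_delays(KEY_TIMES, shaped)))
```

Random delay alone lowers the correlation but does not remove it, because each observed interval is still the true latency plus bounded noise; constant-rate sending with dummy packets removes the timing signal entirely, at the cost of cover-traffic bandwidth and up to one tick of added latency per keystroke.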

Page 27: Questions?