On Thu, Jun 29, 2000 at 09:12:42AM -0400, Benjamin M. Brewer wrote:
> 
> 
> 
> On Thu, 29 Jun 2000, John Young wrote:
> 
> > The NY Times reports today on an encryption product
> > which has a biometric password set by typing rhythm -- speed,
> > key-hit impact, pattern, maybe a few more. Developed by Net
> > Nanny, the producer claims no two people type exactly the 
> > same way. Its called BioPassword. The product is to be used
> > by Musicrypt.com to protect music files.

There's no way to determine key impact (how hard you hit
the keys) with normal keyboards.  Music keyboards measure
key velocity, but computer keyboards don't.

Normal computer keyboards send make/break info to the OS.  There is
a keycode that's sent when the key is pressed down hard enough to close
the switch, and a keycode sent when the switch is released.

between key strikes and the length of time that the keys are held down.
Some keys share the same keycodes, depending on the keyboard.
They're always the less commonly used keys (i.e. scroll lock) on
the 101 key layout, and most people don't use them for passwords.

Most normal keyboards use dedicated simple chips like the 8051 and
do nothing but process keystrokes in real time and accept a few PS/2
commands.  Some keyboards that also do other things (like read smartcards)
use more sophisticated chips, may be doing other things at the same time
and may not report the keycodes in 100% real time.


BioPassword's marketing literature contains some howlers, notably the
prices they claim for competing technology... fingerprint scanners cost
$1200?  More like 1/10th of that.   Their explanation of false accept
vs false reject is good except where they say that in a high-security
application you would want to tune the false reject to 30-40% to get the
false accept below 1%.  This tells me that the basic technology has a
pretty high false reject rate and also would cause a problem when combined
with their recommendation to lock the machine after three rejects...
having the workstation lock up on 5%+ of logins would be unacceptable
in most production environments (but hey, it's secure!).

They also require you to type in your password 15-18 times for enrollment.
An advantage to that is that in the process of typing the same word in
many times you develop a pattern, and hopefully you will type in the same
pattern in the future.  That would increase the accuracy of the biometric.

> I'm not sure about you, but I know for sure that I don't always type the
> same. If I am pissed, I'll end up hitting the keys harder than if I
> wasn't (even though I do not mean to). Pattern? If a word (or
> phrase) needs to be typed, people have to do it in the 'correct order' or
> it makes no sense - The only pattern (that I can think of) is the number
> of "Backspace" VS. "productive keys".
> 
> Another thing to note, is that although these seem really secure - people
> can 'train' themselves on how to type. We all originally learned (well,
> _most_ of us) at one point in time - why couldn't someone muster up the
> concentration to learn to type like their friend (or boss)?

Learning how someone types and repeating it well enough to fool the
algorithm might be easier to 'shoulder surf' than getting the keys
themselves, especially for people who are hunt and peck typists.
I think it'd be pretty hard for fast typists and longer passphrases.


Biopassword/NetNanny says that they bought the patents from SRI.

There's possibly a DOS attack by loading the OS down to make the
timing of the keycode arrivals inaccurate.

I don't think that it's as wonderful as their marketing literature
says (no surprise there, hype is what marketing literature is for)
but it still would be a good way to increase the entropy of passwords.
Easily-guessable passwords are still very common after all these years
of running crack and trying to educate users, so anything that increases
the entropy is good.

A final note is that since the keystroke biometric s/w has to run in
the low-level driver, this can't be used for remote authentication, only
local.


-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
    Security consulting: security models, reviews, protocols, crypto.
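The points above about make/break timing, enrolment by repeated typing, the false-reject vs. false-accept trade-off, and timing that degrades when keycodes arrive late can be made concrete with a small model. The following is an added example written for this page; it is not BioPassword's or SRI's algorithm, and every profile, threshold and noise figure in it is constructed. It records only what a keyboard driver could see (press and release timestamps), derives dwell and flight times from them, enrols a template from 15 typings, and then measures FRR and FAR over constructed genuine and impostor attempts, once with clean timestamps and once with each timestamp delayed by up to 80 ms to stand in for a loaded OS.

```python
"""Toy keystroke-dynamics check (added example, not BioPassword's algorithm).

A typing sample is a list of (key, press_ms, release_ms) tuples, one entry per
key of the passphrase in typing order: the make/break timestamps a keyboard
driver could record.  All samples, profiles and thresholds here are constructed.
"""
import random
import statistics


def features(sample):
    """Dwell times (release - press) followed by flight times
    (next press - this release), all in milliseconds."""
    dwell = [release - press for _, press, release in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enrol(samples):
    """Build a template (per-feature mean, std) from repeated typings."""
    vectors = [features(s) for s in samples]
    means = [statistics.mean(col) for col in zip(*vectors)]
    # Floor the spread at 1 ms so a perfectly regular feature cannot divide by zero.
    stds = [max(statistics.pstdev(col), 1.0) for col in zip(*vectors)]
    return means, stds


def score(template, sample):
    """Mean absolute z-score of an attempt against the template (lower = closer)."""
    means, stds = template
    feats = features(sample)
    return sum(abs(x - m) / s for x, m, s in zip(feats, means, stds)) / len(feats)


def accept(template, sample, threshold):
    return score(template, sample) <= threshold


def synth_sample(profile, rng):
    """Constructed typing of a passphrase from a (dwell_means, flight_means) profile,
    with Gaussian variation standing in for a person's natural inconsistency."""
    dwell_means, flight_means = profile
    sample, t = [], 0.0
    for i, d in enumerate(dwell_means):
        press = t
        release = press + d + rng.gauss(0, 8)
        sample.append(("k%d" % i, press, release))
        if i < len(flight_means):
            t = release + flight_means[i] + rng.gauss(0, 12)
    return sample


def add_jitter(sample, rng, max_ms):
    """Delay each make/break timestamp independently by up to max_ms, modelling
    keycodes that reach the driver late from a loaded OS; press stays before release."""
    out = []
    for key, press, release in sample:
        press2 = press + rng.uniform(0, max_ms)
        release2 = max(release + rng.uniform(0, max_ms), press2)
        out.append((key, press2, release2))
    return out


def error_rates(template, genuine, impostor, threshold):
    """(false reject rate, false accept rate) for one threshold over labelled attempts."""
    frr = sum(not accept(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(accept(template, s, threshold) for s in impostor) / len(impostor)
    return frr, far


# Constructed profiles: a fast touch-typist (the enrolled user) and a slower
# hunt-and-peck impostor typing the same eight-key passphrase.
USER = ([90, 110, 80, 120, 95, 100, 85, 105], [60, 140, 50, 180, 70, 120, 90])
IMPOSTOR = ([150, 140, 160, 130, 155, 145, 150, 140], [250, 220, 300, 240, 260, 280, 230])


def demo(threshold=2.0, jitter_ms=80.0, seed=7):
    """Return {'clean': (FRR, FAR), 'loaded': (FRR, FAR)} for the constructed data."""
    rng = random.Random(seed)
    template = enrol([synth_sample(USER, rng) for _ in range(15)])  # 15 enrolment typings
    genuine = [synth_sample(USER, rng) for _ in range(100)]
    impostor = [synth_sample(IMPOSTOR, rng) for _ in range(100)]
    clean = error_rates(template, genuine, impostor, threshold)
    # The same genuine attempts with late-arriving keycodes: FRR rises, FAR is unchanged.
    jittered = [add_jitter(s, rng, jitter_ms) for s in genuine]
    loaded = error_rates(template, jittered, impostor, threshold)
    return {"clean": clean, "loaded": loaded}


if __name__ == "__main__":
    for name, (frr, far) in demo().items():
        print("%-6s FRR=%.2f FAR=%.2f" % (name, frr, far))
```

Lowering `threshold` tightens the match and drives FRR up long before FAR moves, which is the trade-off the marketing literature describes; the `loaded` row shows that degraded timestamp accuracy lands entirely on the false-reject side, so a lock-after-three-rejects policy turns a busy machine into an availability problem rather than a security one.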

