From: Bigby Findrake
Date: Thu, 21 Mar 2002 15:57:17 -0800 (PST)
Subject: Re: Safe SSH logins from public, untrusted Windows computers
In-Reply-To: <20020319175854.N14039-100000@cithaeron.argolis.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Tue, 19 Mar 2002, Matt Piechota wrote:

> On Tue, 19 Mar 2002, Roelof Osinga wrote:
>
> > So you take, say, 'Mary had a little lamb' as test sentence and then both
> > that sentence as well as the timing digest or even the individual samples
> > get transmitted as the "user ID".
>
> The only problem I see is keyboards being different. I personally type
> much quicker on IBM101 (the old-school ones) than my laptop.

I've thought about this, and here is a problem I see. If you're using
this across a network, you can't accurately measure time between strokes
because of unpredictable network latency. This means that you would have
to run special software on the client (Java or otherwise) to calculate the
"timing signature" and then pass that along to the server. To my thinking,
this signature would be susceptible to replay attacks, and so you're back
to square one.

While not novel, I think it's a wonderful idea, a new twist on biometrics.
I'm just not sure how valuable it would be in an untrusted environment.

/-------------------------------------------------------------------------/
  If all else fails, immortality can always be assured by spectacular
  error.
                -- John Kenneth Galbraith

  https://home.ephemeron.org/~bigby/pgp_key.txt
/-------------------------------------------------------------------------/
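
The replay concern in the message above, as an added example that is not part of the original post: a server that accepts a client-computed timing vector cannot tell fresh typing from a resubmitted capture. The enrolled profile, the threshold, the sample values and the duplicate-digest check are all assumptions made for illustration.

```python
import hashlib

# Constructed sample data: inter-key intervals in milliseconds for a fixed
# test sentence. None of these values come from the original message.
ENROLLED = [112, 95, 140, 88, 101, 133, 97, 120]
THRESHOLD_MS = 15.0  # assumed acceptance threshold (mean absolute deviation)


def matches_profile(sample, profile=ENROLLED, threshold=THRESHOLD_MS):
    """Compare a client-reported timing vector with the enrolled profile."""
    if len(sample) != len(profile):
        return False
    mad = sum(abs(s - p) for s, p in zip(sample, profile)) / len(profile)
    return mad <= threshold


class Verifier:
    """Server side: it only ever sees numbers the client chose to send."""

    def __init__(self, reject_duplicates=False):
        self.reject_duplicates = reject_duplicates
        self.seen = set()  # digests of previously accepted samples

    def login(self, sample):
        digest = hashlib.sha256(",".join(map(str, sample)).encode()).digest()
        if self.reject_duplicates and digest in self.seen:
            return False  # millisecond-identical timings are implausible for a human
        ok = matches_profile(sample)
        if ok:
            self.seen.add(digest)
        return ok


def demo():
    genuine = [115, 92, 137, 90, 104, 130, 99, 118]  # constructed capture
    stateless = Verifier()
    first = stateless.login(genuine)
    replayed = stateless.login(list(genuine))  # same values, no typing involved
    stateful = Verifier(reject_duplicates=True)
    stateful.login(genuine)
    replay_caught = not stateful.login(list(genuine))
    return first, replayed, replay_caught


if __name__ == "__main__":
    print(demo())
```

The duplicate check only recognizes a value-identical resubmission; it does not make the numbers reported by an untrusted client trustworthy.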