Date: Thu, 21 Mar 2002 15:57:17 -0800 (PST)
From: Bigby Findrake <bigby@ephemeron.org>
To: <security@FreeBSD.ORG>
Subject: Re: Safe SSH logins from public, untrusted Windows computers
Message-ID: <Pine.BSF.4.33.0203211551080.98942-100000@home.fake.net>
In-Reply-To: <20020319175854.N14039-100000@cithaeron.argolis.org>

On Tue, 19 Mar 2002, Matt Piechota wrote:

> On Tue, 19 Mar 2002, Roelof Osinga wrote:
>
> > So you take, say, 'Mary had a little lamb' as test sentence and then both
> > that sentence as well as the timing digest or even the individual samples
> > get transmitted as the "user ID".
>
> The only problem I see is keyboards being different.  I personally type
> much quicker on IBM101 (the old-school ones) than my laptop.

I've thought about this, and here is a problem I see.  If you're using
this across a network, you can't accurately measure time between strokes
because of unpredictable network latency.  This means that you would have
to run special software on the client (Java or otherwise) to calculate the
"timing signature" and then pass that along to the server.  To my thinking,
this signature would be susceptible to replay attacks, and so you're back
to square one.

While not novel, I think it's a wonderful idea, a new twist on biometrics.
I'm just not sure how valuable it would be in an untrusted environment.

/-------------------------------------------------------------------------/
  If all else fails, immortality can always be assured by spectacular
  error.
                -- John Kenneth Galbraith

               https://home.ephemeron.org/~bigby/pgp_key.txt
/-------------------------------------------------------------------------/
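
The two points raised in the message above, worked through as an added example that is not part of the original e-mail or thread: inter-keystroke intervals measured at the server are distorted by per-packet latency, while a signature computed on the client is just data that verifies again when resent. The timestamps, delays, threshold and distance metric are all constructed assumptions for illustration.

```python
"""Keystroke-timing login: server-side measurement vs. client-reported signature."""

# Constructed sample data (ms): key-press times on the client for one test phrase.
ENROLLED = [0, 140, 255, 430, 520, 700, 790, 950]   # enrollment session
ATTEMPT = [0, 150, 250, 440, 525, 690, 800, 945]    # same user, later login
# Constructed one-way network delay (ms) experienced by each keystroke packet.
DELAYS = [40, 110, 45, 90, 30, 120, 35, 100]
THRESHOLD = 25.0  # assumed acceptance threshold: mean absolute deviation in ms


def intervals(timestamps):
    """Turn absolute key-press times into inter-keystroke intervals."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def distance(sig_a, sig_b):
    """Mean absolute difference between two interval signatures (assumed metric)."""
    return sum(abs(a - b) for a, b in zip(sig_a, sig_b)) / len(sig_a)


def accept(profile, signature):
    """Server-side decision: does the signature match the enrolled profile?"""
    return distance(profile, signature) <= THRESHOLD


def arrival_times(client_times, delays):
    """What the server's clock sees when each keystroke crosses the network."""
    return [t + d for t, d in zip(client_times, delays)]


def demo():
    profile = intervals(ENROLLED)
    client_sig = intervals(ATTEMPT)                        # computed on the client
    server_sig = intervals(arrival_times(ATTEMPT, DELAYS)) # measured at the server
    captured = list(client_sig)  # a copy of what the client sent, resent unchanged
    return {
        "client_measured": accept(profile, client_sig),
        "server_measured": accept(profile, server_sig),
        "replayed": accept(profile, captured),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} accepted={ok}")
```
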