Date:      Thu, 21 Mar 2002 15:57:17 -0800 (PST)
From:      Bigby Findrake <bigby@ephemeron.org>
To:        <security@FreeBSD.ORG>
Subject:   Re: Safe SSH logins from public, untrusted Windows computers
Message-ID:  <Pine.BSF.4.33.0203211551080.98942-100000@home.fake.net>
In-Reply-To: <20020319175854.N14039-100000@cithaeron.argolis.org>

On Tue, 19 Mar 2002, Matt Piechota wrote:

> On Tue, 19 Mar 2002, Roelof Osinga wrote:
>
> > So you take, say, 'Mary had a little lamb' as test sentence and then both
> > that sentence as well as the timing digest or even the individual samples
> > get transmitted as the "user ID".
>
> The only problem I see is keyboards being different.  I personally type
> much quicker on IBM101 (the old-school ones) than my laptop.

I've thought about this, and here is a problem I see.  If you're using
this across a network, you can't accurately measure time between strokes
because of unpredictable network latency.  This means that you would have
to run special software on the client (Java or otherwise) to calculate the
"timing signature" and then pass that along to the server.  To my thinking,
this signature would be susceptible to replay attacks, and so you're back
to square one.

While not novel, I think it's a wonderful idea, a new twist on biometrics.
I'm just not sure how valuable it would be in an untrusted environment.



/-------------------------------------------------------------------------/
If all else fails, immortality can always be assured by spectacular
error.
                -- John Kenneth Galbraith

		https://home.ephemeron.org/~bigby/pgp_key.txt
/-------------------------------------------------------------------------/
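
The replay concern raised in this message, as an added example that is not part of the original e-mail: a server that scores a client-computed timing vector against an enrolled profile sees only numbers, so a previously submitted vector scores exactly as well as fresh typing. The timing values, the tolerance, the class names and the exact-duplicate check are assumptions made for illustration, not something proposed in the thread.

```python
import hashlib
import statistics

# Constructed data: inter-key gaps (ms) for one fixed test sentence.
ENROLLED = [[112, 95, 140, 88, 131, 102],
            [118, 90, 135, 92, 126, 108],
            [109, 99, 144, 85, 137, 99]]
FRESH = [115, 93, 138, 90, 129, 105]   # same typist, new attempt (constructed)
OTHER = [210, 180, 95, 160, 220, 75]   # different typist (constructed)
TOLERANCE_MS = 15                      # assumed acceptance threshold


def profile(samples):
    """Per-gap mean over the enrolment samples."""
    return [statistics.mean(col) for col in zip(*samples)]


def matches(sample, prof, tol=TOLERANCE_MS):
    """Accept when the mean absolute deviation from the profile is within tol."""
    if len(sample) != len(prof):
        return False
    return statistics.mean([abs(s - p) for s, p in zip(sample, prof)]) <= tol


class NaiveVerifier:
    """Scores whatever vector the client software reports."""

    def __init__(self, samples):
        self.prof = profile(samples)

    def verify(self, sample):
        return matches(sample, self.prof)


class ReplayAwareVerifier(NaiveVerifier):
    """Additionally refuses a vector identical to one it already accepted."""

    def __init__(self, samples):
        super().__init__(samples)
        self.seen = set()

    def verify(self, sample):
        digest = hashlib.sha256(repr(list(sample)).encode()).hexdigest()
        if digest in self.seen:
            return False          # byte-identical resubmission
        ok = matches(sample, self.prof)
        if ok:
            self.seen.add(digest)
        return ok
```

The duplicate check recognises only a verbatim resubmission; it says nothing about whether a live person produced the numbers, which is why the vector cannot be treated as a secret when it is computed on an untrusted client.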

