Passwording Your Programs using Keystroke Dynamics
By Tim Surtell
Keystroke Dynamics is a method of making computer passwords harder to crack by recording not only the user's password but also the way that the user types it.
An article in 'Electronics -- the Maplin Magazine' entitled "Access control" describes several ways of stopping unauthorized entry into computer systems including signature, hand and eye recognition, but keystroke dynamics is the only method that does not require special equipment.
Because the only thing needed to implement Keystroke Dynamics is a new design of software, I decided to experiment and write the necessary program in BBC BASIC for the NC100/200.
Two programs are needed -- one to record the user's entry of the password, and one that can be put in the program that needs to be passworded. The listings of both are shown below. (To see them as text files click on the titles.)
Recording the password
Password recorder ... 1.8kb
10 DIM kd(3,20),pass(20)
20 CLS
30 thres=70
40 PRINTCHR$19"Keystroke dynamics password file generator"CHR$20
50 PRINT'"* Create password -- type in password three times..."
60 FORP=1 TO 3
70 PRINT'"Password ";P;" : ";
80 PROCenter_password(P)
90 NEXT
100 PRINT''"Calculating average keystroke intervals... "
110 FORI=1 TO kdpos-2 STEP 2
120 pass(I)=(kd(1,I)+kd(2,I)+kd(3,I)) DIV 3
130 pass(I+1)=kd(1,I+1)
140 NEXT
150 PRINT:FORI=1 TO kdpos-2 STEP 2:PRINT;pass(I);",";pass(I+1);" ";:NEXT
160 PRINT''"Password saved in 'PASSWORD.TXT'."
170 K=OPENOUT("PASSWORD.TXT")
180 FORI=1 TO kdpos-1
190 PRINT#K,pass(I)
200 NEXT
210 CLOSE#0
220 PRINT'"* Test password. Threshold is ";thres;"%..."'
230 PRINT"Type in your password : ";
240 PROCenter_password(0)
250 match=0
260 FORI=1 TO kdpos-2 STEP 2
270 IF kd(0,I)=pass(I) OR kd(0,I)-1=pass(I) OR kd(0,I)+1=pass(I) match=match+1
280 IF kd(0,I+1)<>pass(I+1) match=-1:I=kdpos-2
290 NEXT
300 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
310 PRINTTAB(40)percent;"% -- Access ";:IF percent>=thres PRINT;"granted." ELSE PRINT;"denied."
320 GOTO230
330 PRINTpercent
340 END
350 DEF PROCenter_password(N)
360 FORI=1 TO 20:kd(N,I)=0:NEXT
370 kdpos=1
380 G=INKEY(1)
390 IF G=-1 GOTO380
400 IF G=13 ENDPROC
410 PRINTCHR$G;
420 IF kdpos=1 kd(N,kdpos)=0:kd(N,kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO380
430 kd(N,kdpos)=TIME:kd(N,kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO380
Using the password
PROCkeystroke_dynamics ... 1kb
10 REM ************************
20 REM Keystroke dynamics
30 REM PROCkeystroke_dynamics
40 REM Developed by Tim Surtell
50 REM ************************
60 REM NC100/200 Version 2
70 REM Downloaded from Tim's NC Users' Site
80 REM http://www.gre.ac.uk/~st702/index.htm
90 DIM kd(20):thres=70
100 DEF PROCkeystroke_dynamics
110 PRINT "Type in your password : ";
120 FORI=1 TO 20:kd(I)=0:NEXT
130 kdpos=1
140 G=INKEY(1)
150 IF G=-1 GOTO140
160 IF G=13 GOTO200
170 PRINTCHR$G;
180 IF kdpos=1 kd(kdpos)=0:kd(kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO140
190 kd(kdpos)=TIME:kd(kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO140
200 K=OPENIN("PASSWORD.TXT")
210 match=0
220 FORI=1 TO kdpos-2 STEP 2
230 INPUT#K,time,key
240 IF kd(I)=time OR kd(I)-1=time OR kd(I)+1=time match=match+1
250 IF kd(I+1)<>key match=-1:I=kdpos-2
260 NEXT
270 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
280 PRINT"Access ";:IF percent<thres PRINT;"denied.":CLOSE#K:GOTO110 ELSE PRINT;"granted."
290 CLOSE#K
300 ENDPROC
Program analysis
I will now describe the operation of the password recorder program. The other program (PROCkeystroke_dynamics) is similar to PROCenter_password in the password recorder program.
As each key is pressed two things need to be recorded:
- The first is the ASCII code of the character pressed.
- The second is the time interval that elapsed before the key was pressed. For the first key this will be 0 since a key was not pressed previously.
Subsequent blocks of two cells in the arrays hold the data for the following characters.
- Line 10: Sets up two arrays. kd(n,l) holds the data received when you first set up the password by typing it in three times; n determines which of these sets of data is used. 'pass' holds the final average values.
- Line 30: Sets the 'password correct' threshold as a percentage. You can change this if you need to.
- Lines 60 to 90: Call PROCenter_password three times so that the password can be defined. Changing P from 1 to 3 means the data is placed in different parts of array 'kd'.
- Lines 110 to 140: Take average values of the three sets of time intervals found in 'kd' and place the results in array 'pass'. The ASCII code values are left unchanged.
- Lines 170 to 210: Save the array 'pass' to "PASSWORD.TXT" so it can be used in PROCkeystroke_dynamics.
- Line 240: Calls PROCenter_password again and the results are put in kd(0,l).
- Lines 250 to 290: Test this password against that in 'pass' by checking that the time intervals are the same, plus or minus 1 (line 270), and that the correct keys were pressed (line 280). Each time the interval test is true, 'match' is increased by one. If a wrong key is pressed, 'match' is made equal to -1.
- Line 300: Produces a 'percentage correct' figure from 'match'.
- Line 310: Compares this to 'thres' and prints 'Access granted' or 'Access denied', plus the percentage.
- Line 360: In PROCenter_password, deletes the previous data in kd(n,l).
- Lines 380 to 430: Let the user input the password. INKEY is used to get an input from the keyboard (line 380). If no key is pressed, line 390 makes the program loop. If there is an input, line 400 tests to see if it was ENTER. If so, the procedure ends. Line 420 puts the ASCII value and TIME into kd(n,l) and adds two to kdpos (the pointer for array 'kd').
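The enrol-and-compare scheme analysed above, restated in Python as an added example; it is not the author's BBC BASIC, and the function names, the `count_first` switch and the sample timings are assumptions constructed here. It goes slightly beyond the listings: the three enrolment attempts must spell the same password, the whole key sequence is compared (the listings' loop only walks the keys that were typed, so a shorter attempt is never checked against the rest of the template), and the first interval, which is always 0 and therefore always matches, can be left out of the score.

```python
TOLERANCE = 1    # ticks either side of the stored interval (line 270 of the recorder)
THRESHOLD = 70   # percent, 'thres' in the listings

def typed(text, intervals):
    """Build one attempt as (interval, key code) pairs, the layout used in kd()."""
    return list(zip(intervals, map(ord, text)))

def keys(attempt):
    return [k for _, k in attempt]

def enroll(samples):
    """Average the intervals of the enrolment attempts into a template ('pass')."""
    if any(keys(s) != keys(samples[0]) for s in samples):
        raise ValueError("enrolment attempts do not spell the same password")
    return [(sum(s[i][0] for s in samples) // len(samples), k)
            for i, k in enumerate(keys(samples[0]))]

def score(template, attempt, count_first=False):
    """Percentage of intervals within TOLERANCE; 0 on any key or length mismatch."""
    if keys(attempt) != keys(template):
        return 0
    start = 0 if count_first else 1   # interval 0 is always 0, so it always matches
    pairs = list(zip(template, attempt))[start:]
    if not pairs:
        return 0                      # nothing to measure on a one-key password
    hits = sum(abs(t[0] - a[0]) <= TOLERANCE for t, a in pairs)
    return hits * 100 // len(pairs)

def granted(template, attempt, count_first=False):
    return score(template, attempt, count_first) >= THRESHOLD

# Constructed sample data: the password "open" typed three times, intervals in ticks.
TEMPLATE = enroll([typed("open", [0, 20, 15, 31]),
                   typed("open", [0, 22, 14, 29]),
                   typed("open", [0, 21, 16, 30])])
OWNER = typed("open", [0, 21, 16, 30])
OFF_RHYTHM = typed("open", [0, 35, 16, 30])   # right keys, one interval far off

if __name__ == "__main__":
    for name, attempt in (("owner", OWNER), ("off rhythm", OFF_RHYTHM),
                          ("first key only", typed("o", [0]))):
        print(name, score(TEMPLATE, attempt, count_first=True),
              score(TEMPLATE, attempt), granted(TEMPLATE, attempt))
```

The template holds the key codes themselves, just as 'pass' does when it is saved to PASSWORD.TXT, so that file needs the same protection as a plaintext password.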
Access Control by Frank Booty, Electronics -- The Maplin Magazine, Issue 97 January 1996 Page 22-23/45 (http://www.maplin.co.uk)