 |
 |
 |
 |
 |
 |
 |
 |
 |
Passwording Your Programs using Keystroke Dynamics
By Tim Surtell
Keystroke Dynamics is a method of making computer passwords harder to crack by recording not only the user's password but also the way that the user types it.
An article in 'Electronics -- the Maplin Magazine' entitled "Access control" describes several ways of stopping unauthorized entry into computer systems including signature, hand and eye recognition, but keystroke dynamics is the only method that does not require special equipment.
Because the only thing needed to implement Keystroke Dynamics is a new design of software I decided to experiment and write the necessary program in BBC BASIC for the NC100/200.
Two programs are needed -- one to record the user's entry of the password, and one that can be put in the program that needs to be passworded. The listings of both are shown below. (To see them as text files click on the titles.)
Recording the password
Password recorder ... 1.8kb
10 DIM kd(3,20),pass(20)
20 CLS
30 thres=70
40 PRINTCHR$19"Keystroke dynamics password file generator"CHR$20
50 PRINT'"* Create password -- type in password three times..."
60 FORP=1 TO 3
70 PRINT'"Password ";P;" : ";
80 PROCenter_password(P)
90 NEXT
100 PRINT''"Calculating average keystroke intervals... "
110 FORI=1 TO kdpos-2 STEP 2
120 pass(I)=(kd(1,I)+kd(2,I)+kd(3,I)) DIV 3
130 pass(I+1)=kd(1,I+1)
140 NEXT
150 PRINT:FORI=1 TO kdpos-2 STEP 2:PRINT;pass(I);",";pass(I+1);" ";:NEXT
160 PRINT''"Password saved in 'PASSWORD.TXT'."
170 K=OPENOUT("PASSWORD.TXT")
180 FORI=1 TO kdpos-1
190 PRINT#K,pass(I)
200 NEXT
210 CLOSE#0
220 PRINT'"* Test password. Threshold is ";thres;"%..."'
230 PRINT"Type in your password : ";
240 PROCenter_password(0)
250 match=0
260 FORI=1 TO kdpos-2 STEP 2
270 IF kd(0,I)=pass(I) OR kd(0,I)-1=pass(I) OR kd(0,I)+1=pass(I) match=match+1
280 IF kd(0,I+1)<>pass(I+1) match=-1:I=kdpos-2
290 NEXT
300 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
310 PRINTTAB(40)percent;"% -- Access ";:IF percent>320 GOTO230
330 PRINTpercent
340 END
350 DEF PROCenter_password(N)
360 FORI=1 TO 20:kd(N,I)=0:NEXT
370 kdpos=1
380 G=INKEY(1)
390 IF G=-1 GOTO380
400 IF G=13 ENDPROC
410 PRINTCHR$G;
420 IF kdpos=1 kd(N,kdpos)=0:kd(N,kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO380
430 kd(N,kdpos)=TIME:kd(N,kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO380
Using the password
PROCkeystroke_dynamics ... 1kb
10 REM ************************
20 REM Keystroke dynamics
30 REM PROCkeystroke_dynamics
40 REM Developed by Tim Surtell
50 REM ************************
60 REM NC100/200 Version 2 70 REM Downloaded from Tim's NC Users' Site
80 REM http://www.gre.ac.uk/~st702/index.htm
90 DIM kd(20):thres=70
100 DEF PROCkeystroke_dynamics 110 PRINT "Type in your password : ";
120 FORI=1 TO 20:kd(I)=0:NEXT
130 kdpos=1
140 G=INKEY(1)
150 IF G=-1 GOTO140
160 IF G=13 GOTO200
170 PRINTCHR$G;
180 IF kdpos=1 kd(kdpos)=0:kd(kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO140
190 kd(kdpos)=TIME:kd(kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO140
200 K=OPENIN("PASSWORD.TXT")
210 match=0
220 FORI=1 TO kdpos-2 STEP 2
230 INPUT#K,time,key
240 IF kd(0,I)=time OR kd(0,I)-1=time OR kd(0,I)+1=time match=match+1
250 IF kd(0,I+1)<>key match=-1:I=kdpos-2
260 NEXT
270 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
280 PRINT"Access ";:IF percent thres PRINT;"denied.":GOTO110 ELSE PRINT;"granted."
290 CLOSE#K
300 ENDPROC
Program analysis
I will now describe the operation of the password recorder program. The other program (PROCkeystroke_dynamics) is similar to PROCenter_password in the password recorder program.
As each key is pressed two things need to be recorded:
- The first is the ASCII code of the character pressed.
- The second is the time interval that elapsed before the key was pressed. For the first key this will be 0 since a key was not pressed previously.
Subsequent blocks of two cells in the arrays hold the data for the following characters.
| Line 10 | Sets two arrays; kd(n,l) holds the data received when you first set up the password by typing it in three times. n determines which of these sets of data is used. 'pass' holds the final average values. |
| Line 30 | Sets the 'password correct' threshold as a percentage. You can change this if you need to. |
| Lines 60 to 90 | Call PROCenter_password three times so that the password can be defined. Changing P from 1 to 3 means the data is placed in different parts of array 'kd'. |
| Lines 110 to 140 | Take average values of the three sets of time intervals found in 'kd' and place the results in array 'pass'. The ASCII code values are left unchanged. |
| Lines 170 to 210 | Save the array 'pass' to "PASSWORD.TXT" so it can be used in PROCkeystroke_dynamics. |
| Line 240 | Calls PROCenter_password again and the results are put in kd(0,l). |
| Lines 250 to 290 | Test this password against that in 'pass' by checking that the time intervals are the same, plus or minus 1 (line 270) and that the correct keys were pressed (line 280). Each time the interval test is true 'match' is increased by one. If a wrong key is pressed 'match' is made equal to -1. |
| Line 300 | Produces a 'percentage correct' figure from 'match'. |
| Line 310 | Compares this to 'thres' and prints 'Access granted' or 'Access denied', plus the percentage. |
| Line 360 | In PROCenter_password deletes the previous data in kd(n,l). |
| Lines 380 to 430 | Let the user input the password. INKEY is used to get an input from the keyboard (line 380). If no key is pressed, line 390 makes the program loop. If there is an input, line 400 tests to see if it was ENTER. If so the procedure ends. Line 420 puts theASCII value and TIME into kd(n,l) and adds two to kdpos (the pointer for array 'kd'.) |
 |
|
|
Access Control by Frank Booty, Electronics -- The Maplin Magazine, Issue 97 January 1996 Page 22-23/45 (http://www.maplin.co.uk)
|
|
|
| © 1997 – 2024 Tim Surtell | Tim's Amstrad NC Users' Site |
|
|
|
| Home | Features | Data Sheets | Questions | BBC BASIC | Software |