Passwording Your Programs using Keystroke Dynamics
By Tim Surtell
Keystroke Dynamics is a method of making computer passwords harder to crack by recording not only the user's password but also the way that the user types it.
An article in 'Electronics -- the Maplin Magazine' entitled "Access control" describes several ways of stopping unauthorized entry into computer systems, including signature, hand and eye recognition, but keystroke dynamics is the only method that does not require special equipment.
Because the only thing needed to implement Keystroke Dynamics is a new design of software, I decided to experiment and write the necessary program in BBC BASIC for the NC100/200.
Two programs are needed -- one to record the user's entry of the password, and one that can be put in the program that needs to be passworded. The listings of both are shown below. (To see them as text files click on the titles.)
Recording the password
Password recorder ... 1.8kb
10 DIM kd(3,20),pass(20)
40 PRINTCHR$19"Keystroke dynamics password file generator"CHR$20
50 PRINT'"* Create password -- type in password three times..."
60 FORP=1 TO 3
70 PRINT'"Password ";P;" : ";
100 PRINT''"Calculating average keystroke intervals... "
110 FORI=1 TO kdpos-2 STEP 2
120 pass(I)=(kd(1,I)+kd(2,I)+kd(3,I)) DIV 3
150 PRINT:FORI=1 TO kdpos-2 STEP 2:PRINT;pass(I);",";pass(I+1);" ";:NEXT
160 PRINT''"Password saved in 'PASSWORD.TXT'."
180 FORI=1 TO kdpos-1
220 PRINT'"* Test password. Threshold is ";thres;"%..."'
230 PRINT"Type in your password : ";
260 FORI=1 TO kdpos-2 STEP 2
270 IF kd(0,I)=pass(I) OR kd(0,I)-1=pass(I) OR kd(0,I)+1=pass(I) match=match+1
280 IF kd(0,I+1)<>pass(I+1) match=-1:I=kdpos-2
300 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
310 PRINTTAB(40)percent;"% -- Access ";:IF percent>320 GOTO230
350 DEF PROCenter_password(N)
360 FORI=1 TO 20:kd(N,I)=0:NEXT
390 IF G=-1 GOTO380
400 IF G=13 ENDPROC
420 IF kdpos=1 kd(N,kdpos)=0:kd(N,kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO380
Using the password
PROCkeystroke_dynamics ... 1kb
10 REM ************************
20 REM Keystroke dynamics
30 REM PROCkeystroke_dynamics
40 REM Developed by Tim Surtell
50 REM ************************
60 REM NC100/200 Version 2
70 REM Downloaded from Tim's NC Users' Site
80 REM http://www.gre.ac.uk/~st702/index.htm
90 DIM kd(20):thres=70
100 DEF PROCkeystroke_dynamics
110 PRINT "Type in your password : ";
120 FORI=1 TO 20:kd(I)=0:NEXT
150 IF G=-1 GOTO140
160 IF G=13 GOTO200
180 IF kdpos=1 kd(kdpos)=0:kd(kdpos+1)=G:kdpos=kdpos+2:TIME=0:GOTO140
220 FORI=1 TO kdpos-2 STEP 2
240 IF kd(I)=time OR kd(I)-1=time OR kd(I)+1=time match=match+1
250 IF kd(I+1)<>key match=-1:I=kdpos-2
270 IF match=-1 percent=0 ELSE percent=INT((match/((kdpos-1)/2))*100)
280 PRINT"Access ";:IF percent<thres PRINT;"denied.":GOTO110 ELSE PRINT;"granted."
I will now describe the operation of the password recorder program. The other program (PROCkeystroke_dynamics) is similar to PROCenter_password in the password recorder program.
As each key is pressed two things need to be recorded:
- The first is the ASCII code of the character pressed.
- The second is the time interval that elapsed before the key was pressed. For the first key this will be 0 since a key was not pressed previously.
Subsequent blocks of two cells in the arrays hold the data for the following characters.
Sets up two arrays. kd(n,l) holds the data received when you first set up the password by typing it in three times; n determines which of these sets of data is used. 'pass' holds the final average values.
Sets the 'password correct' threshold as a percentage. You can change this if you need to.
Lines 60 to 90: Call PROCenter_password three times so that the password can be defined. Changing P from 1 to 3 means the data is placed in different parts of array 'kd'.
Lines 110 to 140: Take average values of the three sets of time intervals found in 'kd' and place the results in array 'pass'. The ASCII code values are left unchanged.
Lines 170 to 210: Save the array 'pass' to "PASSWORD.TXT" so it can be used in PROCkeystroke_dynamics.
Calls PROCenter_password again and the results are put in kd(0,l).
Lines 250 to 290: Test this password against that in 'pass' by checking that the time intervals are the same, plus or minus 1 (line 270), and that the correct keys were pressed (line 280). Each time the interval test is true, 'match' is increased by one. If a wrong key is pressed, 'match' is made equal to -1.
Produces a 'percentage correct' figure from 'match'.
Compares this to 'thres' and prints 'Access granted' or 'Access denied', plus the percentage.
In PROCenter_password, deletes the previous data in kd(n,l).
Lines 380 to 430: Let the user input the password. INKEY is used to get an input from the keyboard (line 380). If no key is pressed, line 390 makes the program loop. If there is an input, line 400 tests to see if it was ENTER. If so, the procedure ends. Line 420 puts the ASCII value and TIME into kd(n,l) and adds two to kdpos (the pointer for array 'kd').
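The enrol-and-test logic described above, restated in Python as an added example (it is not the author's BBC BASIC, and the listings above are not reproduced in full). The function names, the sample password and all timings are constructed for illustration, and access is assumed to be granted when the percentage is at least the threshold.

```python
# Added illustration of the enrol/verify logic described above.
# Entries are lists of (interval, key_code) pairs; timings are constructed.

def enrol(samples):
    """Average the intervals of the enrolment entries (lines 110 to 140).

    Key codes are left unchanged; intervals use integer division (DIV).
    """
    if len({tuple(k for _, k in s) for s in samples}) != 1:
        raise ValueError("enrolment entries contain different keys")
    template = []
    for column in zip(*samples):
        interval = sum(t for t, _ in column) // len(samples)
        template.append((interval, column[0][1]))
    return template


def verify(template, attempt, thres=70, tolerance=1):
    """Return (percent, granted) for one attempt against the template."""
    # A wrong key forces 0% (match=-1 in the listing). A wrong length is
    # treated the same way here; that is an assumption of this example.
    if [k for _, k in attempt] != [k for _, k in template]:
        return 0, False
    match = sum(1 for (t, _), (ref, _) in zip(attempt, template)
                if abs(t - ref) <= tolerance)
    percent = int(match / len(template) * 100)
    return percent, percent >= thres


def entry(text, intervals):
    """Build one typed entry from a string and its inter-key intervals."""
    return list(zip(intervals, (ord(c) for c in text)))


# Constructed enrolment: "open" typed three times, intervals in timer ticks.
TEMPLATE = enrol([
    entry("open", [0, 12, 9, 15]),
    entry("open", [0, 13, 10, 14]),
    entry("open", [0, 11, 9, 16]),
])

if __name__ == "__main__":
    for ticks in ([0, 12, 10, 14], [0, 20, 9, 15], [0, 30, 30, 30]):
        print(ticks, verify(TEMPLATE, entry("open", ticks)))
```

Because the first interval is always 0 it always counts as a match, so with a four-key password one of the three real intervals can be wrong and the attempt still reaches 75%, above the 70% threshold.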
Access Control by Frank Booty, Electronics -- The Maplin Magazine, Issue 97 January 1996 Page 22-23/45 (http://www.maplin.co.uk)