Abstract
Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naïve username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device – such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nauman, M., Ali, T. (2010). TOKEN: Trustable Keystroke-Based Authentication for Web-Based Applications on Smartphones. In: Bandyopadhyay, S.K., Adi, W., Kim, Th., Xiao, Y. (eds) Information Security and Assurance. ISA 2010. Communications in Computer and Information Science, vol 76. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13365-7_28
DOI: https://doi.org/10.1007/978-3-642-13365-7_28
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13364-0
Online ISBN: 978-3-642-13365-7
eBook Packages: Computer Science (R0)