Two interesting items from Per Thorsheim, founder of the PasswordsCon conference that we’re hosting here in Cambridge this December (you still have one month to submit papers, BTW).
First, the Password Hashing Competition “have selected Argon2 as a basis for the final PHC winner”, which will be “finalized by end of Q3 2015”. This is about selecting a new password hashing scheme to improve on the state of the art and make brute force password cracking harder. Hopefully we’ll have some good presentations about this topic at the conference.
Second, and unrelated: Per Thorsheim and Paul Moore have launched a privacy-protecting Chrome plugin called Keyboard Privacy to guard your anonymity against websites that look at keystroke dynamics to identify users. So, you might go through Tor, but the site recognizes you by your typing pattern and builds a typing profile that “can be used to identify you at other sites you’re using, were identifiable information is available about you”. Their plugin intercepts your keystrokes, batches them up and delivers them to the website at a constant pace, interfering with the site’s ability to build a profile that identifies you.
Since the Tor browser bundle uses Firefox, it would be good to have a plugin for that too.
@Nicholas Bohm: good point.
It’s a bad idea to use Chrome with Tor, because Chrome has many anonymity leakages which are only fixed in the patched version of Firefox distributed in the Tor Browser Bundle. Tor Browser does reduce the precision of the Javascript timers available for fingerprinting, but Runa’s experiment shows that this is not sufficient to defeat the attack. In the meantime setting the Tor Browser security slider to the highest level will disable Javascript by default and so defeat the attack at the cost of breaking some websites.
http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
— A recent article I read on this subject suggested that Thorsheim and Moore’s Chrome plugin delivers the keystrokes at a PSEUDO-RANDOM rate, rather than a constant rate, as you suggest here.
This article also suggests positive uses for the fist-identification technology:
“So far, Thorsheim and Moore say, several banking websites appear to be using keystroke profiling to perform an additional layer of authentication on site users. In theory, such an approach could allow the sites to detect account hijackings, even when the attacker enters the correct username and password. Given the potential benefit of behavioral biometrics, the Chrome plugin can whitelist specific websites that are using it for good.”
I sometimes read articles about Tor, anonymity and privacy protection; and I sometimes read other articles about authentication (verification of identity); and both strong anonymity and strong authentication are regarded as “good things” by the cryptography community; yet I rarely come across any articles that deal with the tension/ balance between the two!
I realise that anonymity may be directed differently to authentication (that one might identify & authenticate oneself to a service via an encrypted & anonymised network transport, without identifying oneself to third parties on the network), and that this may be the point of it all; however, for some applications (such as banking), it could be seen as undesirable to permit authentication by Tor users, or by those using certain other privacy-protection tools: it is sensible to include analysis of HTTP_USER_AGENT, network address and GeoIP trends in an authentication system. (Without knowing how to set up my server to authenticate the real end-user address of a TOR user visiting my site, I have programmed my systems to reject authentication attempts by anyone browsing via a TOR node. Is there a better way to reconcile anonymity with identification+authentication?)
this project http://leoneckert.com/deceitboard_and_keyprints.html might be of interest