Keystroke Timing Analysis of on-the-fly Web Apps

  • Chee Meng Tey
  • Payas Gupta
  • Debin Gao
  • Yan Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7954)


The Google Suggestions service used in Google Search is one example of an interactivity-rich JavaScript application. In this paper, we analyse the timing side channel of Google Suggestions by reverse engineering the communication model from obfuscated JavaScript code. We consider an attacker who attempts to infer the typing pattern of a victim. From our experiments involving 11 participants, we found that for each keypair with at least 20 samples, the mean of the inter-keystroke timing can be determined with an error of less than 20%.


Keywords: User Study, Proxy Server, Side Channel Attack, Query Packet, Keystroke Dynamic
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Chee Meng Tey (1)
  • Payas Gupta (1)
  • Debin Gao (1)
  • Yan Zhang (2)
  1. Singapore Management University, Singapore
  2. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China
