Abstract
The Google Suggestions service used in Google Search is one example of an interactivity-rich JavaScript application. In this paper, we analyse the timing side channel of Google Suggestions by reverse engineering the communication model from obfuscated JavaScript code. We consider an attacker who attempts to infer the typing pattern of a victim. From our experiments involving 11 participants, we found that for each keypair with at least 20 samples, the mean of the inter-keystroke timing can be determined with an error of less than 20%.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tey, C.M., Gupta, P., Gao, D., Zhang, Y. (2013). Keystroke Timing Analysis of on-the-fly Web Apps. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds) Applied Cryptography and Network Security. ACNS 2013. Lecture Notes in Computer Science, vol 7954. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38980-1_25
DOI: https://doi.org/10.1007/978-3-642-38980-1_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38979-5
Online ISBN: 978-3-642-38980-1
eBook Packages: Computer Science, Computer Science (R0)