Actions

Keystroke Deanonymization

From Whonix

(Redirected from Keystroke Fingerprinting)

Keystroke Dynamics[edit]

Keystroke biometric algorithms have advanced to the point where it is viable to fingerprint users based on soft biometric traits. This is a privacy risk because masking spatial information -- such as the IP address via Tor -- is insufficient to anonymize users. [1]

Users can be uniquely fingerprinted based on: [2]

  • Typing speed.
  • Exactly when each key is located and pressed (seek time), how long it is held down before release (hold time), and when the next key is pressed (flight time).
  • How long the breaks/pauses are in typing.
  • How many errors are made and the most common errors produced.
  • How errors are corrected during the drafting of material.
  • The type of local keyboard that is being used.
  • Whether they are likely right or left-handed.
  • Rapidity of letter sequencing indicating the user's likely native language.

A unique neural algorithm generates a primary pattern for future comparison. It is thought that most individuals produce keystrokes that are as unique as handwriting or signatures. This technique is imperfect; typing styles can vary during the day and between different days depending on the user's emotional state and energy level. [2]

Unless protective steps are taken to obfuscate the time intervals between key press and release events, it is likely most users can be deanonymized based on their keystroke manner and rhythm biometrics. Adversaries are likely to have samples of clearnet keystroke fingerprinting which they can compare with "anonymous" Tor samples. At a minimum users should not type into browsers with Javascript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.

News: kloak - Keystroke Anonymization Tool - Testers Wanted

In addition, users must also disguise their linguistic style to combat stylometric analysis and be aware of mouse tracking techniques available to adversaries.

Defense Testing[edit]

You can test that kloak actually works by trying an online keystroke biometrics demo. For example, try these three different scenarios:

Train normal, test normal

Train normal, test kloak

Train kloak, test kloak


Train normal means to train with normal typing behavior, i.e., without kloak running. At the enrollment page on the KeyTrac demo, enter a username and password without kloak running, and then on the authenticate page, try authenticating.

Expected results and interpretation:


Train normal, test normal

trial 1: 94% accuracy identified

trial 2: 92% accuracy

trial 3: 94% ..


Train normal, test kloak

trial 1: 18%

trial 2: 15%

trial 3: 19%


Train kloak, test kloak

trial 1: 40%

trial 2: 42%

trial 3 36%


Without kloak users can be identified with very high certainty. The second set of tests show that kloak definitely obfuscates typing behavior, making it difficult to authenticate or identify a particular user. Third set: users running kloak may look "similar" to other users running kloak. That is, it might be possible to identify kloak users from non-kloak users. If this is the case, the anonymity set will increase as more users start running kloak.

Future[edit]

Update: A new version of kloak is available since March 2019.

Kloak now runs as a service and is readily installable from Whonix ™ repos. It will be installed in Whonix ™ 15 by default. We recommend installing it on the host however so it remains effective in event of Workstation VM compromise. If you need to access accounts (for example banking) that enforce keystroke biometrics, then it may be a good idea to just limit installation to Whonix ™ VMs. Planned future developments will focus on obfuscating unique mouse movement behavior to protect user anonymity.

Tickets:

See Also[edit]

References[edit]


No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Anonymous user #1

3 months ago
Score 0 You
Kloak 0.2-1 is unable to find a keyboard and fails in Qubes-Whonix when run as a service. Change /lib/systemd/system/kloak.service from "ExecStart=/usr/sbin/kloak" to "ExecStart=/usr/sbin/kloak -r /dev/input/event0 -w /dev/uinput" to fix.

Patrick

3 months ago
Score 0++

That won't work.

Now documented. Or see https://foru...on-tool/7089 to learn why.
Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

There are five different options for subscribing to Whonix source code changes.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.