Trojan Keyboard Driver (was Re: Viewing Current Password)

Brad Allen <Ulmo@BayView.COM>, Brad Allen <802000207@RUMAc.UPRM.Edu>
Tue, 12 Dec 2000 00:12:47 -0800


This is getting off-topic misc@openbsd.org fast, but even worse is
measuring typical letter keystroke separations for typing depending on
the pattern of keys typed and then using this simple time separation
technique to get a probability pattern of what the password could be.
If I thought of that, then I know the NSA could have thought of even
better schemes.  All they need to do then is do a bit of QWERTY
keyboard study and perhaps try to get some clear text or cracked
samples of a target user's typing.  A few minutes in a van physically
would save a lot of time even if the user doesn't type the specific
password wanted at that moment and NEVER uses TELNET (only unbroken
SSH).

I'm thinking OpenPGP implementations need something like OTP passwords
or something.  What is S/Key?  Perhaps that, if it fits the bill
... (no repeated keystrokes) ... ah, yes it is, as described by
RFC1760 (N. Haller, Bellcore, Feb. 1995); I have some concerns that
the digest be strong enough (e.g., MD5 may be used by some systems,
but MD5 had certain vulnerabilities which I forget; bitlength; etc.;
RC4 looks to be default).  I really have to read up on S/Key and
choosing good hashes and bitlengths and stuff, and integration into
GnuPG (cc'd to gnupg users list; cc to me but not to misc@openbsd.org
please): has anybody made S/Key patches for GnuPG yet, or something
even better than S/Key as described by RFC1760?  This might stop even
a van attack, even for those high-security GPG keys?  I still want
reasonable-security over-network keys right now.

jim.moore> An article I saw recently described a similar technique
jim.moore> used by the FBEye to capture PGP passwords being used by a
jim.moore> suspected gangster. A reference to the article is provided
jim.moore> below.

To misc@openbsd.org --- sorry for my prolificness today.  I'm getting
used to the tone of the mailing list.

To gnupg-users@gnupg.org --- please cc: me as I am not on the list,
and answer my question about S/Key integration into GnuPG, and leave
out cc:misc@openbsd.org unless you have a "yes" answer.
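
The S/Key scheme the message asks about (RFC 1760) is a hash chain: the server stores the result of hashing a secret N times and accepts only the value that hashes to what it stored, so a password that has been observed once is rejected the next time. The sketch below is an added example, not part of the original message and not S/Key or GnuPG code; it assumes SHA-256 folded to 64 bits in place of the RFC's hash, leaves out the six-word encoding, and every name and value in it is constructed.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One chain step: hash, then XOR-fold the digest down to 64 bits."""
    folded = bytearray(8)
    for i, byte in enumerate(hashlib.sha256(value).digest()):  # SHA-256 is a swap-in
        folded[i % 8] ^= byte
    return bytes(folded)


def otp(passphrase: bytes, seed: bytes, count: int) -> bytes:
    """Client side: password number `count` in the chain for this seed."""
    value = step(seed + passphrase)
    for _ in range(count):
        value = step(value)
    return value


class Verifier:
    """Server side: keeps the last accepted password, never the passphrase."""

    def __init__(self, seed: bytes, count: int, last: bytes):
        self.seed, self.count, self.last = seed, count, last

    def challenge(self):
        return self.count - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:  # chain used up: the user must re-initialise
            return False
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last, self.count = candidate, self.count - 1
        return True


def demo():
    passphrase, seed = b"constructed passphrase", b"ke1234"  # constructed values
    server = Verifier(seed, 100, otp(passphrase, seed, 100))
    n, s = server.challenge()
    captured = otp(passphrase, s, n)      # the value that crosses the wire
    accepted = server.verify(captured)
    replayed = server.verify(captured)    # same value presented a second time
    n, s = server.challenge()
    following = server.verify(otp(passphrase, s, n))
    return accepted, replayed, following


if __name__ == "__main__":
    print(demo())
```

The replay fails because after the first login the server expects the preimage of the value it just accepted, which the observed password does not reveal.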
