On 2 January 2012 03:01, ianG <i...@iang.org> wrote: >>> When I was a rough raw teenager doing this, I needed around 2 weeks to >>> pick up 5 letters from someone typing like he was electrified. The other 3 >>> were crunched in 4 hours on a vax780. >> >> how many samples? (distinct shoulder surf events) > > > About 1 a day, say 10, without making it obvious.
The trick to counter-acting shoulder surfing is to touch type and hold the shoulder suffers gaze so you know they are not looking at your key-presses. Computer teacher in high school used to do that I noticed. Seperately and relatedly I was thinking of having a go at designing a human computable challenge response for occasional when you know or believe your typing is being observed. eg Human remembers single digit numeric coefficients to a 8 mod 10 simultaneous equations (16 digits): r1 = a.x1+b.x2 mod 10 r2 = c.x3+d.x4 mod 10 ... r8 = o.x15+p.x16 mod 10 computer generates x1 - x16 at random between -9 and +9. Now a shoulder surfer sees less than 8 challenges responded to and they have only 1 equation for each pair of unknowns. The challenges are one use. The response (what is typed to login) are r1.. r8 an 8 digit number. That was just the rough idea, no calculations done yet, maybe one can reduce the number of terms and safely allow more than one use with a bit of tinkering. I was thinking it might be interesting for encrytped file systems also. Normally you login with your passphrase when you are confident you are not being shoulder surfed, or no public video surveillance in place (eg airport). But this way you have a second login mechanism with limited number of logins that are safe to use. The challenges and the disk key encrypted with salted, iterated hash of the challenge response can be stored separately, one per login, and over-written after use, preventing hostile reuse. After login they can be replaced with a new one. Adam _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
