Dinei Florencio
Microsoft
USA

Cormac Herley
Microsoft
USA

In this paper we examine the problem of entering sensitive data, such as
passwords, from an untrusted machine. By untrusted we mean that it is
suspected to be infected with spyware which snoops on the user's activity.
Using such a machine is obviously undesirable, and yet roaming users often
have no choice. They are in no position to judge the security status of
internet cafe, airport lounge or business center machines. Either malice or
negligence on the part of an administrator means that any such machine can
easily be running a keylogger. The roaming user has no reliable way of
determining whether it is safe, and has no alternative to typing the
password.


We consider whether it is possible to enter data to confound spyware
assumed to be running on the machine in question. The difficulty of
mounting a collusion attack on a single user's password makes the problem
more tractable than it might appear. We explore several approaches. In the
first, we show how the user can embed a password in random keystrokes to
confuse spyware, while leaving the actual login unaffected. In the second
we employ a proxy server to strip random keys. In the third we again employ
a proxy that inverts a key mapping performed by the user. We examine also
several potential attacks.

Keywords: spyware, keyloggers,

Read Paper (in PDF)