User: Password:
Subscribe / Log in / New account

Re: Patching a SSH 'Weakness'

From:  Damien Miller <>
To:  johan beisser <>
Subject:  Re: Patching a SSH 'Weakness'
Date:  Sat, 13 Sep 2008 09:08:41 +1000 (EST)
Message-ID:  <>
Cc:  Philip Guenther <>,
Archive-link:  Article

On Fri, 12 Sep 2008, johan beisser wrote:

> On Sep 12, 2008, at 3:12 PM, Philip Guenther wrote:
> > On Fri, Sep 12, 2008 at 2:05 PM, johan beisser <> wrote:
> > 
> > This about security.  Being realistic means *not* being optimistic
> > that extracting data will be "too hard", "too unlikely", "only
> > applicable to a subset of people [and certainly not me]", etc.  Have
> > you not read enough papers that start with something like "It was
> > previously thought that attack [foo] was impractical for the following
> > reasons: [blah blah blah].  This paper demonstrates practical
> > circumstances under which those reasons fail or don't apply and the
> > attack succeeds"?
> Sure, against SSH1.
> The ACM paper was also published in 2001, same time frame. There's
> more padding (see the TCPDump output I provided) in SSH2. Also, take a
> look at what Damien Miller responded with: OpenSSH is applying extra
> padding.
> SSH2 is the default these days. I won't say it's impossible to do
> keystroke analysis, it's just going to be difficult to know if what
> two letters were typed and when. Frankly, I've given you ssh2 packet
> dump (i'll happily provide raw tcpdump output, if you want it).

There is no reason to believe that keystroke timing attacks will be
impossible against protocol 2 where they work against protocol 1.
They might just be a little more tricky.

Pointing at the paper and discounting it because it is ssh1 only is
sticking your head in the sand. It is usually easier to research attacks
on simpler protocols and work up to more complicated ones later.


(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds