|From:||Darrin Chandler <dwchandler-AT-stilyagin.com>|
|Subject:||Re: Patching a SSH 'Weakness'|
|Date:||Wed, 10 Sep 2008 19:21:27 -0700|
On Thu, Sep 11, 2008 at 10:06:27AM +0900, Hari wrote: > On Thu, Sep 11, 2008 at 4:58 AM, Kevin Neff <firstname.lastname@example.org> wrote: > > Hi, > > > > Some secure protocols like SSH send encrypted keystrokes > > as they're typed. By doing timing analysis you can figure > > out which keys the user probably typed (keys that are > > physically close together on a keyboard can be typed > > faster). A careful analysis can reveal the length of > > passwords and probably some of password itself. > > > > The paper: > > > > http://portal.acm.org/citation.cfm? > > id=1267612.1267637&coll=Portal&dl=GUIDE&CFID=1943417&C > > FTOKEN=28290455 > > The paper itself is not accessible. Prima facie, this looked like a > technology-in-search-of-a-problem kinda thing to me. For now, it > sounds like bull. > However, there are atleast 10 references to keystoke > timing/characteristics. That this 'weakness' holds water is a > judgement call. Of course, one can make any kind of conclusion only > after studying the paper/references. I remember reading that or a similar paper a while back. The idea has been around for longer. Is it a weakness? Yes, I'd say so. I can't comment on how serious it is, but at first blush not too serious. Making OpenSSH immune would be nice, as a proactive step. The reason why I think it's a weakness is that you can gather statistics on typing and use those to infer things. I.e., you can extract meaningful information from the encrypted session. If you're snooping on ssh and see a short burst of typing followed by another ssh session from the remote machine you can guess they typed 'ssh host.example.com' by the length of typing and the host connected to. Nice crib. Oh, after than connect was there another short burst? Probably the password. How many keystrokes can probably be inferred. Perhaps stats on interkey timing can be used to make some intelligent guesses, such as the 4th char is NOT punctuation because is followed char 3 too closely. Or whatever. Just because this takes real work and isn't in a popular script kiddie tool doesn't mean you should discount it. Traffic analysis of one kind or another has a long history of paying off well. -- Darrin Chandler | Phoenix BSD User Group | MetaBUG email@example.com | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation [demime 1.01d removed an attachment of type application/pgp-signature]
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds