Timing Analysis of Keystrokes and Timing Attacks on SSH (fwd)

Eugene Leitl Eugene.Leitl at lrz.uni-muenchen.de
Wed Aug 22 08:45:15 PDT 2001




-- Eugen* Leitl <a href="http://www.lrz.de/~ui22204/">leitl</a>
______________________________________________________________
ICBMTO  : N48 10'07'' E011 33'53'' http://www.lrz.de/~ui22204
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

---------- Forwarded message ----------
Date: 22 Aug 2001 11:37:39 -0400
From: Perry E. Metzger <perry at piermont.com>
To: cryptography at wasabisystems.com
Subject: Timing Analysis of Keystrokes and Timing Attacks on SSH


What I find really neat here is that up until now, serious traffic
analysis has been fairly neglected in the open crypto community. Is
this the start of things to come?

------- Start of forwarded message -------
Date: Wed, 22 Aug 2001 08:53:30 -0600
From: aleph1 at securityfocus.com
To: secpapers at securityfocus.com
Cc: secureshell at securityfocus.com
Subject: Timing Analysis of Keystrokes and Timing Attacks on SSH
Message-ID: <20010822085330.J3366 at securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Timing Analysis of Keystrokes and Timing Attacks on SSH
Dawn Xiaodong Song, David Wagner, Xuqing Tian
University of California, Berkeley

SSH is designed to provide a security channel between two hosts. Despite the
encryption and authentication mechanisms it uses, SSH has two weaknesses:
First, the transmitted packets are padded only to an eight-byte boundary (if
a block cipher is in use), which reveals the approximate size of the
original data. Second, in interactive mode, every individual keystroke that
a user types is sent to the remote machine in a separate IP packet
immediately after the key is pressed, which leaks the interkeystroke timing
information of users' typing. In this paper, we show how these seemingly
minor weaknesses result in serious security risks.

First we show that even very simple statistical techniques suffice to
reveal sensitive information such as the length of users' passwords or even
root passwords. More importantly, we further show that using more advanced
statistical techniques on timing information collected from the network,
the eavesdropper can learn significant information about what users type in
SSH sessions. In particular, we perform a statistical study of users'
typing patterns and show that these patterns reveal information about the
keys typed. By developing a Hidden Markov Model and our key sequence
prediction algorithm, we can predict key sequences from the interkeystroke
timings. We further develop an attacker system, Herbivore, which tries to
learn users' passwords by monitoring SSH sessions. By collecting timing
information on the network, Herbivore can speed up exhaustive search for
passwords by a factor of 50. We also propose some countermeasures.

In general our results apply not only to SSH, but also to a general class of
protocols for encrypting interactive traffic. We show that timing leaks
open a new set of security risks, and hence caution must be taken when
designing this type of protocol.

http://paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf

-
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

------- End of forwarded message -------
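
The first weakness in the abstract, padding only to an eight-byte boundary, worked through as an added example that is not from the paper or from any of the posts above. It assumes the SSH-2 binary packet layout (4-byte length, 1-byte padding length, at least 4 bytes of padding, MAC excluded), which this page does not spell out; the 64-byte bucket is an illustrative padding policy, not a countermeasure taken from the paper.

```python
# Added example (not from the paper or the posts). Assumes SSH-2 framing:
# uint32 packet_length | byte padding_length | payload | padding, with the
# total a multiple of the cipher block size and at least 4 bytes of padding.
HEADER = 4 + 1      # packet_length field + padding_length field
MIN_PAD = 4
MAX_PAD = 255       # padding_length is a single byte


def wire_len(payload_len, block=8):
    """Encrypted packet length (MAC excluded) with minimal padding."""
    unpadded = HEADER + payload_len
    pad = block - unpadded % block
    if pad < MIN_PAD:
        pad += block
    return unpadded + pad


def wire_len_bucketed(payload_len, bucket=64, block=8):
    """Same packet, but padded up to the next multiple of `bucket`."""
    if bucket % block:
        raise ValueError("bucket must be a multiple of the block size")
    minimal = wire_len(payload_len, block)
    total = -(-minimal // bucket) * bucket      # ceiling to bucket
    if total - HEADER - payload_len > MAX_PAD:
        raise ValueError("padding would exceed 255 bytes")
    return total


def consistent_payloads(observed, framer, max_payload=512):
    """Payload lengths that all produce the same observed wire length."""
    out = []
    for n in range(max_payload + 1):
        try:
            if framer(n) == observed:
                out.append(n)
        except ValueError:
            pass                                # length not encodable
    return out


if __name__ == "__main__":
    for n in (1, 7, 8, 20, 55, 56):             # constructed sample sizes
        a, b = wire_len(n), wire_len_bucketed(n)
        print(f"payload {n:3d}: minimal {a:3d} bytes "
              f"({len(consistent_payloads(a, wire_len))} candidates), "
              f"bucketed {b:3d} bytes "
              f"({len(consistent_payloads(b, wire_len_bucketed))} candidates)")
```

With minimal padding each wire length maps back to a window of only eight payload sizes, which is the "approximate size" leak the abstract describes; coarser buckets widen that window at the cost of bandwidth.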