New SSH attack weakens passwords

New SSH attack weakens passwords
Ann Harrison, SecurityFocus 2001-08-17

Researchers say the elapsed time between keystrokes can reveal much about your password.

passwd keystroke timing 2001-08-20
Zoltan Maroti

SSH Keystroke Timing Attack 2001-08-20
Chris Leonardos <cleonardos (at) triumph (dot) com [email concealed]> (3 replies)

SSH Keystroke Timing Attack 2001-08-20
impetus (1 replies)

SSH Keystroke Timing Attack 2001-08-30
Anonymous SSH User

Now, if I remember correctly, the SSH2 protocol has a flag that can be sent with a packet which says 'ignore this packet'. I guess the idea is that both sides should periodically (apparently rapidly) send these packets to foil timing attacks. An eavesdropper won't be able to tell if the packet is marked as such unless he has already circumvented the encryption (at which point SSH is useless anyway).

Here it is (from draft-secsh-transport-10.txt): Ignored Data Message (SSH_MSG_IGNORE).

Quoting: "This message can be used as an additional protection against advance traffic analysis techniques."

Apparently the protocol isn't being used to its fullest.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/241/6822#6822

SSH Keystroke Timing Attack 2001-08-30
Anonymous Coward

SSH Keystroke Timing Attack 2001-08-30
Chuck Geigner

how hard would it be 2001-08-30
Gerard Saraber

Why use password? 2001-08-30
Wkdpanda

Which keystrokes to find timings for. 2001-08-30
Todd Knarr <tknarr (at) silverglass (dot) org [email concealed]>