, SecurityFocus 2001-08-17
Researchers say the elapsed time between keystrokes can reveal much about your password.
WASHINGTON--A team of researchers from the University of California at Berkeley revealed two weaknesses in Secure Shell (SSH) implementations Friday that allow an eavesdropper to learn the exact length of a user's password by observing the rhythm of their keystrokes.By using advanced statistical techniques on timing information collected over the network, researchers also found that the eavesdropper can learn significant information about what users type in SSH sessions.
SSH is designed to provide a secure channel between two hosts, and strong authentication of both the remote host and user. But a paper entitled "Timing Analysis of Keystrokes and Timing Attacks on SSH," presented at the Usenix Security Symposium here, shows that the commonly used system has serious weaknesses, and may give users a false sense of security.
The research group, which includes Dawn Xiaodong Song, David Wagner and Xuqing Tian, showed that the transmitted packets are padded only to an eight-byte boundary if a block cipher is used.
Their second weakness is that in an interactive mode, each keystroke that a user types is sent to a remote machine in separate IP packets immediately after the key is pressed. According to the researchers, this leaks the inter-keystroke timing information of the users' typing.
"Unfortunately, SSH is not as bullet proof as one would hope," said Song. "Our attack shows that an eavesdropper can learn sensitive information about the users' data, such as passwords, over SSH."
Song, who presented the paper, said the researchers performed a statistical study of users' typing patterns and showed that these patterns revealed information about the keys typed. She said that by developing a Hidden Markov Model and a key sequence prediction algorithm, the team could predict key sequences from inter-keystroke timings.
The researchers studied user dynamics and determined that the timing information of the keystrokes leak information about the key sequences typed at about 1 bit of information about the content per keystroke pair. Because the entropy of passwords is only 4-8 bits per character, this 1 bit per keystroke pair information can reveal significant information about the content typed.
The researchers further verified that the time it takes the operating system to send out the packet after the key is pressed is generally negligible compared to the inter-keystroke timing. An eavesdropper can therefore learn the precise inter-stroke timing of users' typing based on the arrival time of the packets.
Based on their findings, the researchers developed an attack system, called Herbivore, which attempts to learn users' passwords by monitoring SSH sessions. Song noted that by collecting timing information on the network, Herbivore can increase the speed of an exhaustive password search by a factor of fifty.
These results apply not only to SSH, said Song, but also to a general class of protocols for encrypting interactive traffic. She warned that because timing leaks open up a new set of security risks, caution must be taken when designing this type of protocol.
The
"It's a classical application of traffic analysis where information can be gained just from the pattern of the communication rather than the data itself," said cryptographer Greg Rose, principal engineer with Qualcomm. "In practice, it's a small result, because a best practice site will still not be vulnerable in a meaningful way.
"It exposes partial information about passwords, but the whole point of using SSH is that you don't need to authenticate through the firewall with passwords, so attackers have no launch point," adds Rose.
"This demonstrates that tools are important, but without the context of a good security policy your risk is unmanaged, said Tom Limoncelli of security auditing firm Lumeta Corp., and coauthor of The Practice of System and Network Administration. "I think the countermeasures will come soon. I am never worried about a security risk being announced, we are worried about a security risk being kept secret."
This is not the first SSH attack published by researchers. In March, an advisory with the SSHOW traffic analysis tool, entitled "Passive Analysis of SSH (Secure Shell) Traffic," was posted to the BUGTRAQ security mailing list. The authors, Solar Designer and Dug Song, also included unofficial SSH 1.2.x patch. This advisory demonstrated several weakness in implementations of SSH protocols which let attacks obtain sensitive information by passively monitoring encrypted SSH sessions. This information could be used to speed-up brute-force attacks on passwords.