Digg this story   Add to del.icio.us  
New SSH attack weakens passwords
Ann Harrison, SecurityFocus 2001-08-17

Researchers say the elapsed time between keystrokes can reveal much about your password.

WASHINGTON--A team of researchers from the University of California at Berkeley revealed two weaknesses in Secure Shell (SSH) implementations Friday that allow an eavesdropper to learn the exact length of a user's password by observing the rhythm of their keystrokes.

By using advanced statistical techniques on timing information collected over the network, researchers also found that the eavesdropper can learn significant information about what users type in SSH sessions.

SSH is designed to provide a secure channel between two hosts, and strong authentication of both the remote host and user. But a paper entitled "Timing Analysis of Keystrokes and Timing Attacks on SSH," presented at the Usenix Security Symposium here, shows that the commonly used system has serious weaknesses, and may give users a false sense of security.

The research group, which includes Dawn Xiaodong Song, David Wagner and Xuqing Tian, showed that the transmitted packets are padded only to an eight-byte boundary if a block cipher is used.

Their second weakness is that in an interactive mode, each keystroke that a user types is sent to a remote machine in separate IP packets immediately after the key is pressed. According to the researchers, this leaks the inter-keystroke timing information of the users' typing.

"Unfortunately, SSH is not as bullet proof as one would hope," said Song. "Our attack shows that an eavesdropper can learn sensitive information about the users' data, such as passwords, over SSH."

Song, who presented the paper, said the researchers performed a statistical study of users' typing patterns and showed that these patterns revealed information about the keys typed. She said that by developing a Hidden Markov Model and a key sequence prediction algorithm, the team could predict key sequences from inter-keystroke timings.

The researchers studied user dynamics and determined that the timing information of the keystrokes leak information about the key sequences typed at about 1 bit of information about the content per keystroke pair. Because the entropy of passwords is only 4-8 bits per character, this 1 bit per keystroke pair information can reveal significant information about the content typed.

The researchers further verified that the time it takes the operating system to send out the packet after the key is pressed is generally negligible compared to the inter-keystroke timing. An eavesdropper can therefore learn the precise inter-stroke timing of users' typing based on the arrival time of the packets.

'Herbivore' password cracker
Based on their findings, the researchers developed an attack system, called Herbivore, which attempts to learn users' passwords by monitoring SSH sessions. Song noted that by collecting timing information on the network, Herbivore can increase the speed of an exhaustive password search by a factor of fifty.

These results apply not only to SSH, said Song, but also to a general class of protocols for encrypting interactive traffic. She warned that because timing leaks open up a new set of security risks, caution must be taken when designing this type of protocol.

The paper presented at Usenix also proposes some countermeasures that can be taken to guard against this type of attack. Song says countermeasures must hide inter-keystroke timings and send dummy packets when the user is typing slowly. When the user is typing more quickly, they can combine the packets of several keystrokes so that attackers cannot read individual keystroke packets and determine the timing of the keys or how many characters are typed.

"It's a classical application of traffic analysis where information can be gained just from the pattern of the communication rather than the data itself," said cryptographer Greg Rose, principal engineer with Qualcomm. "In practice, it's a small result, because a best practice site will still not be vulnerable in a meaningful way.

"It exposes partial information about passwords, but the whole point of using SSH is that you don't need to authenticate through the firewall with passwords, so attackers have no launch point," adds Rose.

"This demonstrates that tools are important, but without the context of a good security policy your risk is unmanaged, said Tom Limoncelli of security auditing firm Lumeta Corp., and coauthor of The Practice of System and Network Administration. "I think the countermeasures will come soon. I am never worried about a security risk being announced, we are worried about a security risk being kept secret."

This is not the first SSH attack published by researchers. In March, an advisory with the SSHOW traffic analysis tool, entitled "Passive Analysis of SSH (Secure Shell) Traffic," was posted to the BUGTRAQ security mailing list. The authors, Solar Designer and Dug Song, also included unofficial SSH 1.2.x patch. This advisory demonstrated several weakness in implementations of SSH protocols which let attacks obtain sensitive information by passively monitoring encrypted SSH sessions. This information could be used to speed-up brute-force attacks on passwords.

    Digg this story   Add to del.icio.us  
Comments Mode:
passwd keystroke timing 2001-08-20
Zoltan Maroti
SSH Keystroke Timing Attack 2001-08-20
Chris Leonardos <cleonardos (at) triumph (dot) com [email concealed]> (3 replies)
SSH Keystroke Timing Attack 2001-08-20
impetus (1 replies)
SSH Keystroke Timing Attack 2001-08-30
Anonymous SSH User
SSH Keystroke Timing Attack 2001-08-30
Anonymous Coward
SSH Keystroke Timing Attack 2001-08-30
Chuck Geigner
how hard would it be 2001-08-30
Gerard Saraber
Why use password? 2001-08-30
Which keystrokes to find timings for. 2001-08-30
Todd Knarr <tknarr (at) silverglass (dot) org [email concealed]>


Privacy Statement
Copyright 2010, SecurityFocus