SSH Keystroke Timing Attacks
Mike Hogye, Thad Hughes, Josh Sarfaty, Joe Wolf
SSH
The Secure SHell protocol was created by Tatu Ylönen and others to provide encrypted data transfers between remote machines.
Mmmm…SSH
SSH Weaknesses
SSH can leak information about passwords
• Approximate length of password can be inferred by examining number of packets.
• Keystroke Timing Analysis can reduce the search space for brute force attacks.
Password Keystroke Timing
• Users type passwords often
• Password keystrokes develop consistent rhythm due to optimized hand motion
• This rhythm can be used to determine characteristics about the password
[Figure: Time Between Adjacent Keystrokes vs. Key Typed. x-axis: Key Typed (R ] i p J [ : 4 Enter); y-axis: Time Between Adjacent Keystrokes (seconds), 0.0 to 0.7; eight series, Trial 1 to Trial 8.]
[Figure: Time Between Adjacent Keystrokes vs. Key Typed, With Network Latency. x-axis: Key Typed (R ] i p J [ : 4 Enter); y-axis: Time Between Adjacent Keystrokes (seconds), 0 to 0.7; eight series, Trial 1 to Trial 8.]
SSH Immediate Mode
• Each keystroke is sent IMMEDIATELY from client to server, one character per packet
• Allows interactive user experience
Passwords & SSH
• SSH login does NOT use immediate mode
• Password (and username) packets are padded to fixed lengths
• No problems, right?
WRONG!! Maybe?
su
• UNIX “Switch User” command (used to get root access)
• Executed in IMMEDIATE mode
SSH1 su command
Nested SSH
• Start new SSH session from within a running SSH session
• Username and password sent to server B in immediate mode
So What?
• Password lengths can be determined
• Reveals timing information of password keystrokes
• Academically speaking, this is a lot of information
Is This Practical?
• How to detect an “su” command?
• How to detect a nested SSH session?
• Network latency
Detecting the “su”
• Look for the ‘su’ signature
• Not as easy as it sounds
[Figure: SSH2 su command packet trace between Client and Server. Client keystrokes “s” “u” Return “a” “b” “c” “d” Return; packet sizes of 40, 48, 56 and 64 bytes with server acks and a Server Response; the su-login portion is labelled “I am a su”.]
SSH! (nested)
• Theoretically similar to detecting ‘su’
• In practice, much harder to detect
• No definite packet signature for calling ‘ssh’
How late(ncy) is your network
• Random network delay influences observed packet times
• Song’s paper considered latency statistics
– Determined that latency is not an issue
– Used eight year old statistics
– Song’s estimated network latency: 10 ms
• Modern latency easily reaches 170 ms
Internet Latency
Conclusions
• Song: Timing analysis can reduce brute-force password search by a factor of 50
• In practice, this is unlikely
• Use SSH2
– PuTTY defaults to SSH1
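The deck's two technical points, that immediate mode leaks one packet per keystroke with its timing intact and that network jitter of the order of 170 ms swamps that timing, can be checked with the small model below. It is an added example, not code from the deck or from any SSH implementation; the keystroke timestamps are constructed, and the fixed-clock sender is a simplified assumption modelled on the keystroke-timing obfuscation OpenSSH 9.5 added (ObscureKeystrokeTiming), which the deck predates.

```python
import random

# Constructed keystroke timestamps (seconds) for an 8-character secret plus Enter;
# the gaps mimic the deck's per-key timing chart, not measured data.
KEY_TIMES = [0.00, 0.21, 0.66, 0.78, 1.11, 1.71, 1.89, 2.16, 2.56]


def immediate_mode(key_times, jitter_s=0.0, seed=0):
    """Immediate mode: one packet per keystroke, each delayed by an independent
    random network delay in [0, jitter_s]. Returns packet arrival times."""
    rng = random.Random(seed)
    return sorted(t + rng.uniform(0.0, jitter_s) for t in key_times)


def obscured_mode(key_times, interval_s=0.020, max_chaff_s=0.25, seed=0):
    """Fixed-clock sending in the style of OpenSSH 9.5's ObscureKeystrokeTiming
    (assumed, simplified model): from the first keystroke a packet leaves every
    interval_s, carrying either a real keystroke or chaff, and the stream keeps
    going for a random time after the last keystroke. Returns arrival times."""
    rng = random.Random(seed)
    end = key_times[-1] + rng.uniform(0.0, max_chaff_s)
    n = int((end - key_times[0]) / interval_s) + 1
    return [key_times[0] + i * interval_s for i in range(n)]


def gaps(times):
    """Inter-packet (or inter-keystroke) intervals, rounded to milliseconds."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def observer_view(key_times, arrivals, tolerance_s=0.05):
    """What a passive observer recovers: whether the packet count reveals the
    keystroke count, and the fraction of true inter-keystroke gaps that the
    observed inter-packet gaps reproduce within tolerance_s."""
    true_g, seen_g = gaps(key_times), gaps(arrivals)
    hits = sum(abs(t - s) <= tolerance_s for t, s in zip(true_g, seen_g))
    return {"length_revealed": len(arrivals) == len(key_times),
            "gap_fraction": hits / len(true_g)}


if __name__ == "__main__":
    for label, arr in [("immediate, 10 ms jitter", immediate_mode(KEY_TIMES, 0.010)),
                       ("immediate, 170 ms jitter", immediate_mode(KEY_TIMES, 0.170)),
                       ("fixed 20 ms clock + chaff", obscured_mode(KEY_TIMES))]:
        print(label, observer_view(KEY_TIMES, arr))
```

At 10 ms jitter the observer recovers every gap and the exact keystroke count, at 170 ms only some of the gaps survive, and on the fixed clock no gap survives and the packet count no longer matches the keystroke count.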