Thanks for all the comments.  I think we're all pretty much on the same
page.

First order of business is to look at how much of a weakness this may be.
Then, implement several potential solutions.  Finally, test to see if the
"fixes" improved the situation.

I like the idea of mainly patching the username and passwd transfer.  But
there may be some utility to having interactive sessions as bullet proof as
possible.

I will pitch the idea to my group.  If they agree to work on it, we will
have something by the end of the quarter (bar F).

--Kevin
On Fri, Sep 12, 2008 at 7:01 AM, Mike M <[EMAIL PROTECTED]> wrote:

> On 9/10/2008 at 2:58 PM Kevin Neff wrote:
>
> |Hi,
> |
> |Some secure protocols like SSH send encrypted keystrokes
> |as they're typed.  By doing timing analysis you can figure
> |out which keys the user probably typed (keys that are
> |physically close together on a keyboard can be typed
> |faster).  A careful analysis can reveal the length of
> |passwords and probably some of password itself.
>  =============
>
>
> >> (keys that are physically close together on a keyboard
> >> can be typed faster).
>
>
> I do not agree with that statement.   Using two fingers I can hit the "A" and
> "L" keys nearly simultaneously (probably could even hit them simultaneously if
> I tried enough).
>
> The statement seems to rely upon the typist being a one-finger typer.
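As an added illustration (not code from this thread, nor from any SSH implementation), one way to blunt the timing analysis Kevin describes for interactive sessions: send on a fixed clock and fill empty slots with chaff, so the cadence on the wire no longer mirrors the typing rhythm. The keystroke trace, the 20 ms slot and the chaff tail are constructed assumptions for the demo.

```python
from typing import List, Optional, Tuple

# Constructed sample typing trace as (time_ms, key); not captured data.
TYPED: List[Tuple[int, str]] = [
    (0, "p"), (95, "a"), (300, "s"), (380, "s"),
    (610, "w"), (700, "o"), (1010, "r"), (1090, "d"),
]


def observed_intervals(send_times: List[int]) -> List[int]:
    """Gaps between consecutive packets, i.e. what a passive observer measures."""
    return [b - a for a, b in zip(send_times, send_times[1:])]


def passthrough_schedule(keystrokes: List[Tuple[int, str]]) -> List[int]:
    """One packet per keystroke at the instant it is typed: leaks the rhythm."""
    return [t for t, _ in keystrokes]


def fixed_interval_schedule(
    keystrokes: List[Tuple[int, str]], interval_ms: int = 20, tail_packets: int = 5
) -> List[Tuple[int, Optional[str]]]:
    """Emit one packet every interval_ms starting at the first keystroke.

    A real key rides in the first slot at or after it was typed (one key per
    slot, so bursts are spread out); every other slot carries chaff (None).
    After the last real key, tail_packets more chaff slots are sent so the
    stream does not stop the moment typing stops. Cost: up to interval_ms of
    added latency per key plus the chaff bandwidth.
    """
    sends: List[Tuple[int, Optional[str]]] = []
    pending = list(keystrokes)
    t = keystrokes[0][0]
    quiet = 0  # chaff packets sent since the last real key with nothing pending
    while pending or quiet < tail_packets:
        if pending and pending[0][0] <= t:
            sends.append((t, pending.pop(0)[1]))
            quiet = 0
        else:
            sends.append((t, None))
            if not pending:
                quiet += 1
        t += interval_ms
    return sends


def delivered_keys(sends: List[Tuple[int, Optional[str]]]) -> str:
    """Keys the receiver reconstructs after dropping chaff, in order."""
    return "".join(k for _, k in sends if k is not None)
```

Compare `observed_intervals(passthrough_schedule(TYPED))` with the intervals of the padded schedule: the first reproduces the typist's gaps, the second is a flat run of 20 ms slots.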
