Hi to you all. Actually, since before the advisory
by Solar Designer in SecurityFocus' bugtraq and the
appearance of this paper, we have been working
at CORElabs together with Ariel Futoransky,
Carlos Sarraute and Gerardo Richarte on an implementation
of an attack on this vulnerability in SSH. Our attack
concentrates on recovering the typed text in ssh
connections (and not only the password). We are able
to recover more than 50% of some messages in a
non-noisy channel by only eavesdropping. But this
information is subject to the scenario we are
using, and I do not want to impress everybody with
lies. The paper will be available soon. Of course
it can be exploited in a variety of systems. And
there is a lot of work to be done. There are many
tools coming from statistics that can be readily
used. Furthermore, it is difficult, and yet has to
be done, to implement a tool that uses all these
vulnerabilities, e.g., timing plus some known
cleartexts, some obvious server answers, etcetera. We
should be able to publish our results soon, and I'll
post a mail with the paper location by then.
There are still more people researching these
vulnerabilities (of which I know). And many directions
of research still remain unexamined. Back when the
bugtraq vuln-rep appeared a discussion of solutions
was made, and there are also some propositions in the
"Timing Analysis..." paper. I think there is much to
be studied on traffic analysis, and encryption and
authentication protocols are just the first of which
we have heard.

Best,
Ariel Waissbein

CORElabs - CORE Security Technologies
[EMAIL PROTECTED]

On 22 Aug 2001 11:37:39 -0400, "Perry E. Metzger" <[EMAIL PROTECTED]> 
wrote:

> What I find really neat here is that up until now, serious traffic
> analysis has been fairly neglected in the open crypto community. Is
> this the start of things to come?
> 
> ------- Start of forwarded message -------
> Date: Wed, 22 Aug 2001 08:53:30 -0600
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Timing Analysis of Keystrokes and Timing Attacks on SSH
> Message-ID: <[EMAIL PROTECTED]>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> 
> Timing Analysis of Keystrokes and Timing Attacks on SSH
> Dawn Xiaodong Song, David Wagner, Xuqing Tian
> University of California, Berkeley
> 
> SSH is designed to provide a secure channel between two hosts. Despite
> the encryption and authentication mechanisms it uses, SSH has two weaknesses:
> First, the transmitted packets are padded only to an eight-byte boundary (if
> a block cipher is in use), which reveals the approximate size of the
> original data. Second, in interactive mode, every individual keystroke that
> a user types is sent to the remote machine in a separate IP packet
> immediately after the key is pressed, which leaks the interkeystroke timing
> information of users' typing. In this paper, we show how these seemingly
> minor weaknesses result in serious security risks.
> 
> First we show that even very simple statistical techniques suffice to
> reveal sensitive information such as the length of users' passwords or even
> root passwords. More importantly, we further show that using more advanced
> statistical techniques on timing information collected from the network,
> the eavesdropper can learn significant information about what users type in
> SSH sessions. In particular, we perform a statistical study of users'
> typing patterns and show that these patterns reveal information about the
> keys typed. By developing a Hidden Markov Model and our key sequence
> prediction algorithm, we can predict key sequences from the interkeystroke
> timings. We further develop an attacker system, Herbivore, which tries to
> learn users' passwords by monitoring SSH sessions. By collecting timing
> information on the network, Herbivore can speed up exhaustive search for
> passwords by a factor of 50. We also propose some countermeasures.
> 
> In general our results apply not only to SSH, but also to a general class of
> protocols for encrypting interactive traffic. We show that timing leaks
> open a new set of security risks, and hence caution must be taken when
> designing this type of protocol.
> 
> http://paris.cs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf     
> 
> - 
> Elias Levy
> SecurityFocus
> http://www.securityfocus.com/
> Si vis pacem, para bellum
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> ------- End of forwarded message -------
> 
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to 
> [EMAIL PROTECTED]
> 
> 
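An added illustration, not part of the thread or of the Song, Wagner and Tian paper, of the two leaks the forwarded abstract names (block-boundary padding exposing approximate length, one packet per keystroke exposing interkeystroke timing) and of a constant-rate dummy-packet countermeasure. It assumes header and MAC overhead can be ignored, uses constructed keystroke timestamps in milliseconds, and the 50 ms tick is an arbitrary choice.

```python
# Added example (not from the paper or the thread): what a passive observer sees from
# the two SSH weaknesses in the abstract, and how constant-rate sending with dummy
# packets removes the timing signal. Assumptions: header/MAC overhead is ignored;
# times are constructed sample values in milliseconds, not measurements.
BLOCK = 8  # block-cipher padding boundary named in the abstract

def padded_len(n: int, block: int = BLOCK) -> int:
    """Wire length when n plaintext bytes are padded only to the next block boundary."""
    return -(-n // block) * block  # integer ceiling

def candidate_lengths(observed: int, block: int = BLOCK) -> range:
    """Every plaintext length consistent with one observed wire length: the length leak.
    Padding all short packets to a fixed larger size would make this range uninformative."""
    return range(max(1, observed - block + 1), observed + 1)

def naive_send_times(press_times):
    """Interactive mode as described: one packet per keystroke, sent at the press instant."""
    return list(press_times)

def constant_rate_send_times(press_times, tick_ms: int):
    """Countermeasure: one packet every tick_ms regardless of typing; a real keystroke rides
    in the next tick, otherwise a dummy packet goes out. The schedule depends only on how
    long the session lasts, not on which keys were pressed or when."""
    last = max(press_times, default=0)
    n_ticks = -(-last // tick_ms) + 1  # ceiling(last / tick) + 1 packets
    return [i * tick_ms for i in range(n_ticks)]

def eavesdropper_intervals(send_times):
    """Inter-packet gaps a passive observer measures on the encrypted stream."""
    return [b - a for a, b in zip(send_times, send_times[1:])]

# Constructed sample: a four-key secret and a three-key one typed over the same 390 ms.
PRESSES_A = [0, 140, 215, 390]
PRESSES_B = [0, 100, 390]

def demo(tick_ms: int = 50):
    """Naive mode hands the observer the exact interkeystroke timings and key count;
    constant-rate mode yields identical traffic for both inputs."""
    return {
        "naive_a": eavesdropper_intervals(naive_send_times(PRESSES_A)),
        "naive_b": eavesdropper_intervals(naive_send_times(PRESSES_B)),
        "rate_a": eavesdropper_intervals(constant_rate_send_times(PRESSES_A, tick_ms)),
        "same_traffic": (constant_rate_send_times(PRESSES_A, tick_ms)
                         == constant_rate_send_times(PRESSES_B, tick_ms)),
    }

if __name__ == "__main__":
    print(demo())
```

The cost of the countermeasure is visible in the numbers: constant-rate mode sends 9 packets for the 4 keystrokes of PRESSES_A, which is the bandwidth a defender pays to make the interval sequence carry nothing about the typing.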