keystroke timing attack
Florin Andrei
florin at sgi.com
Sat Nov 10 10:49:56 EST 2001
On Fri, 2001-11-09 at 15:24, Gert Doering wrote:
>
> On Fri, Nov 09, 2001 at 12:27:29PM -0800, Florin Andrei wrote:
> > Maybe I'm missing something, but isn't it enough to not send passwords
> > char-by-char over the network, and just wait for Enter and then send the
> > whole lot?
>
> How do you know that something the user types is a password (and not
> "input to your favourite editor" or such)?

(walking on thin ice...)

Well, when you authenticate by using user/pass, this is what you type:

    somecharacters<enter>
    someothercharacters<enter>
    nowtherealsessionstarts

I'm not sure if the ssh client can distinguish between
password-authenticated sessions and other sessions, but if it does, then
send everything between the first and the second <enter> in one chunk.
You don't need local echo anyway for those characters, so...

--
Florin Andrei
"Thomas Jefferson would love Napster" (a MSNBC reporter)
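
Added example, not part of the original message and not OpenSSH code: a small Python simulation of the proposal above, comparing what a passive observer sees on the wire when every key is sent as typed versus when everything between the first and second Enter is held and sent in one chunk. The keystroke timestamps are constructed, and the names `packets_sent`, `observed_gaps`, `SESSION` and `PASSWORD_WINDOW` are hypothetical.

```python
# Constructed sample, not a captured session: (milliseconds, key) for the
# sequence in the message: username<enter>, password<enter>, then the session.
SESSION = [
    (0, "b"), (120, "o"), (250, "b"), (400, "\n"),
    (1000, "s"), (1310, "3"), (1400, "c"), (1620, "r"),
    (1710, "e"), (1950, "t"), (2100, "\n"),
    (3000, "l"), (3100, "s"), (3300, "\n"),
]
PASSWORD_WINDOW = (1000, 2100)  # when the second line was being typed


def packets_sent(keys, buffer_second_line):
    """Return the (send_time_ms, payload_len) packets visible on the wire.

    With buffer_second_line=True, keys typed between the first and second
    Enter are held back and sent as one chunk when the second Enter arrives.
    """
    packets, held, enters = [], [], 0
    for t, key in keys:
        if buffer_second_line and enters == 1:
            held.append(key)
            if key == "\n":
                packets.append((t, len(held)))
                held = []
        else:
            packets.append((t, 1))  # one packet per keystroke
        if key == "\n":
            enters += 1
    return packets


def observed_gaps(packets, window):
    """Inter-packet gaps (ms) a passive observer sees inside the window."""
    start, end = window
    times = [t for t, _ in packets if start <= t <= end]
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for mode in (False, True):
        pkts = packets_sent(SESSION, buffer_second_line=mode)
        print("buffered" if mode else "char-by-char",
              len(pkts), "packets; gaps in password window:",
              observed_gaps(pkts, PASSWORD_WINDOW))
```

In the buffered case the one remaining packet still carries the line's length (7 bytes here, including Enter) unless the sender also pads it.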