keystroke timing attack

mouring at etoh.eviladmin.org
Sat Nov 10 16:33:01 EST 2001


That is the point: if you can cleanly and simply implement that, I'm sure a
lot of people would be happy, but one cannot randomly pick what to
send right away and what can wait for an Enter.

SSL-encrypted telnet would have the same problem. I think technically any
interactive VPN or IPSec session could have the same problem, if I've read
all the white papers right.

- Ben

On 9 Nov 2001, Florin Andrei wrote:

> On Fri, 2001-11-09 at 15:24, Gert Doering wrote:
> >
> > On Fri, Nov 09, 2001 at 12:27:29PM -0800, Florin Andrei wrote:
> > > Maybe I'm missing something, but isn't it enough to not send passwords
> > > char-by-char over the network, and just wait for Enter and then send the
> > > whole lot?
> >
> > How do you know that something the user types is a password (and not
> > "input to your favourite editor" or such)?
>
> (walking on thin ice...)
>
> Well, when you authenticate by using user/pass, this is what you type:
>
> somecharacters<enter>
> someothercharacters<enter>
> nowtherealsessionstarts
>
> I'm not sure if the ssh client can distinguish between
> password-authenticated sessions and other sessions, but if it does, then
> send everything between the first and the second <enter> in one chunk.
> You don't need local echo anyway for those characters, so...
>
> --
> Florin Andrei
>
> "Thomas Jefferson would love Napster" (a MSNBC reporter)
>
>
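
An added illustration of the trade-off discussed in this thread (not code from OpenSSH or from any poster): a small model of what a passive observer of the encrypted stream sees when every keystroke is sent at once, versus when known password input is held until Enter. The `secret` flag, the function names and the timestamps are constructed assumptions; the flag stands in for the client knowing that the input is a password, which is the open question raised above.

```python
from dataclasses import dataclass

@dataclass
class Key:
    t_ms: int     # time the key was pressed (constructed sample data)
    ch: str       # character typed; "\n" is Enter
    secret: bool  # assumption: the client knows this keystroke is password input

def typed(text, times, secret):
    """Build a keystroke list from a string and its press times."""
    return [Key(t, c, secret) for t, c in zip(times, text)]

def packets_char_by_char(keys):
    """One packet per keystroke: every press time is visible on the wire."""
    return [(k.t_ms, 1) for k in keys]

def packets_buffer_secret(keys):
    """Hold secret input until Enter and send it as one chunk; send the rest at once."""
    out, held = [], 0
    for k in keys:
        if not k.secret:
            out.append((k.t_ms, 1))
            continue
        held += 1
        if k.ch == "\n":
            # second field is the plaintext byte count in this model
            out.append((k.t_ms, held))
            held = 0
    return out

def observed_gaps(packets):
    """Inter-packet intervals in ms: what can be measured without decrypting anything."""
    times = [t for t, _ in packets]
    return [b - a for a, b in zip(times, times[1:])]

# Constructed sample: a login password, then input typed inside the session.
SAMPLE = (typed("s3cret\n", [0, 180, 310, 520, 600, 790, 900], True)
          + typed("vi\n", [2000, 2150, 2300], False))

if __name__ == "__main__":
    print("char-by-char gaps:", observed_gaps(packets_char_by_char(SAMPLE)))
    print("buffered packets: ", packets_buffer_secret(SAMPLE))
    print("buffered gaps:    ", observed_gaps(packets_buffer_secret(SAMPLE)))
```

In the buffered case the six intervals inside the password disappear, but the intervals for everything typed after login remain, including any password typed into a program running inside the session that the client cannot tell apart from editor input.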




More information about the openssh-unix-dev mailing list