keystroke timing attack

C. Jason Coit jasonc at silicondefense.com
Tue Nov 13 08:14:32 EST 2001 

All,

Roel Jonkman and I release two patches that countered this attack a
while back.  I submitted a patch for OpenSSH 2.9p2 on Oct 5 and 2.9.9p2
on Oct 16.  These patches are located at
http://www.silicondefense.com/software/ssh/index.htm.  
Our method was to send packets every 50 ms (using IGNORE messages if no
keystroke was made) and then shutting down after about a second after
the last genuine keystroke.  Is it possible to get our code into
openssh?  



regards,

Jason Coit

Solar Designer wrote:
> 
> On Sun, Nov 11, 2001 at 02:12:44PM +0100, Markus Friedl wrote:
> > On Sun, Nov 11, 2001 at 01:26:25AM +0100, Andersson, Mats wrote:
> > > The next release of MindTerm (an ssh1/ssh2 implementation in java found at
> > > www.appgate.com/mindterm) contains a client-side "countermeasure" against
> > > this timing attack aswell. It starts sending IGNORE messages, at
> > > pseudo-random short intervals, of same size as a channel-data packet
> > > containing a keystroke when one start typing and then keeps on sending
> > > these packets up to 2 seconds after last keypress, completely hiding the
> > > inter-keystroke timings.
> >
> > but since the server won't send an 'echo' ignore message to the
> > client's ignore message, it's now possible to figure out the
> > SU-signature again!
> 
> Why, it would also not send "echo" ignore messages when a shell
> command (and not a password) is being entered.  So the server-side
> countermeasure continues to work to the same extent it normally did.
> 
> It's just the described client-side countermesure which turns out to
> be totally ineffective (as opposed to quite ineffective which it
> normally is) when there's also a server-side countermeasure as
> recommended by our advisory and as implemented in recent OpenSSH.
> Such an interesting interaction. ;-(
> 
> > moreover i don't think random intervalls help, i think you need 'fixed'
> > intervalls.
> >
> > if you have random intervals, you can probably strip the random noise
> > if you have enough samples.
> 
> In case anyone cares, I agree with Markus entirely.  In fact, this
> issue has been discussed before our advisory and the Berkeley paper
> went public.
> 
> It's nice to see client authors try to design and implement additional
> countermeasures.  Unfortunately, I don't believe there's much which
> can be done without a protocol extension which would let clients and
> servers agree on the dummy traffic.  Whatever we thought was practical
> to implement right now is described in the advisory.  For the clients
> this means protecting the initial login username and password only.
> 
> --
> /sd

-- 

+--                                  --+
|   C. Jason Coit Programmer/Analyst   |
|    Silicon Defense: IDS Solutions    |
|    http://www.silicondefense.com/    |
+--                                   -+

More information about the openssh-unix-dev mailing list