Packet Timing and Data Leaks
Howard Chu
hyc at symas.com
Mon Aug 7 04:38:14 AEST 2023
Damien Miller wrote:
> On Thu, 3 Aug 2023, Chris Rapier wrote:
>
>> Howdy all,
>>
>> So, one night over beers I was telling a friend how you could use the timing
>> between key presses on a typewriter to extract information. Basically, you
>> make some assumptions about the person typing (touch typing at so many words
>> per second and then fuzzing the parameters until words come out).
>>
>> Then I found a paper written back in 2001 that talked about using the interpacket
>> timing in interactive sessions to leak information.
>> https://people.eecs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf
>>
>> I'm sure this has been addressed (or dismissed) but I'm looking for the
>> specific section of code that might deal with this. Any pointers?
>
> The main issue raised in that paper was that it was trivially detectable
> when terminal echo was switched off and so an attacker could specifically
> observe the moments when users were typing their passwords into (say)
> sudo. This got fixed around the time the paper was released IIRC,
> search for "Simulate echo" in channels.c:channel_handle_wfd().
>
> The broader issue of hiding all potential keystroke timing is not yet fixed.
The keystroke timing issue would be solved by adding LINEMODE support as I did back in 2010.
https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028732.html
The code is still available here https://github.com/hyc/OpenSSH-LINEMODE/
If there's sufficient interest this time, I can probably bring it all up to date with
a current OpenSSH version. I won't bother if it meets the same apathy as last time.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
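As an added illustration of the two leaks discussed in this thread (not code from the thread, the paper, or OpenSSH): with echo off the server's reply packets vanish, which a "simulate echo" dummy reply hides; and in char-at-a-time mode each key press is its own packet, so the gaps an observer sees on the wire equal the inter-keystroke gaps, whereas client-side line buffering (LINEMODE) sends the whole line at once. Keystroke times are constructed and packet sizes are ignored.

```python
"""Constructed model of per-keystroke SSH traffic versus line-buffered
traffic, and of the echo-off tell. Simplified; not OpenSSH code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float       # seconds, as seen by a passive observer on the wire
    direction: str  # "c2s" (client->server) or "s2c"

# Constructed keystroke stream for the line "ls -l\n": (press time, char)
KEYSTROKES = [(0.000, "l"), (0.180, "s"), (0.350, " "), (0.520, "-"),
              (0.610, "l"), (0.900, "\n")]

def char_mode_packets(keys, echo=True, simulate_echo=False):
    """Char-at-a-time mode: one c2s packet per key press. With echo on the
    server answers each with an echo packet; with echo off (e.g. a password
    prompt) it stays silent unless it simulates the echo with a dummy."""
    pkts = []
    for ts, _ch in keys:
        pkts.append(Packet(ts, "c2s"))
        if echo or simulate_echo:
            pkts.append(Packet(ts + 0.002, "s2c"))
    return pkts

def line_mode_packets(keys):
    """LINEMODE: the client buffers and echoes locally; the whole line is
    sent when Enter is pressed, so only line-completion time is visible."""
    line_end = max(ts for ts, ch in keys if ch == "\n")
    return [Packet(line_end, "c2s"), Packet(line_end + 0.002, "s2c")]

def intervals(ts_list):
    ts_list = sorted(ts_list)
    return [round(b - a, 3) for a, b in zip(ts_list, ts_list[1:])]

def observed_c2s_intervals(pkts):
    """What the observer can measure: gaps between client->server packets."""
    return intervals([p.ts for p in pkts if p.direction == "c2s"])

def keystroke_intervals(keys):
    return intervals([ts for ts, _ in keys])

def echo_ratio(pkts):
    """s2c packets per c2s packet; a drop to 0 marks an echo-off prompt."""
    c2s = sum(p.direction == "c2s" for p in pkts)
    return sum(p.direction == "s2c" for p in pkts) / c2s if c2s else 0.0
```

In char mode the observed gaps reproduce the keystroke gaps exactly; in line mode there is a single client packet and nothing to measure.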