[Bug 763] Add Null packet keepalive option
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Nov 24 19:05:12 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=763
------- Additional Comments From v at iki.fi 2003-11-24 01:05 -------
I assume Ralf Hauser invited me to add myself to Cc list of this bug because of
this comment:
http://www.mindrot.org/pipermail/openssh-unix-dev/2003-April/017804.html
So here it is for the record:
What about the randomness? Isn't there some information exposed currently as
to at what time and how many times the user for example presses keys? I
think there was a proposed attack to record the relative timing of packets
sent by ssh after each key press and to use that information to analyze what
kind of password the user might have typed. Inserting random traffic to the
stream might mitigate this information leak? Or has this been handled by
other means?
What tried to address with the above comment is what is described in
http://www.cs.berkeley.edu/~daw/papers/ssh-use01.ps
http://www.cs.berkeley.edu/~daw/papers/ssh-use01.pdf
Dawn Xiaodong Song, David Wagner, and Xuqing Tian,
"Timing Analysis of Keystrokes and Timing Attacks on SSH",
10th USENIX Security Symposium, 2001.
http://www.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf
A summary:
http://linux.oreillynet.com/lpt/a/linux/2001/11/08/ssh_keystroke.html
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list