ssh keystroke timing attacks

SSH Keystroke Timing Attacks

Mike HogyeThad HughesJosh Sarfaty

Joe Wolf

SSHThe Secure SHell protocol was created by Tatu Ylönen and others to provide encrypted data

transfers between remote machines

Mmmm…SSH

SSH Weaknesses

SSH can leak information about passwordsApproximate length of password can

be inferred by examining number of packets.

Keystroke Timing Analysis can reduce the search space for brute force attacks.

Password Keystroke Timing

• Users type passwords often• Password keystrokes develop consistent rhythm due to

optimized hand motion• This rhythm can be used to determine characteristics about

the password

Time Between Adjacent Keystrokes vs. Key Typed

0.0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

R ] i p J [ : 4 Enter

Key Typed

Tim

e Be

twee

n Ad

jace

nt K

eyst

roke

s (s

econ

ds)

Trial 1

Trial 2

Trial 3

Trial 4

Trial 5

Trial 6

Trial 7

Trial 8

Time Between Adjacent Keystrokes vs. Key TypedWith Network Latency

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

R ] i p J [ : 4 Enter

Key Typed

Tim

e Be

twee

n Ad

jace

nt K

eyst

roke

s (s

econ

ds)

Trial 1

Trial 2

Trial 3

Trial 4

Trial 5

Trial 6

Trial 7

Trial 8

SSH Immediate Mode• Each keystroke is sent IMMEDIATELY from client to

server, one character per packet• Allows interactive user experience

Passwords & SSH•SSH login does NOT used immediate mode•Password (and username) packets are padded to fixed lengths•No problems, right?

WRONG !!Maybe?

su•UNIX “Switch User” command (used to get root access)•Executed in IMMEDIATE mode

SSH1 su command

Nested SSH•Start new SSH session from within a running SSH session•Username and password sent to server B in immediate mode

So What?• Password lengths can be determined• Reveals timing information of password keystrokes• Academically speaking, this is a lot of information

Is This Practical?• How to detect an “su” command?• How to detect a nested SSH session?• Network latency

Detecting the “su”• Look for the ‘su’ signature• Not as easy as it sounds

“I am a su”

40 40

ack ack

40 40 40 40

ack ack ack

48 48

“s” “u” Return “a” “b” “c” “d” Return

40

ack

ack ack ack

56 566440 40 40 40

ack

ack ack ack

40

Server Response

Client

Server

SSH2 su command

SSH! (nested)• Theoretically similar to detecting ‘su’• In practice, much harder to detect• No definite packet signature for calling

‘ssh’

How late(ncy) is your network

• Random network delay influences observed packet times

• Song’s paper considered latency statistics– Determined that latency is not an issue– Used eight year old statistics– Song’s estimated network latency: 10 ms

• Modern latency easily reaches 170 ms

Internet Latency

Conclusions• Song: Timing analysis can reduce brute-

force password search by a factor of 50• In practice, this is unlikely• Use SSH2

– PuTTY defaults to SSH1