SSH Vulnerability and the Future of SSL 290
iamchris writes "Growing complacent in regards to security is dangerous. I've become more and more dependant on the SSL-type tools for my security... ssh itself, ssl for my web content, scp, sftp, etc... We all know nothing is 100% secure (or if you don't, God help you). An article on Security Focus cites a vulnerability with SSH and passwords. We usually type them in letter-by-letter. A lot of information can be gleaned from the timing of the keystrokes and some (relatively simple) packet decoding. Is there a better alternative to SSL based tools (Perhaps TLS)? Is there anything that can be done with the clients help with the small packet issue?"
Right... (Score:3, Funny)
re: Right... (Score:4, Interesting)
Although funny, it does seem to miss the point, which isn't clearly outlined. Picture it this way......
There are Hundreds of thousands, if not Millions to 10's of Millions of computers out there that use encryption to transmit very important data. Sometimes that data is a trade secret, sometimes that data is Finacial Results that SEC rules say you can't publish yet, sometimes its internal company communication...almost all of which is being sent by Dilbert clones. Sometimes the admin, who may just be a High School teacher (they can't afford admins), chooses to use encryption over the entire network to allow kids to use dictionary passwords.
Anyhow, rule number 1 of security, the overall security of your network is only as good as your weakest link. So maybe the corporate exchanges within the network are all secure, but an employee on a low profile, unimporatant computer uses ssh to access his personal email and not only that it's a dictionary password, it's just email afterall. Now some clever cracker packet sniffs his email typing patterns, and does a brute force attack on his password...Now all that is needed is patience and one person to send the wrong info to that email account. Not only that, but by reading his email, one might be able to know how the company works and then call up one day and socially engineer important information. This COULD happen and if encryption in general and SSH in particular doesn't immediatly change to prevent this sort of attack, it will happen.
In the old days, crackers went through the garbage of a target, before attacking it. (Hell, that is still done.) Now a days, the word "garbage" means different things. It could be a note to a family member that the boss is out of town for the weekend, that the company is moving to Linux next week or maybe even a Dilbert protype emailing himself his own password to the corporate network. At anyrate, this kind of thing is a bit more serious than it sounds at first glance and should be fixed immediately.
But WHY?... (Score:2)
(from the Securityfocus article)
I see how packet capturing could lead to a vulnerability in this. What I *don't* see, is why in the HELL anyone would want to send each letter of the password in a single packet!! I don't see any security benefit to it, and it would seem to make cracking the password slightly easier. It would seem that sending your entire password in one chunk would be more secure.
Can anyone explain to me WHY ssh would do this?
-Kasreyn
Re:But WHY?... (Score:2)
Remember, they're not referring to the password used to establish the SSH session. They're talking about passwords entered during the SSH session.
Give the SSH people some credit.
Oh... (Score:2)
-Kasreyn
SSH2 and Public Key Authentication (Score:4, Informative)
Re:SSH2 and Public Key Authentication (Score:2)
(Then again, the above could be completely off-base...I do graphics software, not security software. :-) )
Re:SSH2 and Public Key Authentication (Score:3, Insightful)
The ssh client doesn't know in general when you are typing a password, but it does know in specific when you are typing the one to start the session. My Java ssh client happens to have "gotten it right" not because I'm smarter then other ssh client authors but because I had a dialog box to ask for the password. I expect a lot of other window system dependent ssh clients work the same way.
Or entering passwords for things on the remote host (like things on the serial devices). However the attacker needs to somehow know when you are entering this other password. It won't normally be easy for them to know. Unless they have created a problem, and called you to ask you to fix it... you can type you password locally and paste them into the ssh client, but that seems painful, and it also mean you password is in the local cut buffer which is an attackable location (and also you might paste it somewhere you didn't want to...). Blech.
Re:SSH2 and Public Key Authentication (Score:3, Informative)
Hmmm, I think you may be right. I don't know enough about the normal SSH code to check, but taking a quick look at mine the password is in a single CMSG_AUTH_PASSWORD packet not the CMSG_STDIN_DATA packets, so I expect everything sends the initial packet as a single chunk. The only thing open to this attack would be passwords sent during a session.
Which means either the authors of the paper took into account the difficulty of guessing what input text is (or might be) the passwords, and we are all in a (modest) bit of trouble, or something fishy is going on here.
Re:SSH2 and Public Key Authentication (Score:2)
This would require some cooperation from programs like the shell - instead of Bash putting the terminal into raw mode and doing its own line editing, it would need persuading that the line editing would be done somewhere else and would send a whole line at a time.
BTW - anyone else see the text at the end of the article saying 'to link to this article, please use the following URL?'.
Re:SSH2 and Public Key Authentication (Score:2)
Re:SSH2 and Public Key Authentication (Score:2)
Re:SSH2 and Public Key Authentication (Score:2)
As for inter-key timing during normal typing (how long does it take you to type "su" vs "of"), it would be surprising and interesting---and more related to ergonomics than to computing---if keys typed were that easy to decode from timing alone. And the article is woefully short on detail there. I don't doubt it's possible, but I do doubt it's easy, and probably requires a good amount of data and intuition to really work.
Re:SSH2 and Public Key Authentication (Score:2)
The danger discussed above is that if each keystroke is sent individualy (instead of in a block) an attacker can monitor the times between keystrokes. If (as is probably the case) differnt transitions of keys take differnt amounts of time then some data can be gotten about what you are typing.
Passwords are precisely the wrong place to worry about this kind of attack. They are the text we type *least* likely to have recognizable delay patterns between various keys (yes it is probably the most consistant timed keystrokes we type but each individual holds their hands quite differntly when they type their password so unless we had actually observed them type in their pawword we would have little knowledge about what kind of keys might correspond to the observed pattern of delays in their password). In addition good passwords (if you have a bad password you already have a much bigger security hole anyway) are some of the most entrpoic pieces of text you type (that is it is the most difficult to make guesses about what a 5 letter pawword is if you know 4 letters than it is to guess what a 5 letter word or name is if you know 4 letters).
In short given the already dubious nature of this attack (no doubt some error will be introduced into the packet timings by the network significantly compounding the already difficult task of guessing keys from key timings) it really isn't passwords people shoule be worried about. More likely would be an attack like this would be used to reconstruct an email where the language structure presents lower entropy and keystroke timings are much easier to deal with.
Re:SSH2 and Public Key Authentication (Score:2)
Use RSA keys (Score:1)
Re:Use RSA keys (Score:2)
Try running tcpdump to capture a password-based ssh login. You won't see one-packet-per-key unless you happen to be in that unfortunate keyboard-interactive mode.
Ssh password authentication does not leak timing information.
TeraTerm (Score:2, Insightful)
- Hyperbolix
Re:TeraTerm (Score:1)
There are lots of script-kiddie tools which can do this, even over a switched LAN etc. Better dont use SSH1.
Re:TeraTerm (Score:1)
I use PuTTY (which supports SSH2) if I need to access stuff on the Linux server at home, but I'm currently using TTSSH to do VNC-over-SSH to access a Win2K workstation behind the server. I know SSH1 has its issues, as you mention...but is there an SSH2 client (preferably at least "free as in beer") for Windows that does port forwarding? I'd rather not give the schmucks who closed off the original SSH my money if I can avoid it. PuTTY is good (small enough to suck down from my server to a remote computer if I need it), but it doesn't do the port forwarding needed to get VNC to work.
Re:TeraTerm (Score:2)
Then yout get pure openssh, along with a whole suite of unix tools on your windows box.
-earl
Re:TeraTerm (Score:2)
SSH2 doesn't have any magic that makes PKI easy. Anyone who tells you otherwise is trying to sell you something.
Re:TeraTerm (Score:1)
I think that most Windows terminal emulators have similar functionality. It seems like a very simple step to take to help preserve passwords. I also find that it's convenient because I like to use a long password and it's easier to correct mistakes that way.
That still doesn't invalidate the general comment, though, which is that SSH and similar protocols are still subject to traffic analysis. Padding with null information, deliberately introducing some timing jitter into keystrokes being sent, etc. can certainly help in that regard. The big thing to remember is that security is relative; you can always find some way of making it a little bit better.
Re:TeraTerm (Score:2)
Linemode SSH. (Score:2)
to go to linemode, where the client sends only
one packet for each section of the session
between carriage returns.
Problem solved.
Re:Linemode SSH. (Score:1)
to go to linemode, where the client sends only
one packet for each section of the session
between carriage returns.
Thats fine for the comand line, but it doesn't work so well for interactive editors.
Re:Linemode SSH. (Score:2)
with a hotkey on the ssh client side. Just say in
the manual - your password will be more secure if you type ctrl-meta-dingbat-thwirble-whoops-wheres-my-thrib
Re:Linemode SSH. (Score:2)
represent both the local typing and what is
echoed, in linemode.
So what? (Score:4, Insightful)
The article pretty much says that keystroke timing can help increase the efficiency of dictionary searches.
Big deal. If your paswords are vulnerable to dictionary searches, then you have bigger problems than keystroke timing vulnerability.
This sounds like a non-issue to me.
Re:So what? (Score:1)
Re:So what? (Score:2)
Brute force would try shorter passwords first. Assuming passwords match \w+, that's 63^letters^. If you check letters-1 passwords first, you've only wasted 1/63rd more time than if you knew the length (well, 1/63 + 1/(63^2) +
Besides, it's trivial to modify SSH clients to check for password prompts and obscure password timing and length (add in backspaces...).
Re:So what? (Score:2)
So, let's say you have an 8 character password now. That's 7 key pairs (1-2, 2-3...7-8). So, you lost 7 bits of "randomness" in your password. Add two more randomish characters, and, assuming that you get 4 bits of entropy per character, you're now better off than you were before. And the brute force is now harder than it was before this attack was considered. 10 characters isn't that much worse than 8.
Pretty damned theoretical (Score:2)
More to worry about if you're paranoid. (Score:1, Troll)
Well, if you use RSA you don't need to type a password so that would solve that particular problem. But if you really want to be paranoid about it, the technology exists to capture your keystrokes. I believe it works by detecting the charge released from depressing each keystroke(the keyboard uses capacitance to send specific characters if I'm not mistaken). So you really need to work behind lead walls or something else that will block that signal from being transmitted.
Again, using RSA would prevent the password from being transmitted. But they could just keep listening, and gather sensitive data as you type away.
Re:More to worry about if you're paranoid. (Score:2)
Just to be clear, you should use a password with RSA keys (otherwise, for instance, root on the system that has your RSA key can impersonate you on the remote system). However, as I understand it, the password used is used to decrypt the RSA key prior to use, and then the decrypted RSA key is used. So yes, it should protect against this (very theoretical) attack.
But then, you were already using RSA keys so that knowing your password on the remote system wasn't sufficient, right?
As an aside, I've found that those cute little credit-card CD-ROMs are excellent for storing your RSA key, and they're usable with just about everything but TiBooks and iMacs - and with the extra space, you can keep known-good SSH binaries for Windows, Mac, and any Unix systems you commonly use on there as well.
Use better password technology (Score:1)
Instead of password auth, use something like s/key, so it really won't matter if the evil cracker gets:
SEWN LULU PIN HOUR PRY YEAROpenBSD [openbsd.org] supports s/key right out of the box, which is spiffy. Or use Public Key authentication, expensive crypto cards, or any of the other alternative authentication techniques out there.
complete non-issue (Score:2, Interesting)
But if you need to worry THAT much about security, then I'd assume you have much bigger problems than that to deal with, such as the FBI or CIA or whoever it is going to such great lengths to figure out your password...
Re:complete non-issue (Score:2)
Humans aren't very good at "random" typing. Instead it is much better to type to some rhythm. I personally like "Shave and a hair cut TWO BITS" repeated over and over again. But hat is mostly because it scares the other people in my office when they hear me sing.
Scaring your co-workers is an important part of any decent security scheme.
New key-gen instructions (Score:2)
Key based authentication (Score:1)
As I understand it, the password just allows you to decrypt the private key w/ a symmetrical cipher. Then the connection is encrypted w/ the public/private key pair. This means they actually have to have physical acess (with read filesystem permissions) to the private key as well as the password.
I think we're safe. (Score:2)
For those using a command-line version, who are really paranoid, you can just vary the rhythm of your strokes (type along with your music!). Or use RSA authentication.
But in general, I don't think anyone needs to worry about this unless they've got a bulls-eye on their backs.
The Best Option... (Score:1)
[Clarify] Some things are perfectly secure (Score:2)
In terms of security, there are some things that *are* perfectly secure. The one-time cipher is an example of this. Unfortunately, the pad of keys must be synchronized at either end of the communication -- and of course you can't transmit these, so practically-speaking, it's not really an option.
There's a neat document outlining "snake-oil" signs in encryption software here [interhack.net].
Re:[Clarify] Some things are perfectly secure (Score:1)
Okay, timing maybe, but there's no sane way to send a one time pad anyway. One lost packet and you die...
use of backspace (Score:1)
You are the Weakest Link... (Score:1)
SSH != SSL (Score:1)
Re:SSH != SSL (Score:2)
Key timing (Score:2)
For thos who are wondering what nagle is, it's an algorithm that helps TCP avoid sending a packet for every key stroke on telnet connections among other things.
Re:Key timing (Score:2)
Yes, but the SSH server may have been compiled
with the NAGLE algorithm explicitly disabled, or
(with SSH2 at least), it can be disabled at run
time in the
config file with the NoDelay keyword.
Re:Key timing (Score:2)
Those people generally don't have to try to squeze performance out of a network.
obscurity (Score:1)
This can be avoided by altering your key timing. How do you do this? Don't use a Qwerty keyboard
Takahashi
keyboard based security (Score:2, Interesting)
So, take the time to learn Dvorak. You'll save minutes each day in typing, and you're hands will feel better, and it should effectively screw up any timing-based password sniffers!
Quick dvorak "graphic":
' , . p y f g c r l / = \
a o e u i d h t n s -
; q j k x b m w v z
Re:keyboard based security (Score:2)
The study says that it will take you slightly longer to hit keys off the 8 home position keys because your finger requires slightly more time to move to that key. If that is a true statement, then a keyboard which places the most commonly used 8 letters in those positions should result in faster typing speeds since your fingers are not traveling to those commonly typed keys.
As for that myth link:
> Other more recent studies, including one by the General Services
> Administration, have shown there is little or no difference between the
> keyboards in such areas as learning ease, speed and comfort.
Where is this study? Okay, that isn't really important. What is important is the bias of economics presented by the quoted article. It also doesn't state until much later than the study the GSA performed has its own critics.
> The two critics also argue that if the Dvorak keyboard was indeed
> superior, then big corporations -- especially back in the days of huge
> typing pools -- would have grasped the long-term economic benefits of
> paying to switch over to the "better" design.
I think the two critics forget how little people in the typing pools were paid. What's cheaper: Retraining someone already skilled with the qwerty keyboard, or hiring another typist to take up the slack? How much extra would it have cost to order Dvorak keyboards from typewriter companies tooled to produce qwerty keyboards?
What's more, while today's
> personal computers can easily be reprogrammed to the Dvorak layout, few
> people do.
You know slashdot has had this argument before. Most people use keyboards at places other than their own desks. When I go over to help someone else with their code, I don't need to be slowed by hunt-n-peck on a qwerty keyboard because I am accustomed to dvorak. This is the reason most people who try learning the dvorak keyboard give up. Qwerty already has market position. How this escaped the researchers, I do not know.
Re:keyboard based security (Score:2)
Good thing I never tried to play NetHack on a Dvorak keyboard... I'd be trying to quaff my armor instead of walking around a sleeping nymph.
time your password keystrokes (Score:2, Interesting)
RickB
How to foil this method of password detection (Score:2, Funny)
This is why I always type drunk.
Ratguy
Re:How to foil this method of password detection (Score:2, Funny)
On the downside, you tend to type "rm" when you mean "mv" and "mke2fs" when you mean "e2fsck", but that's a small price to pay for security!
Key timing (Score:2)
Anyways, even though I might not care, others might. Well, for everyone else, the solution seems pretty simple to me. Have the client read the whole password, then send the response to the server. Now, no matter how slowly you type, as soon as the client gets the password it'll zip it away as fast as possible.
Password use? (Score:2)
I think this applies only to passwords typed during an SSH session, not the password during the authentication phase. As far as I know, during password authentication the password is collected and sent as a single unit, not character by character. Finding information about passwords by watching character timing's not a new attack, and there's one major problem with it: during an encrypted session, how do you tell when the user's typing a password, as opposed to moving around in an editor or something?
Re:Password use? (Score:2)
during an encrypted session, how do you tell when the user's typing a password, as opposed to moving around in an editor or something?
Because when you type in a password (using su, anyway), echo is turned off. su has a fairly strong signature. Command prompt received, two characters sent and echoed, another character sent, then 11 characters (or so, CR+Password: ) sent, then characters being sent without any echo. Surely you could sniff that with a fairly high hit/miss ratio.
Defeat the nagle-disabling, and use public keys! (Score:5, Informative)
When you have Nagle enabled, your keystrokes are aggregated into larger packets, because the next packet is not sent until an ACK for the previous one is received---or you type enough to send a full segment. Or something like that; I leave it to the reader to verify the details of Nagle. In any case, it's clear that Nagle can obscure the timing of individual keystrokes if the latency is high enough to cause aggregation of several characters into one packet.
Secondly, if you use public key authentication, then you won't be typing your SSH password over the network. Of course, other sensitive information may be typed, such as passwords to other systems logged into within the SSH sessions. But the SSH key itself can't be compromised by this timing attack.
Why do key timings... (Score:2)
But when you come right down to risks, passwords are well and good until the information that's password (or passphrase) protected is worth a lot of money to someone or is incriminating to someone else or something like that. You can extract a lot of information from a person with a pair of needle nose pliers. Or the bolt cutters. Cut off a fellows' big toe and threaten to do other body parts. How many here would last even one more toe? Security is relative. Your live goat porn collection is probably pretty safe. A Mafia Don's financial records probably aren't. Especially if the Godfather thinks said Don has been crossing him...
Now, if you are a spy... (Score:2)
it's not so bad. (Score:2)
Don't get upset, get used to it. Expect to see of these in the coming millenium.
BTW, keystroke timing is a pretty old attack. In the past, it's been used for two basic operations: One, who is it? and two, what are they typing.
Everyone has a distinct typing style that can be used as a fingerprint to identify them. If you have an audio recording of someone typing, and a database of recordings of typists with access to the machine, you can figure out which person was at the keyboard.
The more difficult problem is discovering what was typed, but with a little thought and analysis, you can probably get a good idea.
This vulnerability decreases the time for a dictionary search by about a factor of fifty. Congrats to the researchers for exposing this weakness.
An extreme technique (Score:5, Informative)
The technique was as follows:
Person A logs into the client, using a username/password pair. The client then generates an RSA keypair, using hashes of the username and the password as seeds for the random number generator.
The client then contacts a key exchange server. This takes the client public key and the server public key, generates a fresh set of keys for both client and server, encrypts them using the appropriate public key, and sends the keys back as appropriate. (eg: The client gets the client's private key and the server's public key.)
This establishes the link between the client and the server. Each then generates a secret key, using one of a selection of algorithms. (I used Serpent and Rijndael). The secret keys are then exchanged, using the public keys.
The client then uses the original username and password to connect to a Kerberos server, for a ticket.
Only at this point is data allowed to be exchanged between the server and the client, and only for the duration authorised for that ticket.
After random intervals, the secret keys are regenerated, though not necessarily with the same algorithm as before. The new keys are again exchanged with the public keys.
Once the Kerberos ticket expires, the public and private keys are replaced, using the key server. Once the keys are replaced, the Kerberos server can be contacted to refresh the ticket.
The reason for this amazingly convoluted system? I wanted a system that could run on an untrusted network, with an untrusted client AND an untrusted server.
The challange was to devise a system that provided sufficient checks that a compromise at ANY point would not yield useful information.
In practice, that's very hard to do. Compromise the database, and you have the data. There's not a lot you can do about that. Compromise the front-end server, and you can mimic anything. Again, there's not a lot you can do to stop that.
The way I approached this (and PLEASE remember that this is NOT my field, and others will have vastly superior techniques) was to insist on all data, at both ends, being encrypted as far back in the system as possible, using keys with very limited lifespans.
The idea here is to reduce the window of opportunity by as much as possible. The idea of using multiple algorithms, public-key encryption, etc, was to soak-off as much of the window as possible with trying possibilities out.
(Note to non-Wargamers: Soak-offs are where you use a trivial piece to divert a much more significant piece of your opponent, so that you can defeat what's left with relative ease. In this case, I used the "trivial" problem of picking the right algorithm to soak-off the processing power of the opponent. My "main forces" (encryption, intrusion detection, etc) could then walk right over whatever was left.)
Wargaming and computer security, IMHO, are very closely related. However, legal issues prevent me from applying my favourite tactic in "Squad Leader" and "Advanced Squad Leader" -- steamroller one flank, setting fire to everything behind me so I can't be encircled. I'd love to see a Black Hat vs. 3 stacks of 3 x 8-4-3's with HMG's, and a 10-2 leader, but I suspect that would be considered excessive by The Powers That Be.
Re:couple of questions (Score:2)
Yes, the date/timestamp was used to salt the seed. (Hey! Salted sunflower seeds!
The client doesn't know anything about the server, at the start. It only knows about its own keys at that point. The key server knows the initial public keys of both server and client, and then both key-pairs for both server and client. This information is securely wiped after being sent. After the exchange, the client knows the server's public key, but not its own.
The client and the server aren't interested in validating -who- they are, per se, initially. What they are concerned with is establishing a line of communication which is effectively untappable. Once that line has been established, the line is considered secure enough to send the identifying information (eg: the Kerberos login and ticket). That information is then used to authenticate.
The purpose of setting up a secure line first effectively blocked the SSH attack mentioned earlier, of examining delay between keystrokes, packet-size, etc. Because you don't know -how- the data has been encrypted (only that it has), you don't know how the packet sizes compare.
The keys are for either the serpent or rijndael cypher. Which one is picked entirely at random, each time this stage is completed. To make sure that both client and server are expecting the same algorithm, the choice needs to be sent over the public-key connection.
Because the encryption code was the same for both the client and server, the server must also authenticate itself on the Kerberos server. (Oops! Forgot to mention this.) This means that the server can authenticate itself to the client, in the same way as the client does to the server.
Yes, refreshing is to limit the damage. If any one key is obtained, then anyone with that key can systematically break any information in the chunk that that key was valid for, assuming they logged every packet. By changing the secret keys frequently, then the direct damage possible is very minimal. All they can do is read, and only a small chunk at that.
If a public or private key is compromised, then you've a tougher problem, as these carry the secret keys and methods. The best I could come up with there was to use two rounds of public key exchange, to make it difficult for someone to keep track of who's keys are who's and for what. It's not foolproof, but it's something.
The Kerberos server is "vulnerable", but as it is talked to via this virtual private network, it can be "behind" the main server, and therefore not visible to the outside network.
Physical security is a problem, yes. That is tackled by having a distributed system. (You've three servers, but you don't necessarily know which one does what.) Because of this, even the administrator doesn't know, at any given power-up, which machine is doing what. A physical attack would require the compromise of ALL machines in the group to be compromised. This doesn't -stop- a physical attack - you can't, really. All you can do is scale up the problem to make it impractical for the information.
Social engineering is another difficult problem. Anybody can figure out the username and password for a person. The only way to avoid this would be to have client-side certificates, but your average user is unlikely to want to mess with those.
All in all, the "best" way to limit the damage of social engineering is to have the user input as LATE in the process as possible. That way, you've got to dig your way through all the other layers in order to even make use of the information.
Hopefully this clears up the concept up a little. As I said, this isn't my field, so any inaccuracies are entirely due to my pet hamster lying to me.
gimme encrypted keystrokes (Score:2)
to be REALLY paranoid, I'd like a terminal client that waited for the enter/return key to be pressed before sending the packets - collect each command locally and only transmit upon completion. BUT the actual keypresses shoudl be immediately encrypted as they are typed in RAM - so there is never a plaintext version of the password (or in factm anything you type!)
I think Stephenson invented this idea in Cryptonomicon - it was secureEmacs or something like that...
ssh compression (Score:2, Informative)
vulnerability ? (Score:2)
Or calling any security system vulnerable because if someone sees you type the password, that can 'crack' the security.
Also, it seems to me you would have to know a lot about the person typing the password.Everything from typing speed, to state of there mind at the time of typing the password.
This is a serious attack (Score:2, Informative)
I am not one of the authors. Everything I write here is the result of informative discussions with Dawn Song, one of the authors on the ssh paper.
All ssh implementatons send your password in one packet (when using password authentication). However, if you ssh from A to B, and then from B to C, the fact that your password is sent from B to C in one packet isn't helping you a whole lot, since it was sent one character at a time from A to B. Using RSA authentication doesn't help, since you have to enter a password to access the key stored on B. This password will be sent one character at a time from A to B. This multihop ssh-ing is a common practice, so this is a serious threat.
Sombody else claimed that it was only effective against passwords which were susceptible to a dictionary attack. This is a non-sensical statement. The best way to describe what the attack does is in terms of bits of information gained, but I'll simply say that, with this attack, you usually only have to search about 1% of the possible passwords to find the right one.
Others have suggested using one finger to type, or using a dvorak keyboard, or deliberately typing in a random fashion. Using one finger or typing randomly will work. However, a dvorak keyboard would only change the keyboard model. The attacker could still perform the same attack, but using that model instead of the qwerty one.
As for remedies, inserting random jitter in ssh is not effective. By watching several logins, an attacker could average out the jitter to get the real timings. Changing ssh to send packets at regular intervals, or using line mode, will eliminate all timing information.
Although this attack was presented in terms of gathering passwords, it's also effective (perhaps even more effective) for recovering english text. In fact, the information recovered is about 1.2 bits/keypair, and english only has about 1.2 bits/letter of entropy. So in essence, because of this attack, YOU SHOULD CONSIDER SSH TO BE EFFECTIVELY EQUIVALENT TO NO ENCRYPTION AT ALL. You should not make light of this attack unless you would be willing to use telnet.
Somebody also said that this was extreme paranoia because one could just park a tempest van outside your window to get the text you type. But tempest vans are expensive and hard to operate. Breaking into routers is easy. This attack could easily be scripted, but I know of no tempest-van scripts in wide use. So the threat here is tremendous.
The best solution is to randomize your typing until ssh is modified to send packets at regular intervals.
Best,
Rob
Re:This is a serious attack (Score:2, Insightful)
So while I wholeheartedly agree with you that this is a serious attack, I don't agree that it reduces the security of ssh to that of telnet.
Re:This is a serious attack (Score:2)
One question, though: how do you determine which packets in the session are part of a password? And if you can't do that, how do you decide which timing information is to be used in breaking a password?
Seems to me this is not exactly a trivial job, and makes the attack fairly useless except in special situations where the attacker has knowledge of the exact sequence the user will be following.
Re:This is a serious attack (Score:2)
Not too hard, provided you limit your attack fodder to newly initialized SSH sessions.
If user logs in from A to B, then starts a new session to C, you can tell that session started because you see the initial traffic from B to C's port 22.
It's not that hard to then time all traffic from A to B's port 22, until such time as another packet (the complete password) goes from B to C's port 22. And as a bonus, you know that last packet from A to B/22 was enter, so you can use that in your timing.
Re:This is a serious attack (Score:3, Interesting)
1) If your passwords are dictionary crackable you have problems even without keytiming sniffing. You can crack a dictionary password using the WHOLE dictionary in less than 10 seconds, why should eliminating 95% of the keyspace be that valuable in this case?
2) If your passwords are not dictionary crackable than the keyspace is HUMONGOUS and eliminating 99% of that keyspace (multiplying by a constant) will leave you with another HUMONGOUS keyspace. Multiplying by constants is never a good way to reduce keyspace size, even if it is
3) No, one-handed random blindfolded two-finger backwards DVORAK standing-on-your-head typing will NOT help. NO ONE WILL DO IT.
4) No, this is not as horrible as Telnet. A VERY VERY small percentage of people that might be sniffing your network have the skills, motivation and time necessary to analyze your keystroke timing and use that information to any useful extent.
5) Yes, random jitter WOULD be effective. Random jitters don't even come close to averaging out to the real timings unless someone sits there and types there password over and over for several thousand iterations.
Now, for unrelated points of interest:
Anyone that types with any sizeable ammount of speed will not show enough difference in keystroke timings for it to be helpful in any useful way. And I would guess that most people that SSH on a regular basis are pretty good touch typists.
Fine, sending packets at regular intervals, and, more importantly, grouping keystrokes together, is a good solution. However, the situation is not nearly as dire as you would have us believe.
Justin Dubs
Rose misses the point (Score:2)
Login is not the only application of passwords. Many people enter passwords for su or sudo. Such passwords are vulnerable to this attack, in the sense that it would make it 50x easier to crack a stolen password file.
Typing (Score:3, Funny)
I usually just mash the keyboard with my fist in one shot. Sure, it takes a little longer than normal typing to get the right password, but no one's going to be guessing MY password.
Re:Typing (Score:2)
I just cut and paste my password from a text file - good luck trying to glean information out of the keystroke timing, guys!
It's traffic analysis, and it isn't just for SSH (Score:3, Interesting)
So in other words, the strategies they describe here for attacking SSH could be equally effective for most any asynchronous network protocol where you could try to infer information from the rhythm of the rate of data transfer. Further, there is ultimately no general solution, only incremental defenses against the general strategy:
So, as is often the case, if you want perfect security you can only have it at the expense of tremendous overhead, and ultimately you have to decide how far you want to take your defense against chaos theory before deciding that you just have to accept a certain degree of risk. Ultimately, there is no defense and you always have to accept that risk.
SSH public keys (Score:3, Insightful)
First, password authentication should be disabled, in favor of public key authentication. Second, only encrypted private keys are allowed for login sessions; an ssh agent will be recommened to minimize the inconvenience of repeatedly typing pass phrases. *Long* pass phrases will be recommended. (Note that you can't actually enforce the last two, they're just a matter of procedure.) In cases such as automated scripts which can not use encrypted private keys, a key pair will be generated *for each task*. The public key, when installed, will have the command specified so that the key pair can be used to execute *ONLY* one command.
In addition, all authorized public keys will be kept in a document on an HTTP server. A cron job (python script) will run at least once a day to fetch that list, and compare all of the private keys installed on the system to the authorized list. Any key which isn't in the master list will be removed from the system, and the network admin will be alerted.
Maybe similar procedures would benefit others. Does anyone see holes in this procedure?
Re:SSH public keys (Score:2)
No you can't. You still have to get access to the other machines and add your key. The only thing the script does is *remove* unauthorized, unlisted keys. It means that we can quickly and easily expire a key if it gets compromised, or the owner leaves.
Re:SSH public keys (Score:2)
Looks like your best encryption device... (Score:2)
Probably, a lot of the gain in cracking efficiency is due to simply the character transition probabilities (e.g., 'q' is almost always followed by 'u'), independent of their timing. In that case, simply obfuscating the timing might not help all that much.
Attack more complicated than article suggests (Score:2)
If the attacker knows when to look, they have some chance of guessing a password you type over an SSH connection, either for the next hop, for su, or for something else like that.
In the case of connecting to a 3rd host, they get tipped off as to when to look by the 2nd connection; you form the 2nd connection, and then type your password over the 1st connection. Note that this attack requires that they detect both connections, and make timing measurements on the 1st one to get the password on the 2nd.
A few ideas (Score:2)
Secure connections could send random amounts of null data at random times. To make it a lesser bandwidth problem, only have this excess data be produced when the client is sending stuff (ie, keep sending junk for a few seconds, then go quiet until the next keypress). It wouldn't be recommended for slow connections (like with modems) though..
Also, you could try to use different keyboard layouts (dvorak or other) to make it harder to guess what key is being pressed at a particular time.
I had thought of this a few months ago (Score:2)
It's easy to say that, I know, but it's true. :-)
When I first started using ssh, I thought of this. I mentioned the idea as a security vulnerability to a friend, and he dismissed it. I should've written it up, but I felt I should do tests first.
A good way to defeat this is to have ssh send packets every tenth of a second unless it hasn't gotten any data to send in more than 15 seconds, or if it has a lot of data to send. In the first case (no data for 15 seconds) it should stop sending, and in the second case it should send as soon as it has x (where x is probably something like 256) bytes of data to send.
This will add latency, up to a whole 100 milliseconds worth, but that would greatly reduce the problem.
Re:I had thought of this a few months ago (Score:2)
Re:I had thought of this a few months ago (Score:2)
Sure it is for, say, Quake, but it isn't too bad for typing. That's what I do over SSH. If I were playing something like 'hunt' I guess it'd be a problem, but I never have yet played twitch games over ssh.
Shitty unix products (Score:2)
Not about login password (Score:5, Insightful)
for (i = 0; i < options.number_of_password_prompts; i++) {
if (i != 0)
error("Permission denied, please try again.");
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
ssh_put_password(password);
memset(password, 0, strlen(password));
xfree(password);
packet_send();
packet_write_wait();
type = packet_read(&payload_len);
if (type == SSH_SMSG_SUCCESS)
return 1;
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to
passwd auth", type);
}
Many people do not understand this. Some believe they are protecting themselves from this risk via RSA authentication. Of course they're not, because the risk only affects passwords in session:
- gorf: My solution is simply not to use passwords at all; I use RSA keys exclusively...
- SagSaw: The best way I can think of is to use the RSA key authentication method. A RSA key pair is used to authenticate, rather than a password. This way, the password is never typed over the network connection.
- Pinball Wizard: Well, if you use RSA you don't need to type a password so that would solve that particular problem.
- subsolar2: I use RSA authentication for remote access, and have since day one. So the only real worry is somebody getting a copy of my private key...
- Greyfox: As has been noted, RSA is the way to go, at least with SSH authentication...
Others think that a GUI client is more secure entering a password in a dialog box suggests batch processing:- stripes: My Java ssh client happens to have "gotten it right" not because I'm smarter then other ssh client authors but because I had a dialog box to ask for the password.
- Hyperbolix: Teraterm
... has several SSH extensions. I beleive one of them has you type in the password all at once and then sends it as a single string, which means that key timing can't be determined. - rgmoore: I think that most Windows terminal emulators have similar functionality. It seems like a very simple step to take to help preserve passwords.
- garcia: don't most GUI terminal packages (including MacSSH, etc) all send it as a single string (SecureCRT)?
- Rimbo:
...I use the free ttssh extension to the freeware terminal program Tera Term. When it asks you for a password, it captures everything in a dialog box, and sends the password as one chunk.
- Jormundgard: Also, every SSH program I've used in windows takes in the whole password before sending it along.
The very few who got it:And who, pray tell, enables password auth? (Score:2)
If you don't have a private/public key pair, and if your public key isn't in the authorized_keys file of the target machine, then you don't deserve to log on. Tunneling passwords over the system is neither needed nor safe, and not just because of this article's hack.
If you allow SSH to do password authentication, then SSH is little better than Telnet in terms of protecting you from a poorly chosen password. While a sniffer might not be able to extract the password, you can still try a dictionary attack.
Force your users to use a keypair. Force them to put a passphrase on the keypair so that just stealing the key isn't enough.
Remember, the best security is something you are (restriction by host IP), something you have (posession of the private key), and something you know (the passphrase for the key.)
I can understand but why? (Score:3)
That is the only way you can call something secure.
Re:Get real (Score:1)
Some of us do. When I'm at home, I'm not in danger of bad things(tm) happening like this, but when I'm setting up inter-office communications here at work, I have to concern myself with the fact that there are competitors out there who will try such things. And for those who use SSH and the like for government work, this is a genuine concern.
And in some cases, it's just like closing the blinds to your house. No, there probably isn't anyone outside peering in the window, but there's no need to allow unwanted peeping.
I have to agree (Score:3, Funny)
Then again, perhaps my typo rate (and requisite back spaces) have helped me all this time.
Re:Get real (Score:2)
(The good thing is that it gives me LOTS of useful experience with Snort, AIDE, Tripwire and other tools.)
Sniffing is also done quite a bit (from what I've heard on IRC channels). I've done it myself (ksniffer is real nice).
On shared networks this sort of thing is almost trivial.
Don't type your passwords! (Score:2)
If you're going to be paranoid, why be paranoid by half measures?
Re:It's not that terrible... (Score:2)
Re:Doesn't sound so insecure (Score:2)
Re:don't send password: use SRP (Score:2)
Re:Don't over react (Score:2)
1) Create a non-root user and add them to the wheel group
2) Disable ftp access to members of the wheel group
3) Disable ssh logins from root
3) Allow only members of the wheel group su privilages
No problem.
Except because of an INSANE (IMHO) argument from RMS, GNU su doesn't support the wheel group convention.
I guess you could always just chmod the su file so that only members of the wheel group could execute it...