20

This paper:

https://www.usenix.org/legacy/events/sec01/full_papers/song/song.pdf

Explains how SSH can be compromised by analyzing the timing of the keystrokes to guess what the user is typing. It's about 12 years old.

I heard that this attack vector was solved in SSH long ago by sending keystrokes at random intervals.

However, out of curiosity, I fired up Wireshark and started an SSH connection to a Debian host. I typed in characters slowly and saw that a packet is being sent for each character, but there are no other packets sent besides. Then where is the defense against the timing attack?

Ram Rachum
  • 1,998
  • 2
  • 19
  • 20

2 Answers2

17

SSH does not actually defend against keystroke timing attacks. To my knowledge, no actual case of password recovery through timing analysis of a SSH connection has been spotted in the wild; however, since nobody in particular would have kept me informed if that had been the case, what does it prove ?

This report claims that the Song-Wagner-Tian attack is too difficult to pull off on a practical network, because the latency implied by the network masks the delays between key strokes. One may notice that the purported attack relies on a learning phase in which delays between two specific letters are first gathered (for a specific victim); that phase looks hard to do in practice. Another vexing issue is that an oft-typed password usually has its own delay patterns; that is, when you type the same password again and again, the delay between, say, a 'v' and a subsequent 'o' occurring in the password will be quite distinct from the delay measured when the "vo" letters appear in a non-password text that you also type.

Note: SSH includes some random padding, at least four random bytes (see the standard), but this is meant to avoid some potential weaknesses of the used block cipher. It does nothing about timing.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • 1
    I hate to say it, but your note isn't entirely correct. The SSH standard supports random padding, but it is [not actually used](https://security.stackexchange.com/q/185726/106285) by any implementations. The CBC padding is something completely different. – forest Apr 09 '22 at 18:06
6

I suppose your question is about:

WASHINGTON--A team of researchers from the University of California at Berkeley revealed two weaknesses in Secure Shell (SSH) implementations Friday that allow an eavesdropper to learn the exact length of a user's password by observing the rhythm of their keystrokes. By using advanced statistical techniques on timing information collected over the network, researchers also found that the eavesdropper can learn significant information about what users type in SSH sessions.

Note that this attack is using heuristics to detect when you type your password and then counts the characters, thus revealing the length. Mainly this can be done because passwords are part of your motoric memory meaning you can type it really fast because you have typed it a lot of times before. So if an attacker sees a rapid succession of characters (faster than your other keystrokes) then he knows that it probably is your password.

As you understand if you type your characters slowly, there is no way of analyzing this using standard heuristics. The heuristics will fail because you are not doing the normal expected behavior when typing your password.

forest
  • 65,613
  • 20
  • 208
  • 262
Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • 2
    Of course, it isn't terribly critical to keep the length of your password a secret, as long as it is a reasonable length. Compare [How critical is it to keep your password length secret?](https://security.stackexchange.com/q/92233/2138) – user Feb 10 '17 at 22:47