Key stroke timing and timing attack on ssh
This presentation is the property of its rightful owner.
Sponsored Links
1 / 16

Key-Stroke Timing and Timing Attack on SSH PowerPoint PPT Presentation


  • 93 Views
  • Uploaded on
  • Presentation posted in: General

Technion - Israel Institute of Technology Computer Networks Laboratory. Key-Stroke Timing and Timing Attack on SSH. Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie. http:\\comnet.technion.ac.il/~cn19s01. Client. Client. Client. SSH protocol. SSH protocol. SSH protocol.

Download Presentation

Key-Stroke Timing and Timing Attack on SSH

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Key stroke timing and timing attack on ssh

Technion - Israel Institute of Technology

Computer Networks Laboratory

Key-Stroke Timing and Timing Attack on SSH

Yonit Shabtai and Michael Lustig

supervisor: YoramYihyie

http:\\comnet.technion.ac.il/~cn19s01


Ssh overview

Client

Client

Client

SSH protocol

SSH protocol

SSH protocol

SSH protocol

SSH Overview

  • SSH - protocol for secure network transmition.

  • SSH replaces telnet,rsh,rlogin,ftp,etc…

  • Provides authentication, integrity, encryption.

  • Two different protocols: SSH1,SSH2


Ssh2 overview

Payload

Random Padding

Integrity data (MAC)

Packet

length

Padding length

Payload

Random Padding

Integrity data (MAC)

Packet

length

Padding length

encrypted

Optionally compressed

SSH2 overview

  • Transport layer

    • Secure channel - Diffie-Helman key exchange.

    • Server authentication - RSA/DSS signatures (CA opt.)

    • Encryption by CBC cyphers (3DES,Blowfish,…).

    • Integrity of data - Mac (HMAC-SHA1/MD5).

  • User authentication layer

    • Integrity & confidentiality are assumed.

    • Two authentication methodes supported:

      • Public key authentication (CA opt.)

      • Password authentication

  • Connection layer

    • Interactive login sessions, rexec, X11, TCP forwarding.

    • Multiplexing sessions into one channel.


Ssh weaknesses

SSH weaknesses

  • Password is padded to 8 byte boundary (tracking short passwords)

  • In interactive mode, every keystroke is immediately sent in a separate IP packet.

    Keystroke timing leaks information!


Keystroke attack on ssh

Keystroke Attack on SSH


Hidden markov model

Hidden Markov Model

  • Markov process

  • HMM - A Markov model when the current state can not be observed.

  • Outputs of the process are observed.

  • Probability of output depends only on the state.

  • Information on the prior path of the process can be inferred from it’s output.

  • Motivation - efficient algorithms for working with HMM.


Keystroke timing as hmm

q = character pair

y = latency observation

Keystroke Timing as HMM

  • Character pair is the hidden state.

  • Keystroke latency measured is the output observation.

  • Two assumptions:

    • character sequence is uniformly distributed (holds for passwords).

    • Probability distribution of latency, depends only on the current state.


Viterbi algorithm

Viterbi-Algorithm

  • Widely used to solve HMM.

  • The algorithm:

    • (y1,…..,yT) = observations of HMM.

    • (q1,…..,qt) = Most likely sequences.

    • S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt).

Init : V(q1) = P(q1|y1)

Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1)

S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T


Viterbi algorithm example

Output(1)

Output(2)

Output(3)

Viterbi Algorithm example

  • The n-Viterbi algorithm.


System scheme

A

B

Sniffer

System Scheme

Detect SSH session

detect nested SSH

or SU

Keystroke Timing

statistics

n-Viterbi

Possibilities

Password


Key stroke timing test

Key stroke timing test

  • A software that measures keystroke timing latencies and performs statistical operations was developed.

  • We selected four letter keys, two number keys and two upper-case keys for the experiment

  • i a k m 2 3 O J

  • Using these keys we formed 64 key pairs.

  • A user was asked to type each pair 30 times.

  • The mean value, and variance of the latency was calculated for each pair.


Key stroke timing test results

Key stroke timing test results


Information gain analysis

Information Gain Analysis

Attacker without prior knowledge: q RQ

H0[q] = -qQPr(q)log2 [Pr(q)] = log2[|Q|] = 6 [bits]

Attacker knows latency y0 of the keystroke of q RQ

H1[q|y=y0] = -qQPr(q|y=y0)log2 [Pr(q|y=y0)]


Information gain estimation

Information Gain Estimation


Conclusions

Conclusions

  • There are four types of timing distinguishable character pairs.

  • Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information.

  • SSH is not secure as commonly believed.


Key stroke timing and timing attack on ssh

The End

http://comnet.technion.ac.il/~cn19s01


  • Login