Key stroke timing and timing attack on ssh
1 / 16

Key-Stroke Timing and Timing Attack on SSH - PowerPoint PPT Presentation

  • Uploaded on

Technion - Israel Institute of Technology Computer Networks Laboratory. Key-Stroke Timing and Timing Attack on SSH. Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie. http:\\ Client. Client. Client. SSH protocol. SSH protocol. SSH protocol.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Key-Stroke Timing and Timing Attack on SSH' - hansel

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Key stroke timing and timing attack on ssh

Technion - Israel Institute of Technology

Computer Networks Laboratory

Key-Stroke Timing and Timing Attack on SSH

Yonit Shabtai and Michael Lustig

supervisor: YoramYihyie


Ssh overview




SSH protocol

SSH protocol

SSH protocol

SSH protocol

SSH Overview

  • SSH - protocol for secure network transmition.

  • SSH replaces telnet,rsh,rlogin,ftp,etc…

  • Provides authentication, integrity, encryption.

  • Two different protocols: SSH1,SSH2

Ssh2 overview


Random Padding

Integrity data (MAC)



Padding length


Random Padding

Integrity data (MAC)



Padding length


Optionally compressed

SSH2 overview

  • Transport layer

    • Secure channel - Diffie-Helman key exchange.

    • Server authentication - RSA/DSS signatures (CA opt.)

    • Encryption by CBC cyphers (3DES,Blowfish,…).

    • Integrity of data - Mac (HMAC-SHA1/MD5).

  • User authentication layer

    • Integrity & confidentiality are assumed.

    • Two authentication methodes supported:

      • Public key authentication (CA opt.)

      • Password authentication

  • Connection layer

    • Interactive login sessions, rexec, X11, TCP forwarding.

    • Multiplexing sessions into one channel.

Ssh weaknesses
SSH weaknesses

  • Password is padded to 8 byte boundary (tracking short passwords)

  • In interactive mode, every keystroke is immediately sent in a separate IP packet.

    Keystroke timing leaks information!

Hidden markov model
Hidden Markov Model

  • Markov process

  • HMM - A Markov model when the current state can not be observed.

  • Outputs of the process are observed.

  • Probability of output depends only on the state.

  • Information on the prior path of the process can be inferred from it’s output.

  • Motivation - efficient algorithms for working with HMM.

Keystroke timing as hmm

q = character pair

y = latency observation

Keystroke Timing as HMM

  • Character pair is the hidden state.

  • Keystroke latency measured is the output observation.

  • Two assumptions:

    • character sequence is uniformly distributed (holds for passwords).

    • Probability distribution of latency, depends only on the current state.

Viterbi algorithm

  • Widely used to solve HMM.

  • The algorithm:

    • (y1,…..,yT) = observations of HMM.

    • (q1,…..,qt) = Most likely sequences.

    • S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt).

Init : V(q1) = P(q1|y1)

Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1)

S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T

Viterbi algorithm example




Viterbi Algorithm example

  • The n-Viterbi algorithm.

System scheme




System Scheme

Detect SSH session

detect nested SSH

or SU

Keystroke Timing





Key stroke timing test
Key stroke timing test

  • A software that measures keystroke timing latencies and performs statistical operations was developed.

  • We selected four letter keys, two number keys and two upper-case keys for the experiment

  • i a k m 2 3 O J

  • Using these keys we formed 64 key pairs.

  • A user was asked to type each pair 30 times.

  • The mean value, and variance of the latency was calculated for each pair.

Information gain analysis
Information Gain Analysis

Attacker without prior knowledge: q RQ

H0[q] = -qQPr(q)log2 [Pr(q)] = log2[|Q|] = 6 [bits]

Attacker knows latency y0 of the keystroke of q RQ

H1[q|y=y0] = -qQPr(q|y=y0)log2 [Pr(q|y=y0)]


  • There are four types of timing distinguishable character pairs.

  • Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information.

  • SSH is not secure as commonly believed.

The End