key-stroke timing and timing attack on ssh yonit shabtai and michael lustig supervisor: yoram yihyie...
TRANSCRIPT
Key-Stroke Timing and Timing Key-Stroke Timing and Timing Attack on SSHAttack on SSH
Yonit Shabtai and Michael Lustig
supervisor: Yoram Yihyie
Technion - Israel Institute of Technology
Computer Networks Laboratory
http:\\comnet.technion.ac.il/~cn19s01
SSH OverviewSSH Overview
SSH - protocol for secure network transmition.
SSH replaces telnet,rsh,rlogin,ftp,etc… Provides authentication, integrity,
encryption. Two different protocols: SSH1,SSH2
SSH protocol SSH protocol
Client Client
SSH protocol SSH protocol
Client
SSH2 overviewSSH2 overview
Transport layer– Secure channel - Diffie-Helman key exchange.– Server authentication - RSA/DSS signatures (CA opt.)– Encryption by CBC cyphers (3DES,Blowfish,…).– Integrity of data - Mac (HMAC-SHA1/MD5).
User authentication layer– Integrity & confidentiality are assumed.– Two authentication methodes supported:
• Public key authentication (CA opt.)• Password authentication
Connection layer– Interactive login sessions, rexec, X11, TCP forwarding.– Multiplexing sessions into one channel.
Padding length
Random Padding
PayloadIntegrity data
(MAC)Packet length
Optionally compressed
encrypted
Padding length
Random PaddingPayload
Integrity data
(MAC)
Packet length
SSH weaknessesSSH weaknesses
Password is padded to 8 byte boundary (tracking short passwords)
In interactive mode, every keystroke is immediately sent in a separate IP packet.
Keystroke timing leaks information!
Keystroke Attack on SSHKeystroke Attack on SSHtime
time
"s " "u " "en te r" "y" "o " "n " "i" "t" "en te r"
"P assw ord :" "p rom pt"
Adversary
a
b
ceavesdrop
SSH
SSH
Hidden Markov ModelHidden Markov Model
Markov process HMM - A Markov model when the current state
can not be observed. Outputs of the process are observed. Probability of output depends only on the state. Information on the prior path of the process can
be inferred from it’s output. Motivation - efficient algorithms for working with
HMM.
Keystroke Timing as HMMKeystroke Timing as HMM
Character pair is the hidden state. Keystroke latency measured is the output
observation. Two assumptions:
– character sequence is uniformly distributed (holds for passwords).
– Probability distribution of latency, depends only on the current state.
q = character pair
y = latency observation
Viterbi-AlgorithmViterbi-Algorithm
Widely used to solve HMM. The algorithm:
– (y1,…..,yT) = observations of HMM.
– (q1,…..,qt) = Most likely sequences.
– S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt).
Init : V(q1) = P(q1|y1)
Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1)
S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T
Viterbi Algorithm exampleViterbi Algorithm example
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
• The n-Viterbi algorithm.
Output(1) Output(2) Output(3)
q 1
q 2
q s
1
1
1
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
q 1
q 2
q s
q 1
q 2
q s
t = 1 t = 2 t = 3
System SchemeSystem Scheme
A B
Sniffer
Detect SSH session
detect nested SSHor SU
n-Viterbistatistics
Keystroke Timing
Possibilities
Password
Key stroke timing testKey stroke timing test
•A software that measures keystroke timing latencies and performs statistical operations was developed.
• We selected four letter keys, two number keys and two upper-case keys for the experiment
i a k m 2 3 O J
•Using these keys we formed 64 key pairs.
•A user was asked to type each pair 30 times.
•The mean value, and variance of the latency was calculated for each pair.
Key stroke timing test resultsKey stroke timing test results
Information Gain AnalysisInformation Gain Analysis
Attacker without prior knowledge: q RQ
H0[q] = -qQPr(q)log2 [ Pr(q)] = log2[|Q|] = 6 [bits]
Attacker knows latency y0 of the keystroke of q RQ
H1[q|y=y0] = -qQPr(q|y=y0)log2 [ Pr(q|y=y0)]
qPqy
qPqy
yP
qPqyyq
][]|Pr[
][]|Pr[
][
][]|Pr[]|Pr[
0
0
0
00
Information Gain EstimationInformation Gain Estimation
001010 ]|[]Pr[][]|[][ dyyyqHyqHyqHqHI [bits]3.3147 2.6853 6
Conclusions Conclusions
•There are four types of timing distinguishable character pairs.
•Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information.
•SSH is not secure as commonly believed.
The End
http://comnet.technion.ac.il/~cn19s01