Presentation is loading. Please wait.

Presentation is loading. Please wait.

Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.

Published byJuliet Logan Modified over 8 years ago

Similar presentations

Presentation on theme: "Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer."— Presentation transcript:

1 Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer Networks Laboratory http:\\comnet.technion.ac.il/~cn19s01

2 SSH Overview SSH - protocol for secure network transmition. SSH replaces telnet,rsh,rlogin,ftp,etc… Provides authentication, integrity, encryption. Two different protocols: SSH1,SSH2 SSH protocol Client SSH protocol Client

3 SSH2 overview Transport layer –Secure channel - Diffie-Helman key exchange. –Server authentication - RSA/DSS signatures (CA opt.) –Encryption by CBC cyphers (3DES,Blowfish,…). –Integrity of data - Mac (HMAC-SHA1/MD5). User authentication layer –Integrity & confidentiality are assumed. –Two authentication methodes supported: Public key authentication (CA opt.) Password authentication Connection layer –Interactive login sessions, rexec, X11, TCP forwarding. –Multiplexing sessions into one channel. Padding length Random Padding Payload Integrity data (MAC) Packet length Optionally compressed encrypted Padding length Random Padding Payload Integrity data (MAC) Packet length

4 SSH weaknesses  Password is padded to 8 byte boundary (tracking short passwords)  In interactive mode, every keystroke is immediately sent in a separate IP packet. Keystroke timing leaks information!

5 Keystroke Attack on SSH

6 Hidden Markov Model Markov process HMM - A Markov model when the current state can not be observed. Outputs of the process are observed. Probability of output depends only on the state. Information on the prior path of the process can be inferred from it’s output. Motivation - efficient algorithms for working with HMM.

7 Keystroke Timing as HMM Character pair is the hidden state. Keystroke latency measured is the output observation. Two assumptions: –character sequence is uniformly distributed (holds for passwords). –Probability distribution of latency, depends only on the current state. q = character pair y = latency observation

8 Viterbi-Algorithm Widely used to solve HMM. The algorithm: –(y 1,…..,y T ) = observations of HMM. –(q 1,…..,q t ) = Most likely sequences. –S(q t ) most likely sequence,ending with q t with posteriori probability of V(q t ). Init : V(q 1 ) = P(q 1 |y 1 ) Iterate : V(q t ) = max (qt-1) P(y t |q t ) P(q t |q t-1 )V(q t-1 ) S(q t ) =argmax (qt-1) P(y t |q t ) P(q t |q t-1 )V(q t-1 ), 2  t  T

9 Viterbi Algorithm example The n-Viterbi algorithm. Output(1) Output(2)Output(3)

10 System Scheme AB Sniffer Detect SSH session detect nested SSH or SU n-Viterbi statistics Keystroke Timing Possibilities Password

11 Key stroke timing test A software that measures keystroke timing latencies and performs statistical operations was developed. We selected four letter keys, two number keys and two upper-case keys for the experiment i a k m 2 3 O J Using these keys we formed 64 key pairs. A user was asked to type each pair 30 times. The mean value, and variance of the latency was calculated for each pair.

12 Key stroke timing test results

13 Information Gain Analysis Attacker without prior knowledge: q  R Q H 0 [q] = -  q  Q Pr(q)log 2 [ Pr(q)] = log 2 [|Q|] = 6 [bits] Attacker knows latency y 0 of the keystroke of q  R Q H 1 [q|y=y 0 ] = -  q  Q Pr(q|y=y 0 )log 2 [ Pr(q|y=y 0 )]

14 Information Gain Estimation

15 Conclusions There are four types of timing distinguishable character pairs. Though the results are “optimistic”, it is shown that keystroke timing leaks a considerable amount of information. SSH is not secure as commonly believed.

16 The End http://comnet.technion.ac.il/~cn19s01

Download ppt "Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer."

Similar presentations

IPSec.

IPSec.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Ferry Astika Saputra Workshop Administrasi Jaringan TELNET & SSH.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Ferry Astika Saputra Workshop Administrasi Jaringan TELNET & SSH.
Secure Socket Layer.

Secure Socket Layer.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Cryptography and Network Security

Cryptography and Network Security
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
PatReco: Hidden Markov Models Alexandros Potamianos Dept of ECE, Tech. Univ. of Crete Fall 2004-2005.

PatReco: Hidden Markov Models Alexandros Potamianos Dept of ECE, Tech. Univ. of Crete Fall
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Secure Remote Access: SSH. K. Salah 2 What is SSH?  SSH – Secure Shell  SSH is a protocol for secure remote login and other secure network services.

Secure Remote Access: SSH. K. Salah 2 What is SSH?  SSH – Secure Shell  SSH is a protocol for secure remote login and other secure network services.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Keystroke Dynamics Jarmo Ilonen. Structure of presentation Introduction Keystroke dynamics for Verification Identification Commercial system: BioPassword.

Keystroke Dynamics Jarmo Ilonen. Structure of presentation Introduction Keystroke dynamics for Verification Identification Commercial system: BioPassword.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Similar presentations

Ads by Google