Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.

Slides:

Advertisements

Similar presentations

Advertisements

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Ferry Astika Saputra Workshop Administrasi Jaringan TELNET ＆ SSH.

Secure Socket Layer.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Cryptography and Network Security

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

PatReco: Hidden Markov Models Alexandros Potamianos Dept of ECE, Tech. Univ. of Crete Fall

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

Secure Remote Access: SSH. K. Salah 2 What is SSH?  SSH – Secure Shell  SSH is a protocol for secure remote login and other secure network services.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Keystroke Dynamics Jarmo Ilonen. Structure of presentation Introduction Keystroke dynamics for Verification Identification Commercial system: BioPassword.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

SSH Secure Login Connections over the Internet

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Secure Remote Access: SSH. 2 What is SSH?  SSH – Secure Shell  SSH is a protocol for secure remote login and other secure network services over an insecure.

Shell Protocols Elly Bornstein Hiral Patel Pranav Patel Priyank Desai Swar Shah.

User Authentication By Eric Sita. Message Security Privacy: To expect confidentiality from a sender. Authentication: To be sure of someone's identity.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Andreas Steffen, , 11-SSH.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen M. Liebi Institute for Internet Technologies and Applications.

1 TCP/IP Applications. 2 NNTP: Network News Transport Protocol NNTP is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.

Network Security Essentials Chapter 5

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Real Time Protocol (RTP) 김 준

Karlstad University IP security Ge Zhang

Network Security David Lazăr.

Secure Shell (SSH) Presented By Scott Duckworth April 19, 2007.

Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,

BZUPAGES.COM Presentation on TCP/IP Presented to: Sir Taimoor Presented by: Jamila BB Roll no Nudrat Rehman Roll no

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.

Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.

K. Salah1 Security Protocols in the Internet IPSec.

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.

Lecture 6 (Chapter 16,17,18) Network and Internet Security Prepared by Dr. Lamiaa M. Elshenawy 1.

Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.

@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.

Encryption and Security Tools for IA Management Nick Hornick COSC 481 Spring 2007.

Cryptography CSS 329 Lecture 13:SSL.

1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.

CSE 4905 IPsec.

Chapter 18 IP Security  IP Security (IPSec)

Secure Sockets Layer (SSL)

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

Timing Analysis of Keystrokes and Timing Attacks on SSH

SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET

Virtual Private Networks (VPNs)

Timing Analysis of Keystrokes And Timing Attacks on SSH

MESSAGE ACCESS AGENT: POP AND IMAP

Presentation transcript:

Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer Networks Laboratory

SSH Overview SSH - protocol for secure network transmition. SSH replaces telnet,rsh,rlogin,ftp,etc… Provides authentication, integrity, encryption. Two different protocols: SSH1,SSH2 SSH protocol Client SSH protocol Client

SSH2 overview Transport layer –Secure channel - Diffie-Helman key exchange. –Server authentication - RSA/DSS signatures (CA opt.) –Encryption by CBC cyphers (3DES,Blowfish,…). –Integrity of data - Mac (HMAC-SHA1/MD5). User authentication layer –Integrity & confidentiality are assumed. –Two authentication methodes supported: Public key authentication (CA opt.) Password authentication Connection layer –Interactive login sessions, rexec, X11, TCP forwarding. –Multiplexing sessions into one channel. Padding length Random Padding Payload Integrity data (MAC) Packet length Optionally compressed encrypted Padding length Random Padding Payload Integrity data (MAC) Packet length

SSH weaknesses  Password is padded to 8 byte boundary (tracking short passwords)  In interactive mode, every keystroke is immediately sent in a separate IP packet. Keystroke timing leaks information!

Keystroke Attack on SSH

Hidden Markov Model Markov process HMM - A Markov model when the current state can not be observed. Outputs of the process are observed. Probability of output depends only on the state. Information on the prior path of the process can be inferred from it’s output. Motivation - efficient algorithms for working with HMM.

Keystroke Timing as HMM Character pair is the hidden state. Keystroke latency measured is the output observation. Two assumptions: –character sequence is uniformly distributed (holds for passwords). –Probability distribution of latency, depends only on the current state. q = character pair y = latency observation

Viterbi-Algorithm Widely used to solve HMM. The algorithm: –(y 1,…..,y T ) = observations of HMM. –(q 1,…..,q t ) = Most likely sequences. –S(q t ) most likely sequence,ending with q t with posteriori probability of V(q t ). Init : V(q 1 ) = P(q 1 |y 1 ) Iterate : V(q t ) = max (qt-1) P(y t |q t ) P(q t |q t-1 )V(q t-1 ) S(q t ) =argmax (qt-1) P(y t |q t ) P(q t |q t-1 )V(q t-1 ), 2  t  T

Viterbi Algorithm example The n-Viterbi algorithm. Output(1) Output(2)Output(3)

System Scheme AB Sniffer Detect SSH session detect nested SSH or SU n-Viterbi statistics Keystroke Timing Possibilities Password

Key stroke timing test A software that measures keystroke timing latencies and performs statistical operations was developed. We selected four letter keys, two number keys and two upper-case keys for the experiment i a k m 2 3 O J Using these keys we formed 64 key pairs. A user was asked to type each pair 30 times. The mean value, and variance of the latency was calculated for each pair.

Key stroke timing test results

Information Gain Analysis Attacker without prior knowledge: q  R Q H 0 [q] = -  q  Q Pr(q)log 2 [ Pr(q)] = log 2 [|Q|] = 6 [bits] Attacker knows latency y 0 of the keystroke of q  R Q H 1 [q|y=y 0 ] = -  q  Q Pr(q|y=y 0 )log 2 [ Pr(q|y=y 0 )]

Information Gain Estimation

Conclusions There are four types of timing distinguishable character pairs. Though the results are “optimistic”, it is shown that keystroke timing leaks a considerable amount of information. SSH is not secure as commonly believed.

The End