Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner, Xuqing Tian Publish: Usenix Security Symposium 2001 Presented by: Hua Zhang

Presentation for CDA6938 Network Security, Spring 2006 Contributions Show that minor weaknesses of SSH can leak significant information Propose a way to infer key sequences from inter- keystroke timing Implement a real attack system Propose countermeasures for the attack

Presentation for CDA6938 Network Security, Spring 2006 Outline Introduction Weakness of SSH Eavesdropping SSH Analysis of Inter-keystroke Timing Inferring Character Sequences Herbivore Password Inference for Multiple Users Conclusion

Presentation for CDA6938 Network Security, Spring 2006 Introduction Telnet, rlogin, ftp –Pass all information without encryption –In broadcast-based networks (e.g. Ethernet), attacker can eavesdrop the network to get all communicated information SSH (Secure Shell) –Offer an encrypted channel between the host and the server –Authentication of host and server

Presentation for CDA6938 Network Security, Spring 2006 Introduction

Presentation for CDA6938 Network Security, Spring 2006 Weakness of SSH Packets are padded only to an eight-byte boundary when a block cipher is in use –Attacker can estimate the approximate length of the original data Every keystrokes is sent immediately in a separate packet –Attacker can learn the exact length of user’s passwords –And the precise inter-keystroke timing, which can be used to crack the password

Presentation for CDA6938 Network Security, Spring 2006 Eavesdropping SSH ‘su’ is the Unix command to switch to the root user The pattern forms a signature Attacker can get –Exact length of the password –Precise inter-keystroke timings of the password

Presentation for CDA6938 Network Security, Spring 2006 Nested SSH Attack User SSH to B, then SSH to C –E.g. if C can only be accessed through B Password characters are passed separately to B, then as one packet to C –Attacker can get exact length of password and inter-stroke timing

Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-keystroke Timing Data Collection –Not possible to gather real passwords due to security and priority reasons –Approach 1: pick a random password and ask a user to type Not necessary as only key pairs are needed People tends to type passwords in group of 3-4 characters, which distorts the statistics –Approach 2: pick key pairs for user to type

Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-keystroke Timing Data are collected by asking users to type key pairs Key pair ‘v-o’ takes much less time then key pair ‘v-b’ There are almost non- overlapping

Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-Keystroke Timing

Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-Keystroke Timing The latency between the two key strokes of a given key pair forms a Gaussian-like distribution Estimated information gain available from latency information is about 1.2 bits per characteristic pair - significant compared to the bits per character entropy of written English

Presentation for CDA6938 Network Security, Spring 2006 Inferring Character Sequences Hidden Markov Model –The output, y, is only determined by the current state –Widely used in areas such as speech reorganization N-Viterbi Algorithm –Given y, the sequence of latencies, try to infer the real character sequence –Calculate the possibility that a sequence will yield the output y

Presentation for CDA6938 Network Security, Spring 2006 Inferring Character Sequences The graph shows the probability that the real character pair appears within the n most-likely character paris Using the middle curve –Success rate is 90% when n=70

Presentation for CDA6938 Network Security, Spring 2006 Herbivore Targeted for nested-SSH Herbivore –Wait for packets correspond to passwords –Measures the inter-arrival times –Using n-Viterbi algorithm to generate list of candidate passwords

Presentation for CDA6938 Network Security, Spring 2006 Herbivore Percentage of the password space tried by Herbivore –On average, only needs to test 1/50 times as many passwords as brute-force search Problem –Herbivore is trained by the frequencies of the user at first, which is not feasible in reality

Presentation for CDA6938 Network Security, Spring 2006 Password Inference for Multiple Users Observations –Inferring is more effectively if trained by the same user –Distances between the typing statistics of two users can vary significantly –Inferring can still be used without training data from the user

Presentation for CDA6938 Network Security, Spring 2006 Countermeasures Send dummy packets when users are typing password –Signature attack will fail –Inter-keystroke timing information is still available to the user For every keystroke, delay random time before sending out the packet –Randomize the timing information of the keystrokes –Won’t work if the attacker can monitor the user login many times and compute the average of the latencies Send packets at constant rate

Presentation for CDA6938 Network Security, Spring 2006 Conclusion Strong Points –A lot of experiment results to support the proposed ideas –Implement Herbivore Weak Points –Assuming that people have similar typing statistics –Data collected by typing key pairs, people may type differently when typing passwords –Herbivore only works for nested-SSH

Presentation for CDA6938 Network Security, Spring 2006 Questions?