Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,

Published byHilda Dalton Modified over 8 years ago

Similar presentations

Presentation on theme: "Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,"— Presentation transcript:

1 Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner, Xuqing Tian Publish: Usenix Security Symposium 2001 Presented by: Hua Zhang

2 Presentation for CDA6938 Network Security, Spring 2006 Contributions Show that minor weaknesses of SSH can leak significant information Propose a way to infer key sequences from inter- keystroke timing Implement a real attack system Propose countermeasures for the attack

3 Presentation for CDA6938 Network Security, Spring 2006 Outline Introduction Weakness of SSH Eavesdropping SSH Analysis of Inter-keystroke Timing Inferring Character Sequences Herbivore Password Inference for Multiple Users Conclusion

4 Presentation for CDA6938 Network Security, Spring 2006 Introduction Telnet, rlogin, ftp –Pass all information without encryption –In broadcast-based networks (e.g. Ethernet), attacker can eavesdrop the network to get all communicated information SSH (Secure Shell) –Offer an encrypted channel between the host and the server –Authentication of host and server

5 Presentation for CDA6938 Network Security, Spring 2006 Introduction

6 Presentation for CDA6938 Network Security, Spring 2006 Weakness of SSH Packets are padded only to an eight-byte boundary when a block cipher is in use –Attacker can estimate the approximate length of the original data Every keystrokes is sent immediately in a separate packet –Attacker can learn the exact length of user’s passwords –And the precise inter-keystroke timing, which can be used to crack the password

7 Presentation for CDA6938 Network Security, Spring 2006 Eavesdropping SSH ‘su’ is the Unix command to switch to the root user The pattern forms a signature Attacker can get –Exact length of the password –Precise inter-keystroke timings of the password

8 Presentation for CDA6938 Network Security, Spring 2006 Nested SSH Attack User SSH to B, then SSH to C –E.g. if C can only be accessed through B Password characters are passed separately to B, then as one packet to C –Attacker can get exact length of password and inter-stroke timing

9 Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-keystroke Timing Data Collection –Not possible to gather real passwords due to security and priority reasons –Approach 1: pick a random password and ask a user to type Not necessary as only key pairs are needed People tends to type passwords in group of 3-4 characters, which distorts the statistics –Approach 2: pick key pairs for user to type

10 Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-keystroke Timing Data are collected by asking users to type key pairs Key pair ‘v-o’ takes much less time then key pair ‘v-b’ There are almost non- overlapping

11 Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-Keystroke Timing

12 Presentation for CDA6938 Network Security, Spring 2006 Analysis of Inter-Keystroke Timing The latency between the two key strokes of a given key pair forms a Gaussian-like distribution Estimated information gain available from latency information is about 1.2 bits per characteristic pair - significant compared to the 0.6-1.3 bits per character entropy of written English

13 Presentation for CDA6938 Network Security, Spring 2006 Inferring Character Sequences Hidden Markov Model –The output, y, is only determined by the current state –Widely used in areas such as speech reorganization N-Viterbi Algorithm –Given y, the sequence of latencies, try to infer the real character sequence –Calculate the possibility that a sequence will yield the output y

14 Presentation for CDA6938 Network Security, Spring 2006 Inferring Character Sequences The graph shows the probability that the real character pair appears within the n most-likely character paris Using the middle curve –Success rate is 90% when n=70

15 Presentation for CDA6938 Network Security, Spring 2006 Herbivore Targeted for nested-SSH Herbivore –Wait for packets correspond to passwords –Measures the inter-arrival times –Using n-Viterbi algorithm to generate list of candidate passwords

16 Presentation for CDA6938 Network Security, Spring 2006 Herbivore Percentage of the password space tried by Herbivore –On average, only needs to test 1/50 times as many passwords as brute-force search Problem –Herbivore is trained by the frequencies of the user at first, which is not feasible in reality

17 Presentation for CDA6938 Network Security, Spring 2006 Password Inference for Multiple Users Observations –Inferring is more effectively if trained by the same user –Distances between the typing statistics of two users can vary significantly –Inferring can still be used without training data from the user

18 Presentation for CDA6938 Network Security, Spring 2006 Countermeasures Send dummy packets when users are typing password –Signature attack will fail –Inter-keystroke timing information is still available to the user For every keystroke, delay random time before sending out the packet –Randomize the timing information of the keystrokes –Won’t work if the attacker can monitor the user login many times and compute the average of the latencies Send packets at constant rate

19 Presentation for CDA6938 Network Security, Spring 2006 Conclusion Strong Points –A lot of experiment results to support the proposed ideas –Implement Herbivore Weak Points –Assuming that people have similar typing statistics –Data collected by typing key pairs, people may type differently when typing passwords –Herbivore only works for nested-SSH

20 Presentation for CDA6938 Network Security, Spring 2006 Questions?

Download ppt "Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,"

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)

CMPE208 Presentation Terminal Access Controller Access Control System Plus (TACACS+) By MARVEL (Libing, Bhavana, Ramya, Maggie, Nitin)
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)

Service Discrimination and Audit File Reduction for Effective Intrusion Detection by Fernando Godínez (ITESM) In collaboration with Dieter Hutter (DFKI)
Password Authentication Using Hopfield Neural Networks Shouhong Wang; Hai Wang Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions.

Password Authentication Using Hopfield Neural Networks Shouhong Wang; Hai Wang Systems, Man, and Cybernetics, Part C: Applications and Reviews, IEEE Transactions.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
SSH: An Internet Protocol By Anja Kastl IS 373 - World Wide Web Standards.

SSH: An Internet Protocol By Anja Kastl IS World Wide Web Standards.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Toward a Framework for Preventing Side-Channel Attacks in Wireless Networks Jeff Pang.

Toward a Framework for Preventing Side-Channel Attacks in Wireless Networks Jeff Pang.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.

Similar presentations

Ads by Google