OpenBSD Journal

y SSH password length discovery

Contributed by Dengue on from the stretch dept.

SecurityFocus has an article about a weakness in SSH implementations discovered by a team of researchers from the University of California at Berkeley. By carefully studying statistical analysis of typing rhythms, it is possible to discern information about a users SSH session, including the length of their password.

Read the article at SecurityFocus carefully. Also, check out ssh-agent(1) as a means of eliminating sending your encrypted password across the wire. This weakness dives into the realm of information theory and pattern analysis.

(Comments are closed)

  1. By fansipans () on

    THIS article is great ...'s exemplary um...well here's my user info for aol (for example) :
    map the flow of information, map the flow and
    chain of trust, and map the chains and webs of
    actions and abilities of any given system...and
    you'd be surprised what you could accomplish given
    just a few simple (though completely unsuspected) moves

    which reminds me of the fact that i'm moving (dc to boston). so if anyone wants a fairly nice 19inch color tv and a sega genesis (mortal combat, sonic the hedgehog,roadrash included) I WILL GIVE THEM TO YOU FOR FREE .. so long as you pick them up...i'm in northern virginia right now so "hit me up" on instant messanger
    unf. i need french fries and coffee. damn you laptop recharge time. o.
    oh and a final *woop* for information theory


  2. By Tobias Paprotta () on

    This article was already mentioned in the presentation
    'SSH traffic analysis' by dugsong (monkeys rule)
    and solar desiner at HAL 2001.
    Their work also shows possibilities to gain infor-
    mation about SSH authentification methods (incl.
    pw lengths)

    So long

  3. By proof () proof at xcheese dot org on

    Hey how does this affect openssh? Is openssh affected? Can we use the findings of this report to further secure ssh? or is the problem inherent in the design?

    Sorry I don't know a lot about how encryption works.. so it'd be great if someone could clue me in.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]