OpenBSD Journal

SSH password length discovery

Contributed by Dengue on from the stretch dept.

SecurityFocus has an article about a weakness in SSH implementations discovered by a team of researchers from the University of California at Berkeley. Through careful statistical analysis of typing rhythms, it is possible to discern information about a user's SSH session, including the length of their password.

Read the article at SecurityFocus carefully. Also, check out ssh-agent(1) as a way to avoid sending your encrypted password across the wire. This weakness dives into the realm of information theory and pattern analysis.



Comments
  1. By fansipans () on

    THIS article is great ... because...um...it's exemplary um...well here's my user info for aol (for example) :
    map the flow of information, map the flow and
    chain of trust, and map the chains and webs of
    actions and abilities of any given system...and
    you'd be surprised what you could accomplish given
    just a few simple (though completely unsuspected) moves

    which reminds me of the fact that i'm moving (dc to boston). so if anyone wants a fairly nice 19inch color tv and a sega genesis (mortal combat, sonic the hedgehog, roadrash included) I WILL GIVE THEM TO YOU FOR FREE .. so long as you pick them up...i'm in northern virginia right now so "hit me up" on instant messenger
    unf. i need french fries and coffee. damn you laptop recharge time. o.
    oh and a final *woop* for information theory

    --fansipans

  2. By Tobias Paprotta () on www.paprotta.de

    This article was already mentioned in the presentation
    'SSH traffic analysis' by dugsong (monkeys rule)
    and Solar Designer at HAL 2001.
    Their work also shows possibilities to gain information
    about SSH authentication methods (incl.
    pw lengths)

    So long
    Tobias

  3. By proof () proof at xcheese dot org on http://ifconfig.net

    Hey how does this affect openssh? Is openssh affected? Can we use the findings of this report to further secure ssh? or is the problem inherent in the design?

    Sorry I don't know a lot about how encryption works.. so it'd be great if someone could clue me in.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]