Key-Stroke Timing and Timing Key-Stroke Timing and Timing Attack on SSHAttack on SSH

Yonit Shabtai and Michael Lustig

supervisor: Yoram Yihyie

Technion - Israel Institute of Technology

Computer Networks Laboratory

http:\\comnet.technion.ac.il/~cn19s01

SSH OverviewSSH Overview

SSH - protocol for secure network transmition.

SSH replaces telnet,rsh,rlogin,ftp,etc… Provides authentication, integrity,

encryption. Two different protocols: SSH1,SSH2

SSH protocol SSH protocol

Client Client

SSH protocol SSH protocol

Client

SSH2 overviewSSH2 overview

Transport layer– Secure channel - Diffie-Helman key exchange.– Server authentication - RSA/DSS signatures (CA opt.)– Encryption by CBC cyphers (3DES,Blowfish,…).– Integrity of data - Mac (HMAC-SHA1/MD5).

User authentication layer– Integrity & confidentiality are assumed.– Two authentication methodes supported:

• Public key authentication (CA opt.)• Password authentication

Connection layer– Interactive login sessions, rexec, X11, TCP forwarding.– Multiplexing sessions into one channel.

Padding length

Random Padding

PayloadIntegrity data

(MAC)Packet length

Optionally compressed

encrypted

Padding length

Random PaddingPayload

Integrity data

(MAC)

Packet length

SSH weaknessesSSH weaknesses

Password is padded to 8 byte boundary (tracking short passwords)

In interactive mode, every keystroke is immediately sent in a separate IP packet.

Keystroke timing leaks information!

Keystroke Attack on SSHKeystroke Attack on SSHtime

time

"s " "u " "en te r" "y" "o " "n " "i" "t" "en te r"

"P assw ord :" "p rom pt"

Adversary

a

b

ceavesdrop

SSH

SSH

Hidden Markov ModelHidden Markov Model

Markov process HMM - A Markov model when the current state

can not be observed. Outputs of the process are observed. Probability of output depends only on the state. Information on the prior path of the process can

be inferred from it’s output. Motivation - efficient algorithms for working with

HMM.

Keystroke Timing as HMMKeystroke Timing as HMM

Character pair is the hidden state. Keystroke latency measured is the output

observation. Two assumptions:

– character sequence is uniformly distributed (holds for passwords).

– Probability distribution of latency, depends only on the current state.

q = character pair

y = latency observation

Viterbi-AlgorithmViterbi-Algorithm

Widely used to solve HMM. The algorithm:

– (y1,…..,yT) = observations of HMM.

– (q1,…..,qt) = Most likely sequences.

– S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt).

Init : V(q1) = P(q1|y1)

Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1)

S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T

Viterbi Algorithm exampleViterbi Algorithm example

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

q1

q2q2

q1 q1

q2

• The n-Viterbi algorithm.

Output(1) Output(2) Output(3)

q 1

q 2

q s

1

1

1

1

2

...

n

1

2

...

n

1

2

...

n

1

2

...

n

1

2

...

n

1

2

...

n

q 1

q 2

q s

q 1

q 2

q s

t = 1 t = 2 t = 3

System SchemeSystem Scheme

A B

Sniffer

Detect SSH session

detect nested SSHor SU

n-Viterbistatistics

Keystroke Timing

Possibilities

Password

Key stroke timing testKey stroke timing test

•A software that measures keystroke timing latencies and performs statistical operations was developed.

• We selected four letter keys, two number keys and two upper-case keys for the experiment

i a k m 2 3 O J

•Using these keys we formed 64 key pairs.

•A user was asked to type each pair 30 times.

•The mean value, and variance of the latency was calculated for each pair.

Key stroke timing test resultsKey stroke timing test results

Information Gain AnalysisInformation Gain Analysis

Attacker without prior knowledge: q RQ

H0[q] = -qQPr(q)log2 [ Pr(q)] = log2[|Q|] = 6 [bits]

Attacker knows latency y0 of the keystroke of q RQ

H1[q|y=y0] = -qQPr(q|y=y0)log2 [ Pr(q|y=y0)]

Qq

qPqy

qPqy

yP

qPqyyq

][]|Pr[

][]|Pr[

][

][]|Pr[]|Pr[

0

0

0

00

Information Gain EstimationInformation Gain Estimation

001010 ]|[]Pr[][]|[][ dyyyqHyqHyqHqHI [bits]3.3147 2.6853 6

Conclusions Conclusions

•There are four types of timing distinguishable character pairs.

•Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information.

•SSH is not secure as commonly believed.

The End

http://comnet.technion.ac.il/~cn19s01