Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie...
-
Upload
juliet-logan -
Category
Documents
-
view
217 -
download
0
Transcript of Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie...
![Page 1: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/1.jpg)
Key-Stroke Timing and Timing Key-Stroke Timing and Timing Attack on SSHAttack on SSH
Yonit Shabtai and Michael Lustig
supervisor: Yoram Yihyie
Technion - Israel Institute of Technology
Computer Networks Laboratory
http:\\comnet.technion.ac.il/~cn19s01
![Page 2: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/2.jpg)
SSH OverviewSSH Overview
SSH - protocol for secure network transmition.
SSH replaces telnet,rsh,rlogin,ftp,etc… Provides authentication, integrity,
encryption. Two different protocols: SSH1,SSH2
SSH protocol SSH protocol
Client Client
SSH protocol SSH protocol
Client
![Page 3: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/3.jpg)
SSH2 overviewSSH2 overview
Transport layer– Secure channel - Diffie-Helman key exchange.– Server authentication - RSA/DSS signatures (CA opt.)– Encryption by CBC cyphers (3DES,Blowfish,…).– Integrity of data - Mac (HMAC-SHA1/MD5).
User authentication layer– Integrity & confidentiality are assumed.– Two authentication methodes supported:
• Public key authentication (CA opt.)• Password authentication
Connection layer– Interactive login sessions, rexec, X11, TCP forwarding.– Multiplexing sessions into one channel.
Padding length
Random Padding
PayloadIntegrity data
(MAC)Packet length
Optionally compressed
encrypted
Padding length
Random PaddingPayload
Integrity data
(MAC)
Packet length
![Page 4: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/4.jpg)
SSH weaknessesSSH weaknesses
Password is padded to 8 byte boundary (tracking short passwords)
In interactive mode, every keystroke is immediately sent in a separate IP packet.
Keystroke timing leaks information!
![Page 5: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/5.jpg)
Keystroke Attack on SSHKeystroke Attack on SSHtime
time
"s " "u " "en te r" "y" "o " "n " "i" "t" "en te r"
"P assw ord :" "p rom pt"
Adversary
a
b
ceavesdrop
SSH
SSH
![Page 6: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/6.jpg)
Hidden Markov ModelHidden Markov Model
Markov process HMM - A Markov model when the current state
can not be observed. Outputs of the process are observed. Probability of output depends only on the state. Information on the prior path of the process can
be inferred from it’s output. Motivation - efficient algorithms for working with
HMM.
![Page 7: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/7.jpg)
Keystroke Timing as HMMKeystroke Timing as HMM
Character pair is the hidden state. Keystroke latency measured is the output
observation. Two assumptions:
– character sequence is uniformly distributed (holds for passwords).
– Probability distribution of latency, depends only on the current state.
q = character pair
y = latency observation
![Page 8: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/8.jpg)
Viterbi-AlgorithmViterbi-Algorithm
Widely used to solve HMM. The algorithm:
– (y1,…..,yT) = observations of HMM.
– (q1,…..,qt) = Most likely sequences.
– S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt).
Init : V(q1) = P(q1|y1)
Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1)
S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T
![Page 9: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/9.jpg)
Viterbi Algorithm exampleViterbi Algorithm example
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
q1
q2q2
q1 q1
q2
• The n-Viterbi algorithm.
Output(1) Output(2) Output(3)
q 1
q 2
q s
1
1
1
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
1
2
...
n
q 1
q 2
q s
q 1
q 2
q s
t = 1 t = 2 t = 3
![Page 10: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/10.jpg)
System SchemeSystem Scheme
A B
Sniffer
Detect SSH session
detect nested SSHor SU
n-Viterbistatistics
Keystroke Timing
Possibilities
Password
![Page 11: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/11.jpg)
Key stroke timing testKey stroke timing test
•A software that measures keystroke timing latencies and performs statistical operations was developed.
• We selected four letter keys, two number keys and two upper-case keys for the experiment
i a k m 2 3 O J
•Using these keys we formed 64 key pairs.
•A user was asked to type each pair 30 times.
•The mean value, and variance of the latency was calculated for each pair.
![Page 12: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/12.jpg)
Key stroke timing test resultsKey stroke timing test results
![Page 13: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/13.jpg)
Information Gain AnalysisInformation Gain Analysis
Attacker without prior knowledge: q RQ
H0[q] = -qQPr(q)log2 [ Pr(q)] = log2[|Q|] = 6 [bits]
Attacker knows latency y0 of the keystroke of q RQ
H1[q|y=y0] = -qQPr(q|y=y0)log2 [ Pr(q|y=y0)]
qPqy
qPqy
yP
qPqyyq
][]|Pr[
][]|Pr[
][
][]|Pr[]|Pr[
0
0
0
00
![Page 14: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/14.jpg)
Information Gain EstimationInformation Gain Estimation
001010 ]|[]Pr[][]|[][ dyyyqHyqHyqHqHI [bits]3.3147 2.6853 6
![Page 15: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/15.jpg)
Conclusions Conclusions
•There are four types of timing distinguishable character pairs.
•Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information.
•SSH is not secure as commonly believed.
![Page 16: Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: Yoram Yihyie Technion - Israel Institute of Technology Computer.](https://reader036.fdocuments.in/reader036/viewer/2022082505/56649dc05503460f94ab4f1a/html5/thumbnails/16.jpg)
The End
http://comnet.technion.ac.il/~cn19s01