Key-Stroke Timing and Timing Attack on SSH

1. Technion - Israel Institute of Technology Computer Networks Laboratory Key-Stroke Timing and Timing Attack on SSH Yonit Shabtai and Michael Lustig supervisor: YoramYihyie http:\\comnet.technion.ac.il/~cn19s01

2. Client Client Client SSH protocol SSH protocol SSH protocol SSH protocol SSH Overview • SSH - protocol for secure network transmition. • SSH replaces telnet,rsh,rlogin,ftp,etc… • Provides authentication, integrity, encryption. • Two different protocols: SSH1,SSH2

3. Payload Random Padding Integrity data (MAC) Packet length Padding length Payload Random Padding Integrity data (MAC) Packet length Padding length encrypted Optionally compressed SSH2 overview • Transport layer • Secure channel - Diffie-Helman key exchange. • Server authentication - RSA/DSS signatures (CA opt.) • Encryption by CBC cyphers (3DES,Blowfish,…). • Integrity of data - Mac (HMAC-SHA1/MD5). • User authentication layer • Integrity & confidentiality are assumed. • Two authentication methodes supported: • Public key authentication (CA opt.) • Password authentication • Connection layer • Interactive login sessions, rexec, X11, TCP forwarding. • Multiplexing sessions into one channel.

4. SSH weaknesses • Password is padded to 8 byte boundary (tracking short passwords) • In interactive mode, every keystroke is immediately sent in a separate IP packet. Keystroke timing leaks information!

5. Keystroke Attack on SSH

6. Hidden Markov Model • Markov process • HMM - A Markov model when the current state can not be observed. • Outputs of the process are observed. • Probability of output depends only on the state. • Information on the prior path of the process can be inferred from it’s output. • Motivation - efficient algorithms for working with HMM.

7. q = character pair y = latency observation Keystroke Timing as HMM • Character pair is the hidden state. • Keystroke latency measured is the output observation. • Two assumptions: • character sequence is uniformly distributed (holds for passwords). • Probability distribution of latency, depends only on the current state.

8. Viterbi-Algorithm • Widely used to solve HMM. • The algorithm: • (y1,…..,yT) = observations of HMM. • (q1,…..,qt) = Most likely sequences. • S(qt) most likely sequence ,ending with qt with posteriori probability of V(qt). Init : V(q1) = P(q1|y1) Iterate : V(qt) = max(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) S(qt) =argmax(qt-1) P(yt |qt) P(qt |qt-1)V(qt-1) , 2 t T

9. Output(1) Output(2) Output(3) Viterbi Algorithm example • The n-Viterbi algorithm.

10. A B Sniffer System Scheme Detect SSH session detect nested SSH or SU Keystroke Timing statistics n-Viterbi Possibilities Password

11. Key stroke timing test • A software that measures keystroke timing latencies and performs statistical operations was developed. • We selected four letter keys, two number keys and two upper-case keys for the experiment • i a k m 2 3 O J • Using these keys we formed 64 key pairs. • A user was asked to type each pair 30 times. • The mean value, and variance of the latency was calculated for each pair.

12. Key stroke timing test results

13. Information Gain Analysis Attacker without prior knowledge: q RQ H0[q] = -qQPr(q)log2 [Pr(q)] = log2[|Q|] = 6 [bits] Attacker knows latency y0 of the keystroke of q RQ H1[q|y=y0] = -qQPr(q|y=y0)log2 [Pr(q|y=y0)]

14. Information Gain Estimation

15. Conclusions • There are four types of timing distinguishable character pairs. • Though the results are “optimistic” , it is shown that keystroke timing leaks a considerable amount of information. • SSH is not secure as commonly believed.

16. The End http://comnet.technion.ac.il/~cn19s01