1 / 18

Timing Analysis of Keystrokes and Timing Attacks on SSH

Timing Analysis of Keystrokes and Timing Attacks on SSH. D. Song, D. Wagner, and X. Tian 10th USENIX Security Symposium, 2001 Presented by: Rui Peng. Outline. Secure Shell (SSH) weaknesses Analysis of user keystroke patterns Attack using inter-keystroke timing Performance evaluation

royal
Download Presentation

Timing Analysis of Keystrokes and Timing Attacks on SSH

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Timing Analysis of Keystrokes and Timing Attacks on SSH D. Song, D. Wagner, and X. Tian 10th USENIX Security Symposium, 2001 Presented by: Rui Peng

  2. Outline • Secure Shell (SSH) weaknesses • Analysis of user keystroke patterns • Attack using inter-keystroke timing • Performance evaluation • Countermeasures • Comments and conclusion

  3. Secure Shell (SSH) • Offers an encrypted channel and strong authentication. • Replaces telnet, rlogin. • Two seemingly minor weaknesses: • Padding: 1-8 bytes • Reveals approximate data size • Separate packet for each keystroke • Leaks timing information of user’s typing

  4. Traffic Signature Attack

  5. What is the central idea ? • Exploit SSH Weaknesses => • Obtain Inter-Keystroke Timing (Latency) => • Infer User Password • Collect user typing statistics => • Build a Hidden Markov Model and train it using the data => • Recommend passwords based on latency data

  6. How Are Training Data Collected? • Pick a pair of characters, e.g. (“v”, “o”) • Ask users to type the pair for 30-40 times • Collect latency information • Repeat for every different pair of characters

  7. Estimated Gaussian Distributions of All Character Pairs

  8. Entropy and Information Gain

  9. Hidden Markov Model (HMM) • Latency distributions severely overlap • Hard to infer characters just based on latency • Solution: Use Hidden Markov Model (HMM) • HMM: describes finite-state stochastic process • Transition probability only depends on the current state

  10. Inference Algorithm • y = (y1, y2, …, yT): sequence of latencies • q = (q1, q2, …, qT): sequence of character pairs • Calculate Pr(q|y): likelihood of the two • Pr(q|y) essentially gives a ranking for each possible character sequence q

  11. Performance results • 10 tests all with length 8 • On average the real password is located within top 2.7% of the list. • Half of the time the password will be in the top 1% of the list.

  12. Difference in user typing patterns • 75% of the time the latencies are the same. • Typing statistics have a large component in common. • Attack does NOT need typing statistics from the victim !

  13. Countermeasures • Let the server return dummy packets when it receives keystroke packets from the client. • Let the client randomly delay sending keystroke packets. • Let the client send keystroke packets at a constant rate.

  14. Strengths • Novel idea • Nice technique • Good performance • Interesting findings • Countermeasures given

  15. Limitations • No mention of how to deal with backspace • No discussion of how different keyboard layouts affect the results • Laptop vs desktop • Different keyboard layouts in different regions

  16. Thank you! • Questions?

More Related