Seminar

Timing Analysis of Keystrokes and Timing Attacks on SSH - Revisited -

Andreas Noack, E-Mail: andreas.noack@rub.de

Is SSH really secure?

Trinity hacks a nuclear power plant - Matrix Reloaded

2

Is SSH really secure? Introduction

Three Classes of Attacks
Cryptographic/Protocol attacks Insertion (CRC-32 weakness) Implementation attacks Buffer Overflows Responses leak secret information ... Side channel attacks Power consumption analysis Acoustic analysis Timing analysis Keystroke timing analysis [1]
3

Is SSH really secure? Introduction

Three Classes of Attacks
Cryptographic/Protocol attacks Insertion (CRC-32 weakness) Implementation attacks Buffer Overflows Responses leak secret information ... Side channel attacks Power consumption analysis Acoustic analysis Timing analysis Keystroke timing analysis
4

Is SSH really secure? Introduction

Keystroke Timing Analysis [1]

Times between keystrokes are different Exact measurement leaks information about typed keys examples (...) inter-keystroke timings lie between 40 and 220 msec. More efficient than a pure Bruteforce/Dictionary attack only possible password candidates tested

Is SSH really secure? Preliminaries

Weaknesses in SSH
1.) Transmitted characters are padded to ciphers blocklength Blocklength of the symmetric ciphers is in general 8 byte SSH-2 sends a packets length encrypted SSH-1 sends the packet length unencrypted What does that mean? SSH-2: Length of the initial password can be approximated to a multiple of 8 byte SSH-1: Length of the initial password is clear General: Length of a packet gives information about its content or function
6

Is SSH really secure? Preleminaries Preliminaries

Weaknesses in SSH
2.) Interactive mode: every keystroke is sent immediately is enabled after the initial login What does that mean? Timing information can be extracted from data flow Initial login is not affected! For analyzing the initial login, special scenarios are needed

Is SSH really secure? Timing Attack

Scenarios
We can only collect timing information, when SSH is in interactive mode

Enabled after initial login, special scenarios are needed: Nested attack su command

Is SSH really secure? Timing Attack

Setup

Network sniffer (e.g. wireshark) exact time measurement, packet size Information analysis filter out password keystrokes n-Viterbi algorithm calculates possible password candidates Keystroke timing characteristics of a special user general timing characteristics
9

Is SSH really secure? Timing Attack

Some Critics on Song et al. [1]
Timing analysis is no more feasible

OpenSSH (4.4p1) sends blanks in non-echo mode non-echo mode is activated, when the user types a password

Attacker cannot differentiate, if password is typed

10

Is SSH really secure? Timing Attack

Solution Idea
Another component is needed Test with OpenSSH (4.4p1) on loopback-device: blank responses up to 100 times faster than echo responses But real network latencies cover these timing differences Network jitter must be compensated to differentiate blanks from echoes Measure Round Trip Times (RTT)
11

Is SSH really secure? Timing Attack

More Critics on Song et al. [1]
The Hidden Markov Model (HMM) is used

t qn yn

: time step : character pair (e.g., abc -> q1=ab, q2=bc) : latency between keystrokes

12

Is SSH really secure? Timing Attack

More Critics on Song et al. [1]
The Hidden Markov Model (HMM) is inefficient! next state depends on more than current state

Typing seqence:

yiq

Typing seqence:

aiq
13

Is SSH really secure? Timing Attack

Solution Idea
Second degree HMM next state depends on more former states n-Viterbi algorithm more effective

Disadvantages
Build second degree HMM statistic: more timing data required
14

Is SSH really secure? Timing Attack

Experimental Results
2nd degree Hidden Markov Model (2 states)
a->e->n: e->e->n: h->e->n: i->e->n: k->e->n: m->e->n: n->e->n: s->e->n: u->e->n: y->e->n: z->e->n: 248.257 msec, 197.001 msec 245.268 msec, 189.544 msec 120.117 msec, 149.703 msec 168.367 msec, 206.581 msec 152.465 msec, 191.877 msec 164.501 msec, 212.866 msec 105.127 msec, 123.233 msec 206.624 msec, 206.502 msec 189.254 msec, 263.705 msec 269.264 msec, 202.869 msec 163.557 msec, 234.820 msec

(right hand: 1st, 3rd key, left hand: 2nd key)

15

Is SSH really secure?

Demonstration

16

Is SSH really secure? Conclusion

Approximated information gain for touch typing writers [1] >1.2 bits per character (password) ~ factor 50 decrease of a bruteforce attack Timing attack on non touch typing writers probably possible with individual typing statistic Special scenarios are needed Nested attack su-command Timing attacks on SSH are of moderate security risk

17

Is SSH really secure?

Questions?

Andreas Noack, E-Mail: andreas.noack@rub.de

18

Is SSH really secure? References

[1] Dawn Xiaodong Song, David Wagner and Xuquing Tian. Timing Analysis of Keystrokes and Timing Attacks on SSH. 10th USENIX Security Symposium, 2001. [2] Michael Lustig and Yonit Shabtai. Keystroke Attack on SSH. Final Project Report at Technion IIT, October 2001. [3] Michael Augustus Hogye, Christopher Thaddeus Hughes, Joshua Michael Sarfaty and Joseph David Wolf. Analysis of the Feasibility of Keystroke Timing Attacks Over SSH Connections. Research Project at University of Virginia, December 2001. [4] A.J. Menezes, P.C. Van Oorschot, and S.A. Vanstone. Handbook of Applied Cryptography. CRC press, 1997. [5] Ahmad-Reza Sadeghi and Christian Wachsmann. Network Security II - Secure Shell.Ruhr-Universitt Bochum, 2004. [6] Stuart Russel and Peter Norvig. Arti?cial Intelligence. A modern approach. Prentice Hall, 1995. [7] Solar Designer and Dug Song. Passive Analysis of SSH (Secure Shell) Traffic. http://www.securiteam.com/securitynews/ 5KP0O0A3PU.html, March 2001. [8] Weak CRC allows packet injection into SSH sessions encrypted with block ciphers. http://www. kb.cert.org/vuls/id/13877, June 1998. [9] Weak CRC allows RC4 encrypted SSH1 packets to be modi?ed without notice. http://www.kb. cert.org/vuls/id/25309, January 2001. [10] Side channel attack. http://en.wikipedia.org/wiki/Side-channel_attack, December 2006. [11] Information entropy. http://en.wikipedia.org/wiki/Information_entropy, December 2006. [12] Dmitri Asonov and Rakesh Agrawal. Keyboard Acoustic Emanations. In Proceedings of the IEEE Symposium on Security and Privacy, 2004. [13] Li Zhuang, Feng Zhou and J.D. Tygar Keyboard Acoustic Emanations Revisited. In Proceedings of the 12th ACM Conference on Computer and Communications Security, November 2005. [14] Yigael Berger, Avishai Wool and Arie Yeredor Dictionary Attacks Using Keyboard Acoustic Emanations. CCS?06, October 2006. [15] Gaurav Shah, Andres Molina and Matt Blaze. Keyboards and Covert Channels. 15th USENIX Security Symposium, 2006.

19