SecurityFocus
has an
article
about a
weakness
in SSH implementations discovered by a team of researchers from the University of California at Berkeley. By carefully studying statistical analysis of typing rhythms, it is possible to discern information about a users SSH session, including the length of their password.
Read the
article
at SecurityFocus carefully. Also, check out ssh-agent(1) as a means of eliminating sending your encrypted password across the wire. This weakness dives into the realm of information theory and pattern analysis.
(Comments are closed)
Comments
By
fansipans ()
on
THIS article is great ... because...um...it's exemplary um...well here's my user info for aol (for example) :
map the flow of information, map the flow and
chain of trust, and map the chains and webs of
actions and abilities of any given system...and
you'd be surprised what you could accomplish given
just a few simple (though completely unsuspected) moves
which reminds me of the fact that i'm moving (dc to boston). so if anyone wants a fairly nice 19inch color tv and a sega genesis (mortal combat, sonic the hedgehog,roadrash included) I WILL GIVE THEM TO YOU FOR FREE .. so long as you pick them up...i'm in northern virginia right now so "hit me up" on instant messanger
unf. i need french fries and coffee. damn you laptop recharge time. o.
oh and a final *woop* for information theory
--fansipans
By
Tobias Paprotta ()
on
www.paprotta.de
This article was already mentioned in the presentation
'SSH traffic analysis' by dugsong (monkeys rule)
and solar desiner at HAL 2001.
Their work also shows possibilities to gain infor-
mation about SSH authentification methods (incl.
pw lengths)
Hey how does this affect openssh? Is openssh affected? Can we use the findings of this report to further secure ssh? or is the problem inherent in the design?
Sorry I don't know a lot about how encryption works.. so it'd be great if someone could clue me in.
By fansipans () on
map the flow of information, map the flow and
chain of trust, and map the chains and webs of
actions and abilities of any given system...and
you'd be surprised what you could accomplish given
just a few simple (though completely unsuspected) moves
which reminds me of the fact that i'm moving (dc to boston). so if anyone wants a fairly nice 19inch color tv and a sega genesis (mortal combat, sonic the hedgehog,roadrash included) I WILL GIVE THEM TO YOU FOR FREE .. so long as you pick them up...i'm in northern virginia right now so "hit me up" on instant messanger
unf. i need french fries and coffee. damn you laptop recharge time. o.
oh and a final *woop* for information theory
--fansipans
By Tobias Paprotta () on www.paprotta.de
'SSH traffic analysis' by dugsong (monkeys rule)
and solar desiner at HAL 2001.
Their work also shows possibilities to gain infor-
mation about SSH authentification methods (incl.
pw lengths)
So long
Tobias
By proof () proof at xcheese dot org on http://ifconfig.net
Sorry I don't know a lot about how encryption works.. so it'd be great if someone could clue me in.