SSH Passwords

I read the abstract for an Association of Computing Machinery (ACM) paper entitled “Timing Analysis of Keystroke and Timing Attacks on SSH”. The paper was written by Dawn Xiaodong Song and others. Unfortunately you have to be a member of ACM to read the body of the paper. I am looking into getting my company to pay for my membership. However I thought it would be fun to go over the abstract and think about what these researchers did to break SSH.

The key finding of this paper is that you can determine the approximate size of the original data sent over SSH. This is furthered by the fact that SSH sends every keystroke immediately to the server. Thus you can find out thing like how fast somebody is typing. You can also employ some statistics to figure out how long a person’s password is. The authors are not claiming they can decode the password. But given the length, they can severely cut down the number of guesses a brute force attack needs to do.

In case you do not already know, SSH stands for secure shell. It provides a mechanism to exchange data over a secure channel. SSH is used to remotely log into UNIX accounts. It replaces older telnet technology, which passed passwords as plain text over the network. SSH instead uses public key cryptography. Initially, SSH was vulnerable to man in the middle attacks. That alone is worth a separate discussion. However SSH was updated a long time ago to plug this gap. SSH uses both encryption and compression. So you would think that you could not easily determine the exact length of your password. However you can probably determine a good guess using a little statistics like the abstract says.

I will share some more information if I get a subscription to the ACM. Until then I will be trying to think how the researchers took apart SSH.