Secure Shell – SSHOverviewHistory and BackgroundSSH-1 vs. SSH-2How SSH WorksSSH-2 ProtocolSSH2’s “Secure” ChannelIdentifying Password TransfersIs this Useful?Keystroke TimingSlide 11Keystroke Pair ProbabilitiesHidden Markov ModelDoes It WorkSlide 15Slide 16Secure Shell – SSHTam NgoSteve Lickingcs265OverviewIntroductionBrief History and Background of SSHDifferences between SSH-1 and SSH-2Brief Overview of how SSH worksAttack on SSHKey-Stroke Timing AttackConclusionHistory and BackgroundPassword-sniffing attackSSH-1 was developed, Finland, 1995SSH Communications Security Ltd. Replacement for telnet and r-commandsVersion 2, SSH-2 released in 1998SSH-1 vs. SSH-2All in one protocolCRC-32 integrity checkOne session per connectionNo password changeNo public-key certificate authenticationSeparate protocolsStrong integrity checkMultiple sessions per connectionPassword changeprovide public-key certificate authenticationHow SSH Works(1) Client contacts server(2) If SSH protocol versions do not agree, no connection(3) Server identifies itself. Server sends host key, server key, check bytes, list of methods. Client looks in its DB for hosts.(4) Client sends a secret key, encrypted using server’s public keyBoth begins encryption. Server authentication is completedClient authentication on the server side. Example, password and public-key authenticationSSH-2 ProtocolSSH2’s “Secure” ChannelWhat SSH does:Packets are padded up to the first 8 byte multipleInput is sent as each key-down is readNot all input is echoed by the serverWhat it means:Data size can be estimatedKeystroke timing is feasiblePassword sessions are identifiableIdentifying Password TransfersDoesn’t SSH transfer passwords all at once? Yes, but…Only when logging into the serverNot when running any applications (e.g. su)Not when chaining loginsIs this Useful?Everything is encrypted, more information is required than just a passwordWhat good is a password if you don’t know the host/user/application it is forAttackers can sniff traffic to determine the host it is destined forWith access to the ps command attackers can narrow it down to a user running a specific applicationKeystroke Timing Various key pairs have different delaysKeystroke TimingKeystroke Pair ProbabilitiesHidden Markov ModelState machineThe current state cannot be observed, only the outputTransition to next state depends only on current stateThe likely state path can be deduced from observed outputLet each state be a key pair and the output be the delay between the two key pressesDoes It WorkThe HMM can be solved using known algorithms to find a likely solutionThe large amount of guesswork involved means the most likely solution isn’t always the correct oneInstead look at the n most likely solutionsDoes It WorkGiven a subset of all possible 8 character random passwordsThis method can reduce work by a factor of 50Translates to roughly 1 bit per character enteredDoes It WorkCan timing information be collected?YesAre the timing metrics useful if the user creating them isn’t pre-tested?YesIs it feasible to use a HMM to crack passwords?Depends on who you
View Full Document