[Cryptography] SSH vulnerability when using passwords
Jonathan Katz
jkatz at cs.umd.edu
Tue Jan 6 20:01:09 EST 2015
On Tue, Jan 6, 2015 at 6:42 PM, John Gilmore <gnu at toad.com> wrote:
> A friend pointed me to this page:
>
> https://stribika.github.io/2015/01/04/secure-secure-shell.html
>
> But neither that nor the ssh wikipedia page mention an SSH
> vulnerability that lets an attacker guess the letters of a remote
> login password used under SSH. I remember this attack being mentioned
> years ago, perhaps in a crypto conference rump session?
>
> The attack works when you don't use keys or shared secrets -- just the
> usual login/password processing standard for the remote end's
> operating system. This is by far the simplest way to use SSH -- it
> requires no public keys, no private keys, no one-time pads. All it
> requires is that you can remember your login name and password, which
> everyone is already used to. It lets you log in to a remote system
> from *anywhere* that has a copy of ssh, without bringing any keying
> material along.
>
> The problem is that the ssh protocol sends each letter of the password
> as an entire packet of encrypted stuff -- but there are only a small
> number of possible letters that might have been typed. So the entropy
> in each of those early ssh packets is very low. The attack makes
> guesses about which letters you might have picked, is able to
> eliminate many of the guesses by showing that the crypto would have
> produced something different in that case, relies partly based on the
> inter-letter timing as I recall, and recovers passwords or partial
> passwords a significant fraction of the time. Then, of course, those
> passwords are extremely useful in breaking into the remote system at
> any time afterward. Which is why NSA would store them for later use.
Could it possibly be this one?
http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf
More information about the cryptography
mailing list