[Cryptography] SSH vulnerability when using passwords

Abe Singer abe at oyvay.nu
Tue Jan 6 21:51:42 EST 2015


On Tue, Jan 06, 2015 at 03:42:05PM -0800, John Gilmore wrote:
> 
> The problem is that the ssh protocol sends each letter of the password
> as an entire packet of encrypted stuff -- but there are only a small
> number of possible letters that might have been typed.  So the entropy
> in each of those early ssh packets is very low.  The attack makes
> guesses about which letters you might have picked, is able to
> eliminate many of the guesses by showing that the crypto would have
> produced something different in that case, relies partly based on the
> inter-letter timing as I recall, and recovers passwords or partial
> passwords a significant fraction of the time.  Then, of course, those
> passwords are extremely useful in breaking into the remote system at
> any time afterward.  Which is why NSA would store them for later use.

IIRC, that attack actually depends on which authentication method
gets used for password authentication.  The "password" method described
in RFC 4252 sends the password all at once (if/how it gets fragmented
by the transport and crypto layer is left as an exercise for the reader).

The challenge-response method defined in RFC 4256 sends keystrokes one
at a time and is vulnerable to timing analysis.  Challenge-response can
be used for password authentication, and may get used if it precedes
password authentication as an allowed method and the server's PAM
configuration is set up for password auth (the default on Linux).


> Where is this attack written up in detail?  And how is it best
> defended against?

You may be thinking of Dawn Song's 2001 Usenix paper:

	https://www.usenix.org/legacy/events/sec01/full_papers/song/song.pdf

At least a partial defense is to disallow the challenge-response method
in sshd_config on the server, and ssh_config on clients.

I believe I read something about adding padding to ssh packets
to randomize the packet sizes, but the specifics escape me at the moment.
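The defence Abe describes above is a configuration change: refuse the challenge-response (keyboard-interactive) method on the server and on clients, leaving the all-at-once "password" method of RFC 4252. The script below is an added example, not part of this thread or of OpenSSH itself; it audits an sshd_config or ssh_config style file for that setting. It relies on real OpenSSH directive names (KbdInteractiveAuthentication, its older spelling ChallengeResponseAuthentication, PasswordAuthentication, PreferredAuthentications) and on OpenSSH's rule that the first uncommented value of a keyword wins; the three sample config files it writes to a temporary directory are constructed for the demonstration and describe no real host.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config / ssh_config style
# file for the challenge-response (keyboard-interactive) method discussed above.
# Assumes OpenSSH directive semantics: the first uncommented value of a keyword
# wins, keywords are case-insensitive, "key value" and "key=value" are both
# accepted, and anything after a Match (sshd) or Host (ssh) line is conditional.

# Print the lowercased value of the first global occurrence of any keyword
# matching the lowercase, '|'-separated pattern in $2; print nothing if absent.
ssh_directive() {
  awk -v pat="^($2)\$" '
    { sub(/^[ \t]+/, "") }                       # strip leading indentation
    /^#/ || /^$/ { next }                         # skip comments and blank lines
    { n = split($0, f, /[ \t=]+/) }               # f[1]=keyword, f[2]=value
    tolower(f[1]) ~ /^(match|host)$/ { exit }     # conditional section: stop
    tolower(f[1]) ~ pat { print tolower(f[2]); exit }
  ' "$1"
}

# Is the keystroke-at-a-time method (RFC 4256) enabled?  OpenSSH 8.7 renamed
# ChallengeResponseAuthentication to KbdInteractiveAuthentication; either
# spelling is accepted, and when neither is set the default is yes.
kbd_interactive_state() {
  v=$(ssh_directive "$1" 'kbdinteractiveauthentication|challengeresponseauthentication')
  case "${v:-yes}" in
    no) echo disabled ;;
    *)  echo enabled ;;
  esac
}

# Constructed sample configs written to a scratch directory (not real hosts).
SAMPLE_DIR=$(mktemp -d)
WEAK_SSHD="$SAMPLE_DIR/sshd_config.weak"
HARDENED_SSHD="$SAMPLE_DIR/sshd_config.hardened"
HARDENED_SSH="$SAMPLE_DIR/ssh_config.hardened"

cat > "$WEAK_SSHD" <<'EOF'
# stock-style server config: the directive appears only as a comment, so the
# compiled-in default (yes) applies and keyboard-interactive stays enabled
Port 22
#KbdInteractiveAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF

cat > "$HARDENED_SSHD" <<'EOF'
# server side: both spellings set to no, password auth (RFC 4252) still allowed
Port 22
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
EOF

cat > "$HARDENED_SSH" <<'EOF'
# client side: refuse the method and prefer keys, then the all-at-once method
KbdInteractiveAuthentication=no
PreferredAuthentications publickey,password
EOF

# One line per file, printed when the script is run directly.
audit_report() {
  for f in "$WEAK_SSHD" "$HARDENED_SSHD" "$HARDENED_SSH"; do
    printf '%s: keyboard-interactive %s\n' \
      "$(basename "$f")" "$(kbd_interactive_state "$f")"
  done
}
audit_report
```

The script reads the file as written; it does not evaluate Match or Host blocks, so a directive re-enabled inside one of them is not reported. For the effective server configuration after all Match blocks, `sshd -T` (optionally with `-C` to supply a connection spec) prints the values sshd will actually use.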

