[Cryptography] SSH vulnerability when using passwords

Nico Williams nico at cryptonector.com
Wed Jan 7 01:34:07 EST 2015

On Tue, Jan 06, 2015 at 06:51:42PM -0800, Abe Singer wrote:
> IIRC, That attack actually depends on which authentication method
> gets used for password authentication.  The "password" method described
> in RFC 4252 sends the password all at once (if/how it gets fragmented
> by the transport and crypto layer is left as an exercise for the reader).
> The challenge-response method defined in RFC 4256 sends keystrokes one
> at a time and is vulnerable to timing analysis.  [...]

Neither sends a password a character at a time.  RFC4256 is designed
with PAM in mind, which also doesn't have the application feed passwords
one character at a time to the API.
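To make the point concrete, here is an added example (not part of the thread) that builds and parses the two wire messages being discussed: the RFC 4252 "password" SSH_MSG_USERAUTH_REQUEST and the RFC 4256 keyboard-interactive SSH_MSG_USERAUTH_INFO_RESPONSE. In both, the password is one length-prefixed string inside one message; the user name, service name and password values are constructed sample data.

```python
import struct

# Message numbers from RFC 4252 section 8 and RFC 4256 section 3.4.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_password_request(user: str, service: str, password: str) -> bytes:
    """RFC 4252 'password' method: the whole password is a single string field."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("utf-8"))
            + ssh_string(b"password")
            + b"\x00"                      # boolean FALSE: not a password change
            + ssh_string(password.encode("utf-8")))


def build_info_response(responses: list) -> bytes:
    """RFC 4256 keyboard-interactive: one complete response string per prompt."""
    body = struct.pack(">I", len(responses))
    for r in responses:
        body += ssh_string(r.encode("utf-8"))
    return bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + body


def parse_password_request(msg: bytes):
    """Return (user, service, method, password) from a 'password' request."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    off += 1                               # skip the boolean change-password flag
    password, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after password field")
    return user.decode(), service.decode(), method.decode(), password.decode()


def parse_info_response(msg: bytes) -> list:
    """Return the list of response strings from an INFO_RESPONSE message."""
    if msg[0] != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_RESPONSE")
    (count,) = struct.unpack(">I", msg[1:5])
    off, out = 5, []
    for _ in range(count):
        s, off = read_string(msg, off)
        out.append(s.decode())
    if off != len(msg):
        raise ValueError("trailing bytes after responses")
    return out
```

Both builders put the full password into one field, so any per-keystroke leakage would have to come from the client's input handling, not from the protocol messages themselves.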
