On Thu, 3 Aug 2023, Chris Rapier wrote:> Howdy all, > > So, one night over beers I was telling a friend how you could use the timing > between key presses on a type writer to extract information. Basically, you > make some assumptions about the person typing (touch typing at so many words > per second and then fuzzing the parameters until words come out). > > The I found a paper written back in 2001 talked about using the interpacket > timing in interactive sessions to leak information. > https://people.eecs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf > > I'm sure this has been addressed (or dismissed) but I'm looking for the > specific section of code that might deal with this. Any pointers?The main issue raised in that paper was that it was trivially detectable when terminal echo was switched off and so an attacker could specifically observe the moments when users were typing their passwords into (say) sudo. This got fixed around the time the paper was released IIRC, search for "Simulate echo" in channels.c:channel_handle_wfd(). The broader issue of hiding all potential keystroke timing is not yet fixed. -d
Damien Miller wrote:> On Thu, 3 Aug 2023, Chris Rapier wrote: > >> Howdy all, >> >> So, one night over beers I was telling a friend how you could use the timing >> between key presses on a type writer to extract information. Basically, you >> make some assumptions about the person typing (touch typing at so many words >> per second and then fuzzing the parameters until words come out). >> >> The I found a paper written back in 2001 talked about using the interpacket >> timing in interactive sessions to leak information. >> https://people.eecs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf >> >> I'm sure this has been addressed (or dismissed) but I'm looking for the >> specific section of code that might deal with this. Any pointers? > > The main issue raised in that paper was that it was trivially detectable > when terminal echo was switched off and so an attacker could specifically > observe the moments when users were typing their passwords into (say) > sudo. This got fixed around the time the paper was released IIRC, > search for "Simulate echo" in channels.c:channel_handle_wfd(). > > The broader issue of hiding all potential keystroke timing is not yet fixed.The keystroke timing issue would be solved by adding LINEMODE support as I did back in 2010. https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028732.html The code is still available here https://github.com/hyc/OpenSSH-LINEMODE/ If there's sufficient interest this time, I can probably bring it all up to date with a current OpenSSH version. I won't bother if it meets the same apathy as last time. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On 8/6/23 3:46 AM, Damien Miller wrote:> On Thu, 3 Aug 2023, Chris Rapier wrote: > >> Howdy all, >> >> So, one night over beers I was telling a friend how you could use the timing >> between key presses on a type writer to extract information. Basically, you >> make some assumptions about the person typing (touch typing at so many words >> per second and then fuzzing the parameters until words come out). >> >> The I found a paper written back in 2001 talked about using the interpacket >> timing in interactive sessions to leak information. >> https://people.eecs.berkeley.edu/~dawnsong/papers/ssh-timing.pdf >> >> I'm sure this has been addressed (or dismissed) but I'm looking for the >> specific section of code that might deal with this. Any pointers? > > The main issue raised in that paper was that it was trivially detectable > when terminal echo was switched off and so an attacker could specifically > observe the moments when users were typing their passwords into (say) > sudo. This got fixed around the time the paper was released IIRC, > search for "Simulate echo" in channels.c:channel_handle_wfd().Excellent! Thank you for the pointer.> > The broader issue of hiding all potential keystroke timing is not yet fixed.Could some level of obfuscation come from enabling Nagle for interactive sessions that has an associated TTY? Though that would be of limited usefulness in low RTT environments. I don't like the idea of having a steady drip of packets as that seems problematic both in terms of code complexity and network usage. I also don't like the idea of imposing random jitter though that might be easier to implement. However, without actual modeling I have no idea if that would actually improve things. Anyway, I was simply thinking about this because the whole bugging of typewriters thing crossed my mind recently. Chris