Displaying 5 results from an estimated 5 matches for "silicondefense".
2001 Oct 16
1
[Fwd: Re: Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2]
...roke timing information.
regards,
-Jason Coit
-------- Original Message --------
Subject: Re: Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2
Date: Tue, 16 Oct 2001 17:36:18 -0400
From: Nicolas Williams <Nicolas.Williams at ubsw.com>
To: "C. Jason Coit" <jasonc at silicondefense.com>
CC: openssh-unix-dev at mindrot.org
References: <3BCC889C.AA5C57F0 at silicondefense.com>
Let's see. The timing attack has to do with predictable timing. The
solution would seem to be to add randomness to the packet timing. Your
patch does not do this -- it adds more predictable...
2001 Oct 16
1
Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2
...rate (i.e. if the server needs to respond with large amounts of data
it will be able to do so with large packets and without the 50 ms timing
constraint).
We currently have patches and modified distributions for OpenSSH 2.9p2
and 2.9.9p2.
The files for OpenSSH 2.9p2 are available at
http://www.silicondefense.com/software/ssh/ssh-2.9p2-diffs
http://www.silicondefense.com/software/ssh/opens3h-2.9p2.tar.gz
These files for OpenSSH 2.9.9p2 are available at
http://www.silicondefense.com/software/ssh/ssh-2.9.9p2-diffs
http://www.silicondefense.com/software/ssh/opens3h-2.9.9p2.tar.gz
The patch for 2.9.9p2 is...
2001 Oct 06
1
Defeating Timing Attacks
...f the server needs to respond with large amounts of data
it will be able to do so with large packets and without the 50 ms timing
constraint).
The patch is currently for openssh 2.9.2 only (should not be hard to
port) and is available below as well as on the Silicon Defense web site
http://www.silicondefense.com/software/ssh/ssh-2.9.2-diffs
There is also a tarball version of the patched 2.9.2 openssh code
available for download.
http://www.silicondefense.com/software/ssh/opens3h-2.9p2.tar.gz
--
+-- --+
| C. Jason Coit Programmer/Analyst...
1999 Jul 28
6
You got some 'splaininn to do Lucy ;-)
We just had a security application vendor come in. We asked about Linux
support and he said that putting a security application on top of an
insecure OS was useless. When I asked what he meant by insecure he replied
that Linux does not have a true Auditing capability - as opposed to HP-UX &
Solaris which they do support. Can anyone explain to me what he was talking
about?
Thanks,
Marty
2001 Nov 09
4
keystroke timing attack
I'm reading this fine article on O'Reilly:
http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html
<quote>
The paper concludes that the keystroke timing data observable from
today's SSH implementations reveals a dangerously significant amount of
information about user terminal sessions--enough to locate typed
passwords in the session data stream and reduce the