similar to: Defeating Timing Attacks

Displaying 20 results from an estimated 100000 matches similar to: "Defeating Timing Attacks"

2001 Oct 16
1
[Fwd: Re: Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2]
Nicolas, The timing attack described in the paper by Dawn Song et al. works by examining the timing of keystrokes. Currently OpenSSH sends a packet every time you press a key, thus it is possible to capture the approximate inter-keystroke timing of a user (they found minimal overhead in time from a key press to packet sent). Our patch causes a packet to be sent every 50 ms regardless of whether
2015 Jan 07
2
discussion about keystroke timing attacks against SSH on the cryptography ML
Hi folks. FYI: There's a discussion[0] about keystroke timing attacks against SSH going on on the cryptography mailing list. Would be interesting to hear the opinion of some OpenSSH folks what SSH/OpenSSH is doing against this and what could maybe be don in addition. Especially since the main idea behind the attack is obviously not limited to the initial authentication phase when a password
2001 Oct 06
1
Defeating Timing Attacks
Hello, In response to the timing analysis attacks presented by Dawn Song et. al. in her paper http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html we at Silicon Defense developed a patch for openssh to avoid such measures. Timing Analysis Evasion changes were developed by C. Jason Coit and Roel Jonkman of Silicon Defense. These changes cause SSH to send packets unless request not to,
2001 Oct 16
1
Defeating Timing Attacks Patch for OpenSSH 2.9.9p2 and 2.9p2
Hello, In response to the timing analysis attacks presented by Dawn Song et. al. in her paper http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html we at Silicon Defense developed a patch for openssh to avoid such measures. Timing Analysis Evasion changes were developed by C. Jason Coit and Roel Jonkman of Silicon Defense. These changes cause SSH to send packets unless request not to,
2003 Aug 09
0
Timing attacks and owl-always-auth
Hi All. Attached is a patch against OpenBSD, based in part on the owl-always-auth patch. The idea is that the only way out of auth_passwd for the failure case is the "return 0" at the bottom. I don't know if this is a good way to do it or not, it's presented for discussion. Also, I don't think 3.6.1p2 is quite right WRT these timing issues (eg, you get a fast failure
2016 Mar 16
2
Does SCTP help against TCP reset attacks?
Hello, i have a question regarding SCTP support of OpenSSH. (I have searched the list, and it seems to show up periodically every two years, and since it's that time again i dare to ask...) It can't be described better than what i've placed in a bug report yesterday, so please let me (mostly) copy & paste that: Hello. I don't know how you do it, i never managed a(n
2023 Apr 12
1
Defend against user enumeration timing attacks - overkill
Dear colleagues, I have a question about this commit: https://github.com/openssh/openssh-portable/commit/e9d910b0289c820852f7afa67f584cef1c05fe95#diff-a25e40214ca9c9f78abce22f23bf2abdb2a24384c6610d60bbb314aed534eb48R216 The function ensure_minimum_time_since effectively doubles the time spent in the input_userauth_request (mostly presumably in PAM). So if PAM processing is really slow, it will
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear colleagues, May I ask you to explain whether I am wrong in my conclusions? On Wed, Apr 12, 2023 at 11:55?AM Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > Dear colleagues, > > I have a question about this commit: > >
2010 Dec 27
3
openssh and keystroke timing attacks (again)
Hi all, Over the past 10 years, there has been some discussion and several patches concerning keystroke timing being revealed by the timing of openssh packet network transmission. The issue is that keystroke timing is correlated with the plaintext, and openssh users expect their communications to be kept entirely secret. Despite some excellent ideas and patches, such as Jason Coit's
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dear Peter, I'm trying to balance the original problem statement (protection from users enumeration) and avoid doubling time here if the process has already taken a long time to provide faster auth method iteration. I believe that a better solution is to set some arbitrary (probably configurable) timeout and, in case when we spend more time than that value, avoid doubling it. On Wed, Jun 28,
2023 Jun 28
1
Defend against user enumeration timing attacks - overkill
Dmitry Belyavskiy wrote: > May I ask you to explain whether I am wrong in my conclusions? I guess it's not clear what problem you are trying to solve. //Peter
2000 Feb 24
1
Making password driven SSH 'immune' to MTM attacks.
[I know this is the 'port' list, but I can't find a better place to post this, and with the garbage going on @slashdot I figured I'd get this out. This belongs on sci.crypt or a general OpenSSH mailing list] First, a quick rehash of stuff everyone here already knows, OpenSSH can use two major forms of authentication: 1. Password 2. RSA keys The RSA method is good because it
2010 Jun 25
1
Compromised servers, SSH keys, and replay attacks
We had an incident recently where an openssh client and server were replaced with trojanned versions (it has SKYNET ASCII-art in the binary, if anyone's seen it. Anyone seen the source code ?). The trojan ssh & sshd both logged host/user/password, and probably had a login backdoor. Someone asked me what was their exposure if they used public/private keys instead of passwords. My
2008 Jun 12
2
Request for added functionality - tracking and blocking attacks
Somebody please forward this, if this is not an appropiate place to ask the OpenSSH developers for a new feature. As many of us have seen, any sshd left open on the internet eventually becomes the target of password guessing attacks. I am aware of tools for scanning the security logs, and manipulating iptables to block ongoing attacks, but I am not aware of a way to configure sshd itself to
2003 Apr 01
0
OpenSSH 3.6.1 released
OpenSSH 3.6.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or
2003 Apr 01
0
OpenSSH 3.6.1 released
OpenSSH 3.6.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or
2003 Mar 31
0
OpenSSH 3.6 released
OpenSSH 3.6 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or
2003 Mar 31
2
OpenSSH 3.6 released
OpenSSH 3.6 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or