I probably shouldn't quote an entire message from another mailing
list.... But, it's short...

Attached at the bottom is the entire message posted the other day to
the openssh-unix-dev mailing list <openssh-unix-dev@xxxxxxxxxxx>.
A few of the URLs are included in-line.

On Tue, Oct 09, 2001 at 11:01:03AM -0400, Michael T. Babcock wrote:
> On Tue, Oct 09, 2001 at 10:54:13AM -0400, Michael H. Warfield wrote:
> > On Tue, Oct 09, 2001 at 03:44:47PM +0200, Robert van der Meulen wrote:

> > Yeah, I've seen some comments and a patch or two on the OpenSSH
> > mailing list and some chatter on the SSH mailing list. I think you could
> > find a patch, which includes some time randomizers and some idle time
> > packets, just by searching archives on the mailing lists for the last
> > couple of months.

> I'd be interested in any such patches you might be able to dig up or know of. An idle random-packet generator would be quite interesting, especially if it meant that the two sides sometimes acknowledged (echo'd) the packets and other times didn't, to simulate interactive and non-interactive packets. It would have to send the packets sometimes individually like random key strokes, and other times in chunks like an X application.

<Your line wrap didn't>

http://www.silicondefense.com/software/ssh/ssh-2.9.2-diffs
http://www.silicondefense.com/software/ssh/opens3h-2.9p2.tar.gz

> If anyone here knows of any cryptographers that have actually looked at these types of traffic analysis attacks and preventative measures, feel free to post links.

http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html

> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd.
>
> Linux-crypto: cryptography in and on the Linux system
> Archive: http://mail.nl.linux.org/linux-crypto/

Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

===== Begin Forwarded Message from <openssh-unix-dev@xxxxxxxxxxx> =====

> From owner-openssh-unix-dev@xxxxxxxxxxx Fri Oct 5 21:23:13 2001
Return-Path: <owner-openssh-unix-dev@xxxxxxxxxxx>
Message-ID: <3BBE5CB6.A5788E59@xxxxxxxxxxxxxxxxxx>
Date: Fri, 05 Oct 2001 18:21:58 -0700
From: "C. Jason Coit" <jasonc@xxxxxxxxxxxxxxxxxx>
To: openssh-unix-dev@xxxxxxxxxxx
Subject: Defeating Timing Attacks
Sender: owner-openssh-unix-dev@xxxxxxxxxxx

Hello,

In response to the timing analysis attacks presented by Dawn Song
et al. in her paper

http://paris.cs.berkeley.edu/~dawnsong/ssh-timing.html

we at Silicon Defense developed a patch for openssh to avoid such
measures.

Timing Analysis Evasion changes were developed by C. Jason Coit and
Roel Jonkman of Silicon Defense.

These changes cause SSH to send packets unless requested not to,
exactly every 50 ms. If no data is ready to be sent, SSH will send a
bogus packet with 16 bytes of data (which is the same size as most
keystrokes). Thus someone performing timing analysis cannot determine
the inter keystroke timing of a user. SSH will send bogus data for
about 1 second after the last keystroke. This both increases the
difficulty of determining exact password lengths and conserves
bandwidth when a user is idle (e.g. taking a coffee break). Both the
Server and the Client exhibit this behavior and yet our code places no
limit on the data rate (i.e. if the server needs to respond with large
amounts of data it will be able to do so with large packets and
without the 50 ms timing constraint).

The patch is currently for openssh 2.9.2 only (should not be hard to
port) and is available below as well as on the Silicon Defense web
site

http://www.silicondefense.com/software/ssh/ssh-2.9.2-diffs

There is also a tarball version of the patched 2.9.2 openssh code
available for download.

http://www.silicondefense.com/software/ssh/opens3h-2.9p2.tar.gz

--
+--                                                   --+
| C. Jason Coit                     Programmer/Analyst  |
| *Silicon Defense - Technical Support for Snort*       |
| http://www.silicondefense.com/                        |
+--                                                    -+

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
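
The send schedule described in the forwarded message, modelled as an added example (not code from the Silicon Defense patch or from OpenSSH) to show what a timing observer sees on the wire. The tick grid, the one-keystroke-per-tick queue, the exact tail cut-off and the sample keystroke times are assumptions of this model.

```python
TICK_MS = 50    # send interval stated in the post
TAIL_MS = 1000  # "about 1 second" of bogus packets after the last keystroke

# Constructed sample: keystroke times in ms, with a pause before the last two.
KEYS = [0, 130, 210, 480, 560, 3000, 3090]


def wire_schedule(key_times_ms):
    """Return [(send_time_ms, kind)] as seen leaving the sender.

    Model assumptions (not taken from the patch): a global 50 ms tick grid,
    at most one queued keystroke per tick, and a sender that goes quiet once
    TAIL_MS has passed since the last real packet.
    """
    keys = sorted(key_times_ms)
    out, i = [], 0
    while i < len(keys):
        t = -(-keys[i] // TICK_MS) * TICK_MS  # first tick at or after the keystroke
        last_real = t
        while True:
            if i < len(keys) and keys[i] <= t:
                out.append((t, "real"))       # keystroke waits for the tick
                last_real, i = t, i + 1
            elif t - last_real <= TAIL_MS:
                out.append((t, "bogus"))      # 16-byte filler, keystroke-sized
            else:
                break                         # idle: quiet until the next keystroke
            t += TICK_MS
    return out


def gaps(times):
    """Inter-arrival times, the quantity a timing observer measures."""
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    sched = wire_schedule(KEYS)
    print("typed gaps:   ", gaps(KEYS))
    print("observed gaps:", sorted(set(gaps([t for t, _ in sched]))))
    print("packets:", len(sched), "real:", sum(k == "real" for _, k in sched))
```

Within a burst every observed gap is 50 ms regardless of typing rhythm; the single longer gap in this sample is the pause that outlasted the 1 second tail, which is the bandwidth trade-off the post describes for idle users.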