Re: Packet Timing and Data Leaks

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]



This isn't steganography but a timing attack. However, the timing attack isn't focused on the cipher but the user. Basically, let's assume that you are an attacker. All you have are the timing sequences of packets between a client and a host. The question is if you can take the timing between each packet to tell you anything about the data being sent.

You can make some assumptions -
1) It's an interactive session.
2) The person behind the interactive session is trained in touch typing (this won't work as well with self taught/hunk and peck/whatever typists as well because the "fist" (if we want to go back the old Morse code terminology is going be much more idiosyncratic and harder to model).

What you know is that it takes a certain amount of time for a finger to travel from the home row to a specific key and from that key to another key in a well known language. You also know that SSH doesn't delay sending packets and that each individual character is represented by a new packet. As such the pause between each individual packet roughly corresponds to the time between each key press.

Since you can model the time between key presses (given that person is trained in touch typing) for pairs of letters you may be able to use that to gain some entry into what the person is actually typing during the session.

If you can figure out even a relatively small percentage of letters you can possibly recreate large portions of the text and, from that, maybe even figure out the encryption key being used.

The Soviets did something similar to this when they bugged the American embassy in Moscow. However, in this case they did timing attack on the movement of the type ball in IBM Selectrics which might have made it easier.


On 8/5/23 3:07 PM, Nico Kadel-Garcia wrote:
On Thu, Aug 3, 2023 at 2:35 PM Chris Rapier <rapier@xxxxxxx> wrote:

Howdy all,

So, one night over beers I was telling a friend how you could use the
timing between key presses on a type writer to extract information.
Basically, you make some assumptions about the person typing (touch
typing at so many words per second and then fuzzing the parameters until
words come out).

The I found a paper written back in 2001 talked about using the
interpacket timing in interactive sessions to leak information.

I'm sure this has been addressed (or dismissed) but I'm looking for the
specific section of code that might deal with this. Any pointers?



Why would any code "deal with this"? What you're describing is a form
of steganography, embedding another subtler, more dangerous message
inside the larger, safer, apparent message. Because there are so many
ways to hide such data, it's not even theoretically possible to avoid
altogether. OpenSSH would be the wrong layer of the stack to
manipulate this, especially given the attempts to improve interactive
behavior by improving responsiveness and reducing latency. If you're
making a system as swift and responsive as possible, it becomes very
difficult to regulate the timing of what may be human driven
interactions. And if you're going to manipulate packet delays.....
that's at the network layer or data layer, layer 2 or layer 3 of the
OSI stack. OpenSSH is more at the transport layer.

I don't see how OpenSSH could be written to avoid this.without
sacrificing responsive of interactive sessions.
openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux