Behold, James Wilkinson <james@xxxxxxxxxxxxxxxxxxx> hath decreed:
> On the possibility of "sniffing" a password sent through a SSH-encrypted
> tunnel:
>
> There were a series of papers some time ago -- one of them is at
> http://www.cs.virginia.edu/cs588/projects/reports/team4.pdf -- which
> claimed that it was possible to guess which keys a user presses by
> measuring the time between keystrokes.
>

I'm not privy to the intricacies of the ssh authentication protocol, but why doesn't/can't the ssh client simply not send any of the password until the user presses Enter, thereby defeating this attack against an initial ssh authentication (presumably the ssh client knows when the server is asking for a password)?

As for other passwords, such as sent to sudo once the connection is established, the connection is encrypted, so it seems unlikely the attack would work.

And if all else fails, the ssh client could (maybe it already does) insert some artificial random delays into transmissions coming from key entries.

--
prothonotar at tarnation.dyndns.org
"Every man is a mob, a chain gang of idiots."
- Jonathan Nolan, /Memento Mori/
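The two client-side ideas raised in the message above (holding the password until Enter, and adding random delays), as an added Python simulation that is not part of the original post or of any SSH client's code. The keystroke times, the 0.2 s delay bound and all function names are constructed for illustration.

```python
import random

# Constructed sample: times (seconds) at which a user presses each key of an
# 8-character password, followed by Enter. Not taken from any real capture.
KEY_TIMES = [0.00, 0.18, 0.31, 0.62, 0.74, 1.05, 1.19, 1.40, 1.66]


def send_per_key(key_times):
    """One packet per keystroke, sent immediately."""
    return list(key_times)


def send_on_enter(key_times):
    """Buffer locally; emit a single packet when Enter (the last key) is pressed."""
    return [key_times[-1]]


def send_with_jitter(key_times, max_delay, rng):
    """Delay each packet by a random amount, keeping packets in order."""
    sent, last = [], 0.0
    for t in key_times:
        last = max(last, t + rng.uniform(0.0, max_delay))
        sent.append(last)
    return sent


def intervals(packet_times):
    """Gaps between consecutive packets, i.e. the timing visible on the wire."""
    return [round(b - a, 3) for a, b in zip(packet_times, packet_times[1:])]


def mean_abs_error(true_gaps, seen_gaps):
    """Average distance between the real inter-key gaps and the observed ones."""
    return sum(abs(t - s) for t, s in zip(true_gaps, seen_gaps)) / len(true_gaps)


if __name__ == "__main__":
    true_gaps = intervals(KEY_TIMES)
    rng = random.Random(1)  # fixed seed so the run is repeatable
    for name, sent in [
        ("per-key", send_per_key(KEY_TIMES)),
        ("on-enter", send_on_enter(KEY_TIMES)),
        ("jitter 0.2s", send_with_jitter(KEY_TIMES, 0.2, rng)),
    ]:
        gaps = intervals(sent)
        err = mean_abs_error(true_gaps, gaps) if len(gaps) == len(true_gaps) else None
        print(f"{name:12} packets={len(sent)} gaps={gaps} mean_abs_error={err}")
```

Buffering until Enter leaves a single packet and therefore no inter-key gaps at all, while jitter keeps one packet per key and only perturbs each gap by at most the delay bound.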