Slashdot Mirror


SSH Taking Stand On Vulnerability

jeffy124 writes "SSH Communications is recognizing the vulnerability claim made by UC Berkeley researchers earlier this week. They say it is not a practical threat to the ssh protocol; people can still remain confident in keeping communications over ssh private. While this is true IMO, they are open to and will be researching techniques that would make the standard stronger, along with hopes of lessening this vulnerability."

3 of 90 comments

  1. Solution already exists. by Anonymous Coward · Score: 2, Interesting

    There already is a solution to this. By using a buffer and a timer you can get multiple characters in a packet. This technique is used in the SNA session environment that utilizes emulators.

    Basically, keystroke input is placed in a buffer. The buffer sends its data when the buffer is full or when a buffer timer has expired. If you type very slowly, one character at a time is sent. However, if you type normally several characters are sent in each packet.

    The only drawback with this technique is that it can increase latency. If the input is only a single character, as would be the case in selecting a menu option, the user will experience latency as they wait for the timer to expire and send the keystroke. To reduce the latency to a minimum it becomes necessary to very carefully adjust the buffer size for your particular application. Too small a buffer and the ability to guess password length still exists. Too large a buffer and latency becomes unacceptable.
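The buffer-and-timer scheme described in comment 1, as an added simulation that is not part of the original thread or any SSH implementation. The names `coalesce`, `buf_size`, `flush_after` and the keystroke timings in `KEYS` are constructed for illustration, and the timer is assumed to start at the first keystroke placed in an empty buffer.

```python
# Constructed keystroke timestamps in milliseconds: eight keys typed at a
# normal pace, then a single "menu option" key much later.
KEYS = [0, 120, 210, 390, 470, 600, 760, 850, 5000]

def coalesce(key_times, buf_size, flush_after):
    """Group keystrokes into packets; return [(send_time_ms, n_chars), ...]."""
    packets, count, buf_start = [], 0, None
    for t in key_times:
        # Timer expired before this key arrived: send what was pending.
        if count and t >= buf_start + flush_after:
            packets.append((buf_start + flush_after, count))
            count = 0
        if count == 0:
            buf_start = t          # timer starts with the first buffered key
        count += 1
        if count == buf_size:      # buffer full: send immediately
            packets.append((t, count))
            count = 0
    if count:                      # trailing keys go out when the timer fires
        packets.append((buf_start + flush_after, count))
    return packets

def observed_gaps(packets):
    """Inter-packet intervals, i.e. the timing a network observer can measure."""
    return [b[0] - a[0] for a, b in zip(packets, packets[1:])]

def latencies(key_times, packets):
    """Delay between each keystroke and the packet that carries it."""
    out, i = [], 0
    for sent, n in packets:
        out += [sent - t for t in key_times[i:i + n]]
        i += n
    return out

if __name__ == "__main__":
    for size in (1, 4, 8):
        pkts = coalesce(KEYS, size, 500)
        print(f"buf_size={size}: packets={pkts}")
        print(f"  observer sees gaps {observed_gaps(pkts)}")
        print(f"  worst-case keystroke latency {max(latencies(KEYS, pkts))} ms")
```

With `buf_size=1` the observed gaps equal the raw inter-key intervals; with a larger buffer the observer sees only flush times, at the cost of the single late keystroke waiting out the full timer.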

  2. OpenSSH - no problem by cehf2 · Score: 3, Interesting

    It appears, using OpenSSH 2.9p2 (the version currently in debian/unstable), that it sends the entire password in one TCP packet, so no problem there then.

  3. Mostly Nonsense by fanatic · Score: 3, Interesting

    I tested in OpenSSH 2.5.1p2 - the login password is sent in one packet, so the inter-key timing attack is crap for this.

    The interkey timing applies ONLY AFTER the initial login. The cracker would have to somehow know you were executing something that involved entering a password, then capture the packets with your keystrokes.

    This is getting way more play than it deserves, IMO.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody