Security '01 Abstract
Timing Analysis of Keystrokes and Timing Attacks on SSH
Dawn Xiaodong Song, David Wagner and Xuqing Tian,
University of California, Berkeley
SSH is designed to provide a secure channel between
two hosts. Despite the encryption and authentication
mechanisms it uses, SSH has two weakness: First, the
transmitted packets are padded only to an eight-byte
boundary (if a block cipher is in use), which reveals the
approximate size of the original data. Second, in interactive
mode, every individual keystroke that a user types
is sent to the remote machine in a separate IP packet immediately
after the key is pressed, which leaks the interkeystroke
timing information of users' typing. In this
paper, we show how these seemingly minor weaknesses
result in serious security risks.
First we show that even very simple statistical techniques
suffice to reveal sensitive information such as the
length of users' passwords or even root passwords. More
importantly, we further show that by using more advanced
statistical techniques on timing information collected
from the network, the eavesdropper can learn significant
information about what users type in SSH sessions.
In particular, we perform a statistical study of
users' typing patterns and show that these patterns reveal
information about the keys typed. By developing a
Hidden Markov Model and our key sequence prediction
algorithm, we can predict key sequences from the interkeystroke
timings. We further develop an attacker system,
Herbivore , which tries to learn users' passwords by
monitoring SSH sessions. By collecting timing information
on the network, Herbivore can speed up exhaustive
search for passwords by a factor of 50. We also propose
In general our results apply not only to SSH, but also
to a general class of protocols for encrypting interactive
traffic. We show that timing leaks open a new set of
security risks, and hence caution must be taken when
designing this type of protocol.
- View the full text of this paper in
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.