Time and Tide Wait for No Protocol
Subject:   easy maybe
Date:   2002-01-05 11:35:18
From:   xinwenfu
For Dawn Song's attack on SSH passwords, maybe a simple change to the SSH protocol can solve the problem.

Why send the password letters one by one? Collect them together (we know when the user ends the password input) and then send them out in one packet. That is it.

Take it easy!


  • easy maybe
    2002-02-10 08:42:02  res

    Read the article again -- I'm afraid you completely missed the point. SSH already does this; the timing attack is entirely unrelated.
    • easy maybe
      2003-04-05 13:58:50  anonymous2

      Actually res, I think you have missed the point being made by xinwenfu.

      When a user authenticates to some system or service while using an SSH connection (not authentication of the SSH connection itself), SSH could be patched to spot that a password is being typed and, rather than send each character one at a time (susceptible to the timing attack), it should gather them and send them in a single packet, just like it already does for its own connections.

      It's a good idea, but I suspect a little difficult to achieve, because it would be quite hard for SSH to spot the very different password mechanisms of the many and various systems and services in use in the real world.
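
The buffering idea debated in this thread, shown as an added example that is not part of any post and is not SSH's own code: it compares what a passive network observer can measure when each keystroke goes out in its own packet with what is visible when the client holds the keys until Enter. The keystroke timings, the function names and the fixed-size padding (an extra assumption, so the single packet's size does not reveal the password length) are all constructed for illustration.

```python
from typing import List, Tuple

# Constructed sample: (milliseconds since the prompt, key typed), ending with Enter.
KEYSTROKES: List[Tuple[int, str]] = [
    (0, "s"), (142, "3"), (231, "c"), (498, "r"),
    (561, "E"), (803, "t"), (950, "\n"),
]

PAD_BLOCK = 32  # assumed padding granularity for the batched payload, in bytes

Packet = Tuple[int, int]  # (send time in ms, payload size in bytes)


def per_keystroke(keys: List[Tuple[int, str]]) -> List[Packet]:
    """Interactive mode: one packet per key, sent the moment it is typed."""
    return [(t, 1) for t, _ in keys]


def batched(keys: List[Tuple[int, str]], pad_block: int = PAD_BLOCK) -> List[Packet]:
    """Buffered mode: hold keys until Enter, then send one padded packet."""
    packets: List[Packet] = []
    buf: List[str] = []
    for t, key in keys:
        buf.append(key)
        if key == "\n":
            # Round the payload up to a whole number of padding blocks.
            size = -(-len(buf) // pad_block) * pad_block
            packets.append((t, size))
            buf = []
    return packets  # keys typed without a final Enter are never sent


def observed_intervals(packets: List[Packet]) -> List[int]:
    """Gaps between packet send times: the signal the timing attack relies on."""
    times = [t for t, _ in packets]
    return [b - a for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    print("per-keystroke intervals:", observed_intervals(per_keystroke(KEYSTROKES)))
    print("batched packets:        ", batched(KEYSTROKES))
    print("batched intervals:      ", observed_intervals(batched(KEYSTROKES)))
```

The model assumes the client already knows where the password starts and ends, which is exactly the part anonymous2 expects to be hard for passwords typed to a remote program inside the session.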