Time and Tide Wait for No Protocol
Subject:   easy maybe
Date:   2002-02-10 08:42:02
From:   res
Response to: easy maybe

Read the article again -- I'm afraid you completely missed the point. SSH already does this; the timing attack is entirely unrelated.

  • easy maybe
    2003-04-05 13:58:50  anonymous2

    Actually res, I think you have missed the point being made by xinwenfu.

    When a user authenticates to some system or service while using an SSH connection (not authentication of the SSH connection itself), SSH could be patched to spot that a password is being typed and rather than send one character at a time (susceptible to the timing attack), it should gather them and send them in a single packet, just like it does already for its own connections.

    It's a good idea but I suspect a little difficult to achieve because it would be quite hard for SSH to spot the very different password mechanisms of the many and various systems and services in use in the real world.