[ISN] Security firm discounts password threat

From: InfoSec News (isnat_private)
Date: Sun Aug 26 2001 - 02:53:52 PDT

  • Next message: InfoSec News: "[ISN] FBI's 'Carnivore' Might Target Wireless Text"

    http://investor.cnet.com/investor/news/newsitem/0-9900-1028-6962993-0.html?tag=ats
    
    By: Robert Lemos
    8/24/01 2:15 PM
    Source: News.com  
    
    Network security company SSH Communications said Friday that it is
    investigating claims that advanced pattern recognition can be used to
    weaken the security around an encryption standard used to protect
    connections between computers.
    
    The standard, known as secure shell, or SSH, encrypts the data
    traveling between an administrator's computer and a remote server,
    allowing for much more secure communications, even over the Internet.
    
    That security, however, was called into question at a technical
    security conference last week, when three University of
    California-Berkeley researchers outlined a process by which guessing
    passwords sent using SSH can be made an estimated 50 times easier.
    
    While the company acknowledged the research, SSH Communications called
    the problems highlighted by the paper "theoretical."
    
    "As we have taken a look at this particular problem, we don't feel it
    is a practical threat to secure shell users," said Albert David,
    senior director of technical services and operations for the Helsinki,
    Finland-based company.
    
    The problem with the program is not in a weakness in the encryption
    but the mere fact that the application is interactive. Once logged
    into the server from a remote computer, every keystroke on the remote
    machine is sent one by one to the server.
    
    The three Berkeley researchers showed that by analyzing the times
    between each letter of a password typed in, pattern recognition can be
    used to narrow the possible number of candidates for the password.
    
    For example, typing in "er"--two letters adjacent on the QWERTY
    keyboard--takes less time on average than "qz"--letters separated by a
    row of keys.
    
    In addition, an attacker monitoring the encrypted channel can
    determine the length of the password, another key piece of information
    that makes brute-force guessing of the password much easier.
    
    "The factor of 50 is just taking into account the timing latencies,"
    said Dawn Xiaodong Song, the graduate student who presented the paper
    at the Usenix Security Conference in Boston last week. "We showed that
    the attacker can also learn the precise lengths of the password, which
    gives them a big advantage."
    
    Song said the group of researchers, including professor David Wagner
    and graduate student Xuqing Tian, had talked with both SSH
    Communications and the Open SSH Project.
    
    While the technique can be used to guess the administrator's password
    for a server, because the initial log-on using SSH is sent as one
    packet of data, the timing technique is less useful for actually
    breaking into a server, Song said.
    
    SSH Communications intends to continue studying the research.
    
    "We are always looking at ways to improve our security," David said.
    "If there is a way to make SSH stronger, we will try."
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sun Aug 26 2001 - 05:03:47 PDT