Security firm discounts password threat

[InfoSec News <isn () c4i org>]

http://investor.cnet.com/investor/news/newsitem/0-9900-1028-6962993-0.html?tag=ats

By: Robert Lemos
8/24/01 2:15 PM
Source: News.com  

Network security company SSH Communications said Friday that it is
investigating claims that advanced pattern recognition can be used to
weaken the security around an encryption standard used to protect
connections between computers.

The standard, known as secure shell, or SSH, encrypts the data
traveling between an administrator's computer and a remote server,
allowing for much more secure communications, even over the Internet.

That security, however, was called into question at a technical
security conference last week, when three University of
California-Berkeley researchers outlined a process by which guessing
passwords sent using SSH can be made an estimated 50 times easier.

While the company acknowledged the research, SSH Communications called
the problems highlighted by the paper "theoretical."

"As we have taken a look at this particular problem, we don't feel it
is a practical threat to secure shell users," said Albert David,
senior director of technical services and operations for the Helsinki,
Finland-based company.

The problem with the program is not in a weakness in the encryption
but the mere fact that the application is interactive. Once logged
into the server from a remote computer, every keystroke on the remote
machine is sent one by one to the server.

The three Berkeley researchers showed that by analyzing the times
between each letter of a password typed in, pattern recognition can be
used to narrow the possible number of candidates for the password.

For example, typing in "er"--two letters adjacent on the QWERTY
keyboard--takes less time on average than "qz"--letters separated by a
row of keys.

In addition, an attacker monitoring the encrypted channel can
determine the length of the password, another key piece of information
that makes brute-force guessing of the password much easier.

"The factor of 50 is just taking into account the timing latencies,"
said Dawn Xiaodong Song, the graduate student who presented the paper
at the Usenix Security Conference in Boston last week. "We showed that
the attacker can also learn the precise lengths of the password, which
gives them a big advantage."

Song said the group of researchers, including professor David Wagner
and graduate student Xuqing Tian, had talked with both SSH
Communications and the Open SSH Project.

While the technique can be used to guess the administrator's password
for a server, because the initial log-on using SSH is sent as one
packet of data, the timing technique is less useful for actually
breaking into a server, Song said.

SSH Communications intends to continue studying the research.

"We are always looking at ways to improve our security," David said.
"If there is a way to make SSH stronger, we will try."


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.