Source URL: https://crzphil.github.io/posts/ssh-obfuscation-bypass/
Source: Hacker News
Title: OpenSSH Keystroke Obfuscation Bypass
Feedly Summary: Comments
AI Summary and Description: Yes
**Summary:**
The text discusses a vulnerability discovered in OpenSSH version 9.5 related to keystroke timing attacks, specifically highlighting a bypass of the obfuscation measures intended to protect against such attacks. It provides insights into the inadequacy of the current mechanism and emphasizes the potential risks associated with metadata leakage in SSH sessions. The researcher created a tool (SSHniff) to demonstrate the exploit, underscoring its implications for security professionals working with SSH and cryptographic protocols.
**Detailed Description:**
This disclosure outlines significant security concerns surrounding OpenSSH’s implementation of keystroke obfuscation. OpenSSH introduced measures in version 9.5 to combat keystroke timing attacks by adding timing obfuscation and fake traffic (chaff packets) to obscure real keystrokes. Despite these enhancements, the researcher successfully found a method to bypass these obfuscation techniques.
### Major Points:
– **OpenSSH’s Vulnerability:**
– OpenSSH version 9.5 attempted to mitigate keystroke timing attacks through added obfuscation, yet was found to be ineffective when subjected to practical testing.
– The use of timing obfuscation involved fixed intervals of traffic (20ms) and chaff packets sent after each keystroke to confuse potential attackers.
– **Discovery of Bypass:**
– The researcher identified that despite the obfuscation, certain packets exhibited notable characteristics that allowed for the original keystrokes to be inferred.
– Through detailed analysis using tools like Wireshark and SSHniff, the researcher demonstrated how metadata could still leak sensitive information.
– **Impact on Confidentiality:**
– SSH sessions, although encrypted, leak metadata that can compromise confidentiality. The timing and size of packets can lead to potential attacks that infer commands or keystrokes.
– The findings highlight a fundamental issue in relying solely on encryption for security, especially when metadata is not adequately protected.
– **Tool Development:**
– The researcher developed SSHniff, a tool to automate the extraction of keystroke metadata and demonstrate the bypass of obfuscation in practical scenarios.
– The use of algorithms like Dynamic Time Warping (DTW) showcases how intercepted latencies can be leveraged to reconstruct command sequences.
### Practical Implications:
– Security professionals, particularly those involved in SSH and cryptographic communication, need to be aware of this loophole in OpenSSH’s attempts at obfuscation.
– Organizations must evaluate their reliance on default SSH configurations and consider additional layers of security, especially in environments where sensitive command execution is routine.
– Continuous monitoring and analysis of SSH traffic should be encouraged to detect anomalies that may indicate metadata leakage or attacks.
Overall, this issue emphasizes the importance of not just implementing security measures but also continuously assessing their effectiveness against evolving attack methodologies.