On Wed, 10 Sep 2008, Kevin Neff wrote:

> Hi,
> 
> Some secure protocols like SSH send encrypted keystrokes
> as they're typed.  By doing timing analysis you can figure
> out which keys the user probably typed (keys that are
> physically close together on a keyboard can be typed
> faster).  A careful analysis can reveal the length of
> passwords and probably some of the password itself.
> 
> The paper:
> 
>   http://portal.acm.org/citation.cfm?id=1267612.1267637&coll=Portal&dl=GUIDE&CFID=1943417&CFTOKEN=28290455
> 
> I'm seriously considering implementing a fix for this
> weakness.  Is there any interest in incorporating this
> sort of thing into OpenBSD?

Be warned: implementing any sort of time-based events in the current
SSH mainloop is annoyingly difficult.

If you can do it cleanly, then we are interested.

-d
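
The leak described in this thread and one shape a fix could take, as an added example (not from either poster and not OpenSSH code): packets sent per keystroke expose inter-key gaps, while sending a fixed-size packet on every timer tick, with chaff when nothing was typed, makes the gaps constant. The 50 ms tick, the four-tick tail, the function names and the sample keystroke times are all constructed assumptions.

```python
from collections import deque

TICK_MS = 50      # assumed fixed send interval (hypothetical value)
TAIL_TICKS = 4    # assumed chaff ticks after the last keystroke (hypothetical)

def naive_schedule(keystrokes):
    """One packet per keystroke, sent as typed: the wire mirrors the typist."""
    return [(t, ch) for t, ch in keystrokes]

def padded_schedule(keystrokes, tick_ms=TICK_MS, tail_ticks=TAIL_TICKS):
    """Send one fixed-size packet on every tick; None marks a chaff packet.

    keystrokes: list of (time_ms, char), sorted by time.
    """
    if not keystrokes:
        return []
    pending, queue, out = deque(keystrokes), deque(), []
    t = -(-keystrokes[0][0] // tick_ms) * tick_ms  # first tick at/after first key
    idle = 0
    while pending or queue or idle < tail_ticks:
        while pending and pending[0][0] <= t:      # keys typed since last tick
            queue.append(pending.popleft()[1])
        if queue:
            out.append((t, queue.popleft()))       # real keystroke
            idle = 0
        else:
            out.append((t, None))                  # chaff, same size on the wire
            idle += 1
        t += tick_ms
    return out

def observed_gaps(schedule):
    """What a passive observer sees: only the spacing between packets."""
    times = [t for t, _ in schedule]
    return [b - a for a, b in zip(times, times[1:])]

# Constructed sample: (ms, key) for someone typing "pass".
SAMPLE = [(1000, "p"), (1085, "a"), (1310, "s"), (1395, "s")]

if __name__ == "__main__":
    print("naive gaps: ", observed_gaps(naive_schedule(SAMPLE)))
    print("padded gaps:", observed_gaps(padded_schedule(SAMPLE)))
    print("packets sent:", len(padded_schedule(SAMPLE)), "for", len(SAMPLE), "keys")
```

The padded stream still shows when typing began and roughly how long it lasted, and the fixed tail is a simplification. Sending on every tick is a time-based event of the kind the reply says is difficult in the SSH mainloop.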
