OpenSSH 9.5 released with keystroke timing obfuscation

OpenSSH 9.5 released with keystroke timing obfuscation(lwn.net)

232 points by surteen 2 years ago | 58 comments

Tempest1981 2 years ago |

More from last month:

https://news.ycombinator.com/item?id=37307708 (258 comments)

dang 2 years ago | |

Thanks! Macroexpanded:

Keystroke timing obfuscation added to ssh(1) - https://news.ycombinator.com/item?id=37307708 - Aug 2023 (255 comments)

also:

Timing Analysis of Keystrokes and Timing Attacks on SSH (2001) [pdf] - https://news.ycombinator.com/item?id=18557916 - Nov 2018 (17 comments)

throw0101a 2 years ago |

More importantly (IMHO):

    ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
    are very convenient due to their small size. Ed25519 keys are
    specified in RFC 8709 and OpenSSH has supported them since version 6.5
    (January 2014).

* https://www.openssh.com/releasenotes.html#9.5

Previously, if you didn't specify "-t", you got RSA keys; now you get Ed25519, and if you want RSA you have to ask for it.

NIST's publication of FIPS 186-5 in February (2023) added Ed25519 and Ed448 as approved (? allowed?) algorithms:

* https://csrc.nist.gov/publications/detail/fips/186/5/final

* https://en.wikipedia.org/wiki/EdDSA#Standardization_and_impl...

Partly one of the reasons given for the default switch:

* https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-Se...

Curious to know if/when the OpenSSH folks will add Ed448 (RFC 8709, like Ed25519).

jshier 2 years ago | |

Last I checked, Azure didn't support Ed25519 keys, so manual fallback to RSA will now be required.

https://feedback.azure.com/d365community/idea/1dca6716-dc25-...

akulbe 2 years ago | | |

That wouldn’t surprise me at all. I recently had issues with an EC2 instance in AWS that I couldn’t auth to, with an Ed25519-based key.

Turns out they didn’t even support it until ~2021.

These instances were created before then. It took quite a while to figure out what was going on.

milliams 2 years ago | | |

That seems like specifically Azure DevOps, not the Azure platform generally? I assume any OS running inside Azure Compute, or any other managed services will support Ed25519 fine?

prussian 2 years ago | | |

It's probably because FIPS 140-2 doesn't list it. I know machines booted with fips=1 and fips certified openssl, etc, openssh won't accept ed25519 keys for key auth.

nullc 2 years ago | |

> Curious to know if/when the OpenSSH folks will add Ed448

Yeah, it's a little weird feeling to downgrade in best-estimate security level to go from 4096 bit RSA to ed25519. Ed448 avoids that concern.

throw0101a 2 years ago | | |

RSA 3072 has the 'comparable' security of AES 128:

* https://www.keylength.com/en/4/

Going to 4096 doesn't get you much given you have weaker links in the security chain. The next step up would be AES 192 and RSA 7680, and then AES 256 with RSA 15360.

botanical 2 years ago | |

Somehow I've never heard of Curve448 or the company Rambus. It's giving me (unfounded) Crypto AG vibes.

https://en.wikipedia.org/wiki/Crypto_AG

mastax 2 years ago | | |

Strange, I didn't expect Rambus to be involved in cryptography, nor that they would give away the spec and implementation. I guess it was designed to be a smaller die-area solution for some of their silicon IP products, and opening it up just makes it more convenient for their customers to use. (And, hopefully, nobody is stupid enough to use some vendor's secret proprietary crypto in their chips).

I'd be interested to read a history of Rambus. They're a strange and somewhat controversial company. I lived through the controversy but I'm not certain I remember it correctly. From what I remember they patented some things related to DDR SDRAM, I'm not sure how much credit they deserve for developing those things or if they were just first to file. For part of the Pentium 4's lifecycle they convinced Intel to use Rambus' proprietary DRAM (RDRAM) which supposedly had some benefits but I just remember being overpriced. They shook down DDR manufacturers for patent licensing fees. Apparently the EU opened an antitrust investigation into them for getting their patents into the standard and then not licensing them freely enough. I'm not sure it's fair to call them a patent troll but I guess they're something similar to Fraunhofer or Synopsis.

brohee 2 years ago | | |

Rambus was pretty well known for using a submarine patent against RAM manufacturers back in late nineties https://www.edn.com/submarine-patents-could-torpedo-rambus/ followed by fifteen years of acting like a patent troll...

They may have good tech but have an history of being super shady.

tptacek 2 years ago | | |

This comment is cringe enough that it is making the rounds on multiple Slacks. It's fine that you've never heard of Curve448. That just means you're not a cryptography engineer. Most people aren't! But if you're not one of those, be a little careful about connecting the dots to things like "Crypto AG". Saying "I've never heard of Curve448, it sounds sketchy" is a little like a systems programmer saying "I've never heard of Paxos before, it sounds sketchy". Most systems programmers are never going to do anything with Paxos. But all the competent ones can look it up in about 20 seconds and confirm that it isn't a conspiracy.

rdtsc 2 years ago | | |

Not sure about Crypto AG level shardy. But they are still shady. When I see Rambus I think "patent troll".

https://en.wikipedia.org/wiki/Rambus

> Rambus was accused of shredding key documents prior to court hearings, the judge agreed and dismissed Rambus' case against Infineon. T

> On January 9, 2009, a Delaware federal judge ruled that Rambus could not enforce patents against Micron Technology Inc., stating that Rambus had a "clear and convincing" show of bad faith, and ruled that Rambus' destruction of key related documents (spoliation of evidence) nullified its right to enforce its patents against Micron.[28]

> Rambus engaged in intentional deceptive conduct in the context of the standard-setting process for example by not disclosing the existence of the patents which it later claimed were relevant to the adopted standard. This type of behavior is known as a "patent ambush".

> Ronald Black, Rambus's CEO, said, "Somehow we got thrown into the patent troll bunch...This is just not the case."[43]

See, they are the good guys after all. It came right from their CEO. /s

If someone is acting like this then shows up with a "here is a cool curve you can use", not surprising people will be suspicious. It's like that neighbor who has been suing everyone in the neighborhood, and calling the cops on kids playing outside, all of the sudden shows with a plate of cookies. People will think twice before trying a cookie.

throwaway9870 2 years ago | | |

Rambus is an interesting company. I can't vouch for their crypto offerings, but they have been around since the 90's and at one point pioneered high-speed DRAM interfaces. Lots of what we see in DDR today is based on ideas and concepts they pushed forward in their proprietary interface. Early on, they definitely did innovative work.

IIRC, their interfaces were used in some Sony play-stations and also some Intel systems.

throw0101a 2 years ago | | |

That particular curve was chosen for specific technical reasons:

* https://en.wikipedia.org/wiki/Curve448

DiabloD3 2 years ago | | |

My fellow comments aren't actually getting to the point: The original release of the Pentium 4 used Rambus RAM, instead of the JEDEC standard of the time.

This Pentium 4 was released in the year 2000.

So, yes, Rambus, the company, is a known quantity. Just weird they're into crypto now, because trying to wiggle into this already crowded patent landmine is certainty an... interesting choice.

pnpnp 2 years ago | |

What are the pros/cons of Ed448?

throw0101a 2 years ago | | |

> Ed25519 is one of the two digital signature algorithms today that use the EdDSA algorithm framework. The other is Ed448, which targets a higher security level (224-bit vs 128-bit) but is also slower and uses SHAKE256 (which is overkill and not great for performance).

* https://soatok.blog/2022/05/19/guidance-for-choosing-an-elli...

sigg3 2 years ago | |

This is great news and has a much larger impact than the featured feature IMO.

FiloSottile 2 years ago |

I'm very proud that we implemented server-side support for the keystroke timing obfuscation mechanism in golang.org/x/crypto/ssh already.

(I just clicked the Submit button! https://go.dev/cl/524775)

It's a small change, but it's a signal that we're much more on top of x/crypto/ssh maintenance, compared to a year ago when we had to scramble to implement rsa-sha2-256/512 support just hours before GitHub (rightfully) dropped SHA-1 support, potentially breaking every x/crypto/ssh client.

The main reason is that thanks to the funding of my clients (https://words.filippo.io/full-time-maintainer/) I was able to hire Nicola Murino, the maintainer of SFTPGo, to pick up maintenance of x/crypto/ssh. This is benefiting both my clients and the whole ecosystem, and is a little step in growing the professional maintainer model.

CodesInChaos 2 years ago | |

Why does the server side need support for that? Is it the ping/pong feature mentioned in the OpenSSH announcement?

throw0101a 2 years ago |

The link that was (originally) submitted is to LWN just posting the release notes. The direct link(s) to the release notes is:

* https://www.openssh.com/txt/release-9.5

* https://www.openssh.com/releasenotes.html#9.5

cabirum 2 years ago |

The release notes do not say why there is a need to obfuscate keystroke timings. I guess it is designed to mitigate some attack vector? Is it already being exploited in the wild or... let's say is purely of academic interest?

rollcat 2 years ago |

If you use OpenSSH (wink), please consider donating to OpenBSD, aka the upstream developers: https://www.openbsd.org/donations.html

devsda 2 years ago |

> This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.

So does it send these phantom keystrokes only when there are real keystrokes?

On first reading I thought it sends periodic+random keystrokes and so {Client,Server}AliveInterval option(s) may not be required to keep the connection alive. Need to try and confirm the behaviour.

This version also changes ssh-keygen to generate ed25519 keys by default. Time to update scripts that generate keys without a '-t' arg.

acquacow 2 years ago | |

It's 2023, you shouldn't be using the old rsa keys anyway.

tialaramex 2 years ago | | |

Meh. RSA is only used to sign things in SSH and the keys used are generated in a conventional way and with the parameters you'd be told to pick (e.g. exponent 65537)

I'd say at this point the risk of silly goofs in the curve code is similar to the risk from RSA given how well understood it is.

jsanford 2 years ago |

With the new default ObscureKeystrokeTiming setting, a single typed character now causes hundreds of packets on the wire instead of 3.

enbugger 2 years ago |

What are the downsides of this?

guerrilla 2 years ago |

It's nice to see that they take this seriously. I praise their risk aversion.