CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Security firm discounts password threat

Network security company SSH Communications investigates researchers' claim that pattern recognition can be used to weaken the security on its widely used SSH protocol.

Network security company SSH Communications said Friday that it is investigating claims that advanced pattern recognition can be used to weaken the security around an encryption standard used to protect connections between computers.

The standard, known as secure shell, or SSH, encrypts the data traveling between an administrator's computer and a remote server, allowing for much more secure communications, even over the Internet.

That security, however, was called into question at a technical security conference last week, when three University of California-Berkeley researchers outlined a process by which guessing passwords sent using SSH can be made an estimated 50 times easier.

While the company acknowledged the research, SSH Communications called the problems highlighted by the paper "theoretical."

"As we have taken a look at this particular problem, we don't feel it is a practical threat to secure shell users," said Albert David, senior director of technical services and operations for the Helsinki, Finland-based company.

The problem with the program is not in a weakness in the encryption but the mere fact that the application is interactive. Once logged into the server from a remote computer, every keystroke on the remote machine is sent one by one to the server.

The three Berkeley researchers showed that by analyzing the times between each letter of a password typed in, pattern recognition can be used to narrow the possible number of candidates for the password.

For example, typing in "er"--two letters adjacent on the QWERTY keyboard--takes less time on average than "qz"--letters separated by a row of keys.

In addition, an attacker monitoring the encrypted channel can determine the length of the password, another key piece of information that makes brute-force guessing of the password much easier.

"The factor of 50 is just taking into account the timing latencies," said Dawn Xiaodong Song, the graduate student who presented the paper at the Usenix Security Conference in Boston last week. "We showed that the attacker can also learn the precise lengths of the password, which gives them a big advantage."

Song said the group of researchers, including professor David Wagner and graduate student Xuqing Tian, had talked with both SSH Communications and the Open SSH Project.

While the technique can be used to guess the administrator's password for a server, because the initial log-on using SSH is sent as one packet of data, the timing technique is less useful for actually breaking into a server, Song said.

SSH Communications intends to continue studying the research.

"We are always looking at ways to improve our security," David said. "If there is a way to make SSH stronger, we will try."