[Security] keystroke and timing attacks against IM traffic?

Florian Zeitz florian.zeitz at gmx.de
Mon Aug 4 21:48:02 CDT 2008



> During an IM session earlier today, Jonathan Schleifer mentioned to me 
> that he thinks the work of Song, Wagner, and Tian on SSH might apply 
> equally to instant messaging traffic:
> 
> http://www.cs.berkeley.edu/~daw/papers/ssh-use01.pdf
> 
> For an opposing view see:
> 
> http://www.cs.virginia.edu/~evans/cs588-fall2001/projects/reports/team4.pdf
> 
> It seems to me quite possible that IM traffic is more susceptible to 
> attacks of this kind than SSH is, especially given the existence of 
> things like chat state notifications:
> 
> http://www.xmpp.org/extensions/xep-0085.html
> 
> Thoughts?
> 
> /psa

I personally totally fail to see how this attack applies to IM/XMPP.
They are specifically taking advantage of the fact that SSH sends
characters one-by-one in interactive mode to make brute-forcing easier
by comparing the timing with gathered statistics for certain character
combinations.
This does not apply to XMPP at all. There is no traffic sent giving an
attacker any clue how much time went by between a user typing two
characters (AFAIK that is). Additionally, typing notifications are not a
good indicator of the length of a message, because a user might also
delete characters (I have personally been typing rather short messages
for minutes and rather long ones in seconds).
If Jonathan has any other attacks in mind or found a way to apply this
technique to XMPP I'd really like to hear about it.
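As an added illustration (not part of the original thread), a small Python model of what a passive network observer can time under the two transport models the reply contrasts: one packet per keystroke (SSH interactive mode) versus one stanza per message plus a chat-state notification (XMPP, XEP-0085). The keystroke trace, including deletions, is constructed, and the chat-state model is simplified to a single "composing" event at the first keystroke.

```python
"""Compare the timing information exposed by per-keystroke transport
(SSH interactive mode) with per-message transport (XMPP)."""
from typing import Dict, List, Tuple

# Constructed sample trace: (time in seconds, key). "\b" is a backspace,
# "\n" sends the message. The user types "hello", deletes two characters
# and retypes them, so 9 keystrokes produce a 5-character message.
KEYSTROKES: List[Tuple[float, str]] = [
    (0.00, "h"), (0.12, "e"), (0.25, "l"), (0.31, "l"), (0.50, "o"),
    (0.70, "\b"), (0.85, "\b"), (1.10, "l"), (1.22, "o"), (1.40, "\n"),
]


def compose(keys: List[Tuple[float, str]]) -> str:
    """Apply the keystrokes (with backspaces) to obtain the text sent."""
    buf: List[str] = []
    for _, k in keys:
        if k == "\n":
            break
        if k == "\b":
            if buf:
                buf.pop()
        else:
            buf.append(k)
    return "".join(buf)


def ssh_observation(keys: List[Tuple[float, str]]) -> List[float]:
    """SSH interactive mode: every keystroke is its own packet, so the
    observer recovers every inter-keystroke interval directly."""
    times = [t for t, _ in keys]
    return [round(b - a, 2) for a, b in zip(times, times[1:])]


def xmpp_observation(keys: List[Tuple[float, str]]) -> List[tuple]:
    """XMPP: nothing is sent per keystroke. The observer sees a composing
    chat state when typing starts and one message stanza at send time
    whose size reflects the final text, not the number of keystrokes."""
    events: List[tuple] = [("composing", keys[0][0])]
    for t, k in keys:
        if k == "\n":
            events.append(("message", t, len(compose(keys))))
            break
    return events


def leaked_interval_counts(keys: List[Tuple[float, str]]) -> Dict[str, int]:
    """Number of timing intervals visible to the observer under each model."""
    return {"ssh": len(ssh_observation(keys)),
            "xmpp": len(xmpp_observation(keys)) - 1}
```

Under the SSH model all nine inter-keystroke intervals are exposed; under the XMPP model only the composing-to-message delay and the final stanza size are, and the latter (5) does not reveal the nine keystrokes behind it.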