Traffic Analysis Countermeasures for OpenSSH

OpenSSH is a popular program for logging in to other computers securely. It makes extensive use of cryptography to ensure that the communication is private and can't be tampered with. Unfortunately, it does not include any countermeasures to prevent an eavesdropper from learning about the information from watching the timing of information transmission.

Over the past 10 years, there has been some discussion and several patches concerning keystroke timing being revealed by the timing of openssh packet network transmission. The issue is that keystroke timing is correlated with the plaintext, and openssh users expect their communications to be kept entirely secret.

Despite some excellent ideas and patches, such as Jason Coit's patch there has been little done to address this problem. As far as I can tell, the only countermeasure implemented in OpenSSH is that the server will echo back dummy messages (rather than nothing) when users enter passwords. But users expect all of their communication to be secret... not just their passwords! (There is no project called "SecurePasswordShell"!)

I think Jason's approach is spot on:

  1. keystrokes should be only sent at predetermined intervals (eg: every 50ms, or 20 times a second)
  2. cover traffic at these fixed transmission times should be sent even if no keystroke is pressed. This can be turned off whenever a user is idle for 3 seconds.
The security of Jason's proposal is clear: no information is leaked, except the timing of when the user starts and stops a typing spurt. This is because the same traffic pattern is created, regardless of the timing of the keystrokes.

I have implemented the first of Jason's countermeasures in this patch to OpenSSH: openssh-timing.diff. To send information every 50ms, you would add "-o HideInputTiming 0.05" to the ssh command.