Thanks for all the comments.  I think we're all pretty much on the same
page.

First order of business is to look at how much of a weakness this may be.
Then, implement several potential solutions.  Finally, test to see if the
"fixes" improved the situation.

I like the idea of mainly patching the username and passwd transfer.  But
there may be some utility to having interactive sessions as bullet proof as
possible.

I will pitch the idea to my group.  If they agree to work on it, we will
have something by the end of the quarter (bar F).

--Kevin




On Fri, Sep 12, 2008 at 7:01 AM, Mike M <the.lists@mgm51.com> wrote:

quoted text
> On 9/10/2008 at 2:58 PM Kevin Neff wrote:
>
> |Hi,
> |
> |Some secure protocols like SSH send encrypted keystrokes
> |as they're typed.  By doing timing analysis you can figure
> |out which keys the user probably typed (keys that are
> |physically close together on a keyboard can be typed
> |faster).  A careful analysis can reveal the length of
> |passwords and probably some of password itself.
>  =============
>
>
> >> (keys that are physically close together on a keyboard
> >> can be typed faster).
>
>
> I do not agree with that statement.   Using two fingers I can hit the "A"
> and
> "L" keys nearly simultaneously (probably could even hit them simultaneously
> if
> I tried enough).
>
> The statement seems to rely upon the typist being a one-finger typer.