Thanks for all the comments.  I think we're all pretty much on the same

page.
First order of business is to look at how much of a weakness this may be.

Then, implement several potential solutions.  Finally, test to see if the

"fixes" improved the situation.
I like the idea of mainly patching the username and passwd transfer.  But

there may be some utility to having interactive sessions as bullet proof as

possible.
I will pitch the idea to my group.  If they agree to work on it, we will

have something by the end of the quarter (bar F).
--Kevin
On Fri, Sep 12, 2008 at 7:01 AM, Mike M  wrote:
> On 9/10/2008 at 2:58 PM Kevin Neff wrote:

quoted text
>

> |Hi,

> |

> |Some secure protocols like SSH send encrypted keystrokes

> |as they're typed.  By doing timing analysis you can figure

> |out which keys the user probably typed (keys that are

> |physically close together on a keyboard can be typed

> |faster).  A careful analysis can reveal the length of

> |passwords and probably some of password itself.

>  =============

>

>

> >> (keys that are physically close together on a keyboard

> >> can be typed faster).

>

>

> I do not agree with that statement.   Using two fingers I can hit the "A"

> and

> "L" keys nearly simultaneously (probably could even hit them simultaneously

> if

> I tried enough).

>

> The statement seems to rely upon the typist being a one-finger typer.