Experts discover passive method of extracting private RSA keys from SSH connections

by Vikash Kumawat

A new study has shown that it is possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing naturally occurring computational errors when a connection is established.

The Secure Shell (SSH) protocol is a method of securely transmitting commands and logging into a computer over an unsecured network. Based on a client-server architecture, SSH uses cryptography to authenticate and encrypt connections between devices.

The host key is a cryptographic key used to authenticate a computer in the SSH protocol. Host keys are key pairs that are typically generated using a public-key cryptosystem such as RSA.

“If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer’s private key,” a group of academics from the University of California, San Diego, and Massachusetts Institute of Technology said in a paper this month.

In other words, a passive adversary can quietly watch legitimate connections without risking detection until it observes a faulty signature that exposes the private key. The bad actor can then pose as the compromised host to intercept sensitive data and conduct adversary-in-the-middle (AitM) attacks.
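As an added illustration (not code from the article or the cited paper), the block below shows the textbook gcd form of the CRT-RSA fault attack the quoted sentence refers to, next to the standard signer-side countermeasure of verifying every signature before it is released; the key primes, exponent and message are constructed and deliberately tiny, and the paper's lattice-based method generalizes the same idea.

```python
# Added example: why one faulty CRT-RSA signature leaks the signer's private key,
# and how "verify before release" stops the leak. Constructed toy parameters only;
# real keys are 2048+ bits and are generated, never hard-coded.
from math import gcd

P, Q, E = 104729, 1299709, 65537          # constructed toy primes and public exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent d = e^-1 mod phi(N)


def crt_sign(m: int, inject_fault: bool = False) -> int:
    """Signature s = m^d mod N via the two half-size CRT exponentiations.
    inject_fault=True corrupts only the mod-q half, simulating the kind of
    naturally occurring computational error the article describes."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if inject_fault:
        sq = (sq + 1) % Q                 # a single wrong value in one CRT half
    q_inv = pow(Q, -1, P)
    h = (q_inv * (sp - sq)) % P           # Garner recombination
    return sq + h * Q                     # s is correct mod p, wrong mod q if faulty


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e mod N must equal the signed value."""
    return pow(s, E, N) == m


def recover_factor_from_faulty_signature(m: int, s: int) -> int:
    """Lenstra's observation: a signature faulty only in the mod-q half still
    satisfies s^e == m (mod p) but not (mod q), so gcd(s^e - m, N) is p."""
    return gcd((pow(s, E, N) - m) % N, N)


def guarded_sign(m: int, inject_fault: bool = False):
    """Countermeasure: never emit a signature that fails verification. A passive
    observer of the handshake then never sees a usable faulty signature."""
    s = crt_sign(m, inject_fault)
    return s if verify(m, s) else None


MSG = 123456789   # constructed stand-in for the hashed, padded handshake transcript
```

Running the faulty path shows that `recover_factor_from_faulty_signature` returns P from a single bad signature, while `guarded_sign` returns `None` for the same fault instead of leaking it.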

The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.

It is worth noting that the release of TLS version 1.3 in 2018 acts as a countermeasure by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from accessing the signature.

“These attacks provide a concrete illustration of the value of several design principles in cryptography: encrypting protocol handshakes as soon as a session key is negotiated to protect metadata, binding authentication to a session, and separating authentication from encryption keys,” the researchers said.

The findings come two months after the disclosure of the Marvin Attack, a variant of the ROBOT (short for “Return Of Bleichenbacher’s Oracle Threat”) attack that allows a threat actor to decrypt RSA ciphertexts and forge signatures by exploiting security weaknesses in PKCS #1 v1.5.
