Researchers extract RSA keys from SSH server signing errors

November 20, 2023 at 09:42AM

Academic researchers have discovered that a passive network attacker can recover a server's secret RSA host key from faulty signatures produced during failed SSH connection attempts. The attack exploits hardware faults during signature computation that leave the signature correct modulo one prime factor of the modulus but not the other, which allows the private key to be computed from the bad signature. The researchers recommend validating every signature before sending it to prevent key recovery. Cisco and Zyxel are investigating and mitigating the issue.

Key takeaways from the article are:

1. A team of academic researchers has shown that a passive network attacker can recover an SSH server's secret RSA key from naturally occurring computation errors that produce invalid signatures and failed SSH connection attempts.
2. SSH is a widely used cryptographic network protocol for secure remote access, file transfer and system administration.
3. RSA is a public-key cryptosystem; in SSH it is used for authentication, both of the server (host keys, which this attack targets) and of users. The private key produces signatures that anyone holding the corresponding public key can verify (equivalently, the public key encrypts and the private key decrypts).
4. The researchers demonstrate that hardware errors during signature computation on SSH servers can expose the server's private RSA host key.
5. The Chinese Remainder Theorem (CRT) is commonly used in RSA implementations to speed up private-key operations: the signature is computed separately modulo each prime factor p and q of the modulus and the two halves are recombined. It does not change the size of the key.
6. The attack exploits an error in only one of the two modular computations. The resulting invalid signature is still correct modulo the other prime, and a gcd computation involving the signature and the public modulus recovers that prime and with it the private key.
7. While rare, such errors cannot be ruled out, since they stem from hardware faults; given a large enough pool of observed signatures, some will be faulty and exploitable.
8. The same exposure of RSA secrets was known to affect older TLS versions; TLS 1.3 mitigates it by encrypting the handshake, so a passive observer never sees the signature.
9. Lattice-based techniques extend the attack to SSH, which had previously been assumed safe because the signed value (the padded exchange hash) is not fully known to a passive observer: the padding is known but the hash itself is not, and the lattice step recovers the key from that partially known value.
10. The researchers could not recover keys, by brute force or with lattices, for RSA-1024 with SHA-512, because the 512 unknown hash bits are too many relative to the 1024-bit modulus.
11. Running the analysis on an Intel Xeon E5-2699, the researchers recovered private keys for 189 unique RSA public keys.
12. Most of the recovered keys came from vulnerable network devices, with Zyxel devices contributing the largest number of faulty signatures.
13. The researchers disclosed the issue to Cisco and Zyxel, and both vendors have taken steps to mitigate the risk.
14. Cisco introduced suitable mitigations in Cisco ASA and FTD Software and is exploring additional mitigations in Cisco IOS and IOS XE Software.
15. Zyxel addressed the issue in its ZLD firmware by switching to OpenSSL for signing.
16. To prevent key recovery, the researchers recommend that implementations verify every signature before sending it, as the OpenSSH suite does by relying on OpenSSL for signature generation.
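The CRT fault described in items 5 and 6 and the sign-then-verify guard from item 16, as an added example that is not code from the article, the paper, or any vendor: a textbook CRT-RSA signer, a simulated error in the mod-p half, the gcd recovery of the prime q from that single faulty signature, and a guarded signer that verifies before emitting and falls back to plain (non-CRT) exponentiation on mismatch. The key size, the Miller-Rabin primality test and the message bytes are constructed for the demo; the signed value m is assumed fully known to the attacker, which is the simple gcd case rather than the SSH case with an unknown hash, where the paper's lattice step is needed.

```python
"""Added example (not from the article or the paper): CRT-RSA fault attack
and the sign-then-verify countermeasure. All keys and inputs are constructed."""
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; adequate for a demo key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """RSA key with the CRT parameters (dp, dq, qinv) a server stores for fast signing."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(E, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def encode(msg):
    """Stand-in for the padded hash a server signs. Here m is fully known to the
    attacker (the plain gcd case); in SSH the hash part is unknown and the
    paper's lattice step is required instead."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def crt_sign(key, m, fault_in_p=False):
    """Textbook CRT-RSA signing (Garner recombination); fault_in_p corrupts the mod-p half."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault_in_p:
        sp = (sp + 1) % key["p"]  # simulated hardware error in one half only
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + h * key["q"]


def verify(n, e, m, s):
    return pow(s, e, n) == m


def factor_from_faulty_signature(n, e, m, s):
    """A signature wrong mod p but right mod q satisfies s^e ≡ m (mod q) and
    s^e ≢ m (mod p), so gcd(s^e - m, n) is exactly q."""
    return gcd((pow(s, e, n) - m) % n, n)


def guarded_sign(key, m, fault_in_p=False):
    """Sign-then-verify guard: never emit a signature that fails to verify under
    the public key; recompute without CRT, which a single-half fault cannot corrupt."""
    s = crt_sign(key, m, fault_in_p)
    if verify(key["n"], key["e"], m, s):
        return s
    return pow(m, key["d"], key["n"])


def demo(bits=512):
    key = keygen(bits)
    m = encode(b"constructed exchange hash input")
    good = crt_sign(key, m)
    faulty = crt_sign(key, m, fault_in_p=True)
    return {
        "good_verifies": verify(key["n"], key["e"], m, good),
        "faulty_verifies": verify(key["n"], key["e"], m, faulty),
        "recovered_q": factor_from_faulty_signature(key["n"], key["e"], m, faulty) == key["q"],
        "guarded_equals_good": guarded_sign(key, m, fault_in_p=True) == good,
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to print the four checks. The guard compares the CRT result against m under the public exponent; comparing the two CRT halves against each other would not detect the fault, and repeating the CRT computation could hit the same fault again if the hardware error is persistent, which is why the fallback uses plain modular exponentiation.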
