November 27, 2023 at 08:30AM
Passive network attackers can recover a vulnerable SSH server's private RSA host key by observing signatures corrupted by computational faults during connection establishment, according to a new study. With the recovered key they can impersonate the server, intercept sensitive data, and conduct adversary-in-the-middle attacks. The research highlights the importance of encrypting protocol handshakes, binding authentication to the session, and separating authentication keys from encryption keys. TLS version 1.3, released in 2018, encrypts the handshake, so a passive eavesdropper never sees the server's signature; SSH, by contrast, sends the host signature in the clear during key exchange. The study also identified 189 RSA public keys from devices made by Cisco, Hillstone Networks, Mocana, and Zyxel that were susceptible to the attack.
Key takeaways:
1. Researchers have identified a vulnerability in some SSH server implementations that lets a passive network attacker recover the server's private RSA host key by observing signatures corrupted by computational faults during connection establishment.
2. SSH (Secure Shell) is a protocol for logging into computers and running commands over an untrusted network. It uses public-key cryptography to authenticate the endpoints and symmetric encryption to protect the session.
3. Host keys are the long-lived key pairs that identify an SSH server; during key exchange the server signs the handshake with its host key, and the client checks that signature against the public host key it trusts.
4. CRT-RSA signing computes the signature modulo p and modulo q separately and recombines the two halves. If a fault corrupts one half, the resulting signature s' still satisfies s'^e ≡ m (mod p) but not (mod q), so gcd(s'^e - m, N) reveals a prime factor of N and with it the signer's private key.
5. A passive adversary needs no active role: it records legitimate connections until a faulty signature appears, recovers the key, and can then masquerade as the compromised host and intercept sensitive data.
6. Because an SSH server signs an exchange hash that includes the Diffie-Hellman shared secret, a passive observer knows only part of the signed value and cannot apply the plain gcd step; the researchers instead used a lattice-based key recovery fault attack, and with it retrieved the private keys for 189 unique RSA public keys belonging to devices from Cisco, Hillstone Networks, Mocana, and Zyxel.
7. TLS version 1.3, released in 2018, encrypts the handshake that establishes the connection, so a passive eavesdropper never sees the server's signature, faulty or not.
8. The researchers emphasized the importance of encrypting protocol handshakes, binding authentication to the session, and separating authentication keys from encryption keys.
9. This discovery follows the disclosure of the Marvin Attack, a timing side-channel variant of the ROBOT Attack (itself a return of Bleichenbacher's attack) that exploited weaknesses in PKCS #1 v1.5 to decrypt RSA ciphertexts and forge signatures.
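The fault attack behind items 4, 5 and 6, as an added example that is not from the study or from any of the affected vendors: a toy CRT-RSA signer built on two small Mersenne primes (constructed for this example; far too small for real use) produces one correct and one faulty signature, and the attacker side recovers a factor of N from the faulty one with a single gcd, then rebuilds the private exponent. It assumes the attacker knows the exact signed value, which is the classic Boneh-DeMillo-Lipton setting; in SSH the signed exchange hash depends on the Diffie-Hellman shared secret a passive observer does not have, which is why the study needs the lattice-based variant instead of a plain gcd. The verify-before-release check at the end is the standard countermeasure and is likewise not from the page.

```python
"""Boneh-DeMillo-Lipton fault attack on CRT-RSA signing (toy-sized example code).

A CRT-RSA signer computes s_p = m^d mod p and s_q = m^d mod q separately and
recombines them. If one half is corrupted, the result s' still satisfies
s'^e == m (mod p) but not (mod q), so gcd(s'^e - m, N) reveals p.
"""
import hashlib
from math import gcd

# Toy key from two Mersenne primes, constructed for this example. Real host keys
# are 2048+ bits; this modulus is about 216 bits and offers no security.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def message_representative(data: bytes) -> int:
    """Hash the data and reduce it mod N so it fits the toy modulus.
    (Real RSA signing uses a padded encoding; the attack does not care.)"""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """CRT-RSA signature with Garner recombination.
    fault=True flips one bit of the q-half, simulating the kind of
    computational glitch the study observed in the wild."""
    dp, dq = D % (P - 1), D % (Q - 1)
    q_inv = pow(Q, -1, P)
    s_p = pow(m, dp, P)
    s_q = pow(m, dq, Q)
    if fault:
        s_q ^= 1 << 3          # corrupt only the mod-q half
    h = (q_inv * (s_p - s_q)) % P
    return (s_q + h * Q) % N


def recover_factor(n: int, e: int, m: int, sig: int):
    """Attacker side. Given the public key, the signed value and one observed
    signature, return a nontrivial factor of n if the signature was faulty,
    or None if it was correct (a correct signature leaks nothing)."""
    g = gcd((pow(sig, e, n) - m) % n, n)
    return g if 1 < g < n else None


def private_exponent(n: int, e: int, p: int) -> int:
    """Rebuild d from one recovered factor: the whole host key is now known."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def sign_crt_checked(m: int, fault: bool = False) -> int:
    """Countermeasure: verify with the public key before releasing the
    signature, so a faulty value never reaches the wire."""
    sig = sign_crt(m, fault)
    if pow(sig, E, N) != m:
        raise ValueError("fault detected; signature withheld")
    return sig


if __name__ == "__main__":
    m = message_representative(b"constructed exchange hash input")
    good, bad = sign_crt(m), sign_crt(m, fault=True)
    print("correct signature leaks:", recover_factor(N, E, m, good))
    p = recover_factor(N, E, m, bad)
    print("faulty signature leaks factor:", p,
          "-> rebuilt d matches:", private_exponent(N, E, p) == D)
```

Note that the attacker never touches the signer: the only requirement is seeing one faulty signature and knowing what was signed. The checked signer costs one public-key operation per signature and turns a key-leaking fault into a refused signature, which is exactly the trade the study's recommendations argue for.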