Private RSA Key Extraction Research: In a recent study, researchers have uncovered a concerning vulnerability that allows passive network attackers to potentially access private RSA host keys from susceptible SSH servers. This exploit capitalizes on the observation of natural computational faults occurring during the connection establishment process.
Delving into the technical landscape, the Secure Shell (SSH) protocol, a crucial tool for securely transmitting commands and logging into computers over unsecured networks, relies on a client-server architecture. The bedrock of SSH lies in its adept use of cryptography to authenticate and encrypt connections between devices.
At the heart of this issue is the host key, a cryptographic key integral to authenticating computers in the SSH protocol. Generated using public-key cryptosystems like RSA, the vulnerability arises when a signing implementation using CRT-RSA encounters a fault during signature computation. In simpler terms, an attacker, through astute observation of such faults, could potentially unravel the private key of the signer.
Imagine a passive adversary quietly observing legitimate connections, patiently waiting for a faulty signature to expose the coveted private key. This revelation opens the door for the malicious actor to seamlessly pose as the compromised host, a gateway for intercepting sensitive data and executing adversary-in-the-middle (AitM) attacks.
The researchers aptly termed this method a lattice-based key recovery fault attack, successfully extracting private keys linked to 189 unique RSA public keys associated with devices from prominent manufacturers like Cisco, Hillstone Networks, Mocana, and Zyxel.
However, amidst these security concerns, there’s a glimmer of hope. The release of TLS version 1.3 in 2018 acts as a formidable countermeasure by encrypting the handshake during connection establishment. This proactive step thwarts passive eavesdroppers from accessing signatures and provides a safeguard against such vulnerabilities.
The researchers emphasized the broader implications of these findings, stating, “These attacks vividly illustrate the importance of several cryptography design principles: encrypting protocol handshakes immediately after negotiating a session key to protect metadata, binding authentication to a session, and segregating authentication from encryption keys.”
In the backdrop of this revelation, it’s worth noting that the security community is still grappling with the aftermath of the Marvin Attack. This variant of the ROBOT Attack, disclosed two months prior, exploits vulnerabilities in PKCS #1 v1.5, enabling threat actors to decrypt RSA ciphertexts and forge signatures. These developments underscore the ever-evolving landscape of cybersecurity, urging a collective effort to fortify our digital defenses against emerging threats.