MORE FUN WITH LATTICE-BASED CRYPTOGRAPHY — In a first, cryptographic keys protecting SSH connections stolen in new attack An error as small as a single flipped memory bit is all it takes to expose a private key.
Dan Goodin – Nov 13, 2023 12:30 pm UTC EnlargeGetty Images reader comments 91 with
For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.
Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.
The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.
While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasonsmost notably because most SSH software in useincluding OpenSSHhas deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLSor Transport Layer Securityprotocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackersmeaning adversaries simply observing traffic as it goes bycouldnt see some of the necessary information when the errors happened. Advertisement
The researchers noted that since the 2018 release of TLS version 1.3, the protocol has encrypted handshake messages occurring while a web or email session is being negotiated. That has acted as an additional countermeasure protecting key compromise in the event of a computational error. Keegan Ryan, a researcher at the University of California San Diego and one of the authors of the research, suggested it may be time for other protocols to include the same additional protection.
In an email, Ryan wrote: Even though the SSH protocol has been around for almost 18 years and is extremely widely deployed, were still finding new ways to exploit errors in cryptographic protocols and identifying vulnerable implementations. In our data, about one in a million SSH signatures exposed the private key of the SSH host. While this is rare, the massive amount of traffic on the Internet implies that these RSA faults in SSH happen regularly. Even though the vast majority of SSH connections are not affected, its still important that these failures are defended against. It only takes one bad signature in an unprotected implementation to reveal the key.
Its fortunate that the most popular SSH implementations include countermeasures to prevent RSA signature faults from leading to catastrophic key leakage, but implementations that did not were still common enough to appear in our data.
The new findings are laid out in a paper published earlier this month titled “Passive SSH Key Compromise via Lattices.” It builds on a series of discoveries spanning more than two decades. In 1996 and 1997, researchers published findings that, taken together, concluded that when naturally occurring computational errors resulted in a single faulty RSA signature, an adversary could use it to compute the private portion of the underlying key pair. Page: 1 2 3 Next → reader comments 91 with Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Promoted Comments jack1983 A link in this article, to a Wikipedia page on Man In the Middle attacks, is labeled as a "malory in the middle" attack. But, um, the Wikipedia page does not use the term "malory". I am confused by use of the word "malory".
Typo? Or am I missing something?Yes, it should read "Malcolm in the Middle". November 13, 2023 at 1:01 pm Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars