Uncovering a Passive Approach to Extracting Private RSA Keys from SSH Tunnels

A recent study has shed light on the potential for passive network attackers to obtain Private RSA Keys from SSH Tunnels. This is achieved by capitalizing on the identification of inherent computational issues that surface during the connection establishment process.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

The Secure Shell (SSH) protocol serves as a secure method for transmitting commands and facilitating remote login to a computer system across an untrusted network. The Secure Shell (SSH) is a network protocol that uses cryptographic techniques to verify the authenticity of users and encrypts data transmissions within a client-server framework.

The Secure Shell (SSH) protocol makes use of a host key as a cryptographic element for authenticating computers. Public-key cryptosystems, like the widely employed RSA algorithm, are frequently utilized in generating host keys, forming a pair of cryptographic keys.

In a recent publication, scholars from UC San Diego and MIT have asserted that in the event of a problem during signature calculation in a signing implementation using CRT-RSA, an adversary with access to the resulting signature may be capable of calculating the signer’s private key. This underscores the potential vulnerability associated with computational hiccups in the cryptographic processes employed by SSH.

Essentially, an adversary, not actively compromising the system, can discreetly observe legitimate connections without raising suspicion. They remain undetected until they detect an error in the signature, thereby exposing the private key. This vulnerability leads to a form of attack known as an adversary in the middle (AitM), where an individual with malicious intent adopts the identity of a trusted host to illicitly acquire sensitive information.

The researchers successfully executed a “lattice-based key recovery fault attack” to recover the private keys associated with 189 unique RSA public keys. These keys were subsequently traced back to devices manufactured by Cisco, Hillstone Networks, Mocana, and Zyxel.

It’s essential to acknowledge that TLS 1.3, introduced in 2018, offers a protective safeguard by employing encryption during the handshake process for connection establishment. This encryption renders it unfeasible for passive eavesdroppers to access signatures.

According to the investigators, these attacks serve as a tangible demonstration of the significance of various design principles in the field of cryptography. Specifically, they highlight the importance of promptly encrypting protocol handshakes to safeguard metadata once a session key has been agreed upon. Additionally, the attacks underscore the necessity of linking authentication to a session and the separation of authentication from encryption keys. This emphasis on cryptographic best practices is vital for maintaining the integrity and security of sensitive information in digital communication.

The Marvin Attack was discovered roughly two months after the emergence of the ROBOT (Return Of Bleichenbacher’s Oracle Threat) Attack. This exploit empowers adversaries to decrypt RSA ciphertexts and produce counterfeit signatures by leveraging vulnerabilities in PKCS #1 v1.5.

In conclusion, as the cybersecurity landscape continually evolves, researchers, developers, and industry practitioners must collaborate in fortifying cryptographic protocols against emerging threats like the Marvin and ROBOT attacks. Staying ahead of vulnerabilities ensures the ongoing integrity and security of digital communication systems.