A significant vulnerability in the cryptographic keys utilised for computer-to-server SSH (Secure Shell) traffic has been uncovered that arises during the establishment of connections when a computational error occurs, which compromises a large portion of RSA cryptographic keys.
Researchers examined about 200 unique SSH keys scanned on the internet over seven years in a paper titled ‘Passive SSH key compromise via Lattices’. The paper is built on decades of research, tracing back to 1996 and 1997, when researchers initially identified vulnerabilities in RSA signatures resulting from computational errors.
The authors outlined how adversaries can exploit these errors to calculate the private section of the underlying key pairs.
By comparing an improperly formed signature to a valid one, an attacker could execute a greatest common denominator (GCD) mathematical operation, ultimately deriving one of the prime numbers crucial to the security of the key. This led to a series of attacks involving the intentional triggering of glitches during session negotiation, capturing the resulting flawed signature, and eventually compromising the key. Techniques for triggering errors included tampering with a computer’s power supply or using a laser on a smart card.
The recent paper describes an attack overcoming the challenge of missing key material in faulty SSH signatures by employing an advanced cryptanalytic technique based on lattice-based cryptography. Although first described in 2009, this paper demonstrates the practical implementation of the technique in a real-world attack using a naturally occurring corrupted SSH signature to recover the underlying RSA key.
The compromised keys were traced back to devices using custom, closed-source SSH implementations lacking the countermeasures found in widely used open-source libraries like OpenSSH. Manufacturers involved included Cisco, Zyxel, Hillstone Networks, and Mocana. Cisco and Zyxel responded to the researchers’ notification before the study’s completion, while Hillstone responded afterwards.
Once attackers possess the secret key through passive traffic observation, they can launch an active Man-in-the-middle attack against the SSH server, impersonating the server and responding to incoming SSH traffic from clients. This allows them to perform actions such as recovering the client’s login credentials. Similar post-exploit attacks are also possible against IPsec if faults expose their private keys.
As of now, the root cause of the faults is not fully understood, with some researchers linking it to flaws in cryptographic accelerators, as shown in the study from Zyxel and Hillstone.
While the vulnerability is minute in percentage terms, affecting approximately one in a million RSA signatures, its impact is substantial due to the sheer volume of signatures examined, totalling around 1 billion out of 3.2 billion.
The vulnerability specifically targets keys that work on the RSA cryptographic algorithm, constituting approximately one-third of the examined SSH signatures. Contrary to expectations, the researchers found that SSH, a widely used cryptographic protocol in secure shell connections for remote server access, is not immune to such attacks. The vulnerability occurs during the signature generation process when establishing a connection between a client and a server.
What adds to the surprise is that almost all SSH software has employed countermeasures for decades to detect and rectify signature vulnerabilities before sending them over the internet. This includes OpenSSH as well.
The researchers suggest that the findings may prompt a reevaluation of protocols, advocating for additional protection similar to those implemented in the Transport Security Layer (TLS). Since introducing TLS version 1.3 in 2018, the protocol has incorporated encryption for handshake messages during the negotiation of web or email sessions. This serves as an additional barrier in any computational error event.