A team of academic researchers from universities in California and Massachusetts demonstrated that it's possible under certain conditions for passive network attackers to retrieve secret RSA keys from naturally occurring errors leading to failed SSH connection attempts. SSH is a cryptographic network protocol for secure communication, widely employed in remote system access, file transfers, and system administration tasks. RSA is a public-key cryptosystem used in SSH for user authentication. It uses a private, secret key to decrypt communication that is encrypted with a public, shareable key. A paper published by university researchers Keegan Ryan, Kaiwen He, Nadia Heninger, and George Arnold Sullivan, shows that it's possible for a passive network attacker to obtain a private RSA key from SSH servers experiencing faults during signature computation. "If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer's private key," the researchers say in the technical paper. The Chinese Remainder Theorem is used with the RSA algorithm to lower the bit size for the public key and speed up the decryption time. "These attacks exploit the fact that if an error is made while computing modulo one prime, say q, then the resulting invalid signature"s" is equivalent to the correct signature modulo one prime factor p, but not q," the researchers further explain. Given a large enough pool of data, an attacker can find and leverage many opportunities for exploitation. It was addressed in TLS 1.3 by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from reading the signatures. SSH was previously assumed to be safe from this attack but the researchers proved that it is possible to retrieve RSA secrets using lattice-based attacks that recover the private key from partially known nonces. The researchers note that their tests do not include results "For RSA-1024,SHA512 because the number of unknown bits in the hash is well beyond what we can brute force or solve with lattices." Using their lattice attack, the researchers managed to find 4,962 invalid signatures that revealed the factorization of the corresponding RSA public key, thus allowing the retrieval of private keys corresponding to 189 unique RSA public keys. Many of the retrieved secrets came from devices with vulnerable implementations, the largest number of signatures coming from Zyxel devices. The researchers disclosed the issue to Cisco and Zyxel earlier this year and the vendors investigated for the cause. The company told the researchers that it was looking into mitigations in Cisco IOS and IOS XE Software. Zyxel found that the ZLD firmware version the researchers used in the experiment had switched to using OpenSSL, which eliminates the risk. The researchers warn that if signing implementations using the Chinese Remainder Theorem algorithm with RSA have a fault when computing the signature, an attacker observing the signature may be able to computer the signer's private key. To counter an attacker's ability to retrieve the secret key, the researchers recommend implementations that validate signatures before sending them, such as the OpenSSH suite that relies on OpenSSL to generate signatures. New Marvin attack revives 25-year-old decryption flaw in RSA. Bounty offered for secret NSA seeds behind NIST elliptic curves algo.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000