A recent study showcased a method through which passive network attackers can acquire private RSA host keys from susceptible SSH servers by exploiting computational faults during the connection establishment process.
SSH, a secure network transmission protocol, relies on cryptography for secure connections and uses host keys, generated through public-key systems like RSA, for authenticating computers.
Researchers from the University of California, San Diego, and the Massachusetts Institute of Technology detailed in their paper how faults in the signing computation (particularly in CRT-RSA implementations) let an observer deduce the signer’s private key. An attacker need only passively observe legitimate connections until a single faulty signature appears; that one signature is enough to reveal the private key.
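The following is an added illustration of the mechanism described above, not code from the paper or from any affected vendor. It uses a constructed toy RSA key (small primes, for demonstration only) to show a CRT signer with a simulated fault in one half of the computation, why an unverified faulty signature with a known message leaks a factor of the modulus, and the standard mitigation: verify the signature before releasing it.

```python
from math import gcd

# Constructed toy key for demonstration only (tiny primes, not a real key).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def sign_crt(m, fault=False):
    """CRT-RSA signing: compute mod P and mod Q, then recombine.
    `fault=True` simulates a computation error in the mod-Q half."""
    dp, dq = D % (P - 1), D % (Q - 1)
    qinv = pow(Q, -1, P)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault:
        sq = (sq + 1) % Q  # simulated error: the mod-Q half is wrong
    h = (qinv * (sp - sq)) % P  # Garner recombination
    return sq + Q * h


def verify(m, s):
    """Standard RSA verification: s^e must equal the message mod N."""
    return pow(s, E, N) == m % N


def leaked_factor(m, s):
    """What a faulty signature exposes to anyone who sees it with the
    message: the half that was computed correctly still satisfies
    s^e = m modulo that prime, so gcd(s^e - m, N) isolates it.
    Returns None for a correct signature (gcd is N, nothing leaks)."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_hardened(m, fault=False):
    """Mitigation: self-check the signature and never release one that
    fails verification. Returns None instead of a faulty signature."""
    s = sign_crt(m, fault)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 12345678  # constructed message, already below N
    good, bad = sign_crt(msg), sign_crt(msg, fault=True)
    print("correct signature verifies:", verify(msg, good))
    print("faulty signature verifies:", verify(msg, bad))
    print("faulty signature leaks factor p:", leaked_factor(msg, bad) == P)
    print("hardened signer releases faulty signature:", sign_hardened(msg, fault=True) is not None)
```

The same self-check is what real implementations apply after CRT-RSA signing; with it in place a computation fault produces a failed handshake rather than a key-leaking signature on the wire.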
This method enables adversaries to impersonate compromised hosts, intercept sensitive data, and conduct adversary-in-the-middle (AitM) attacks without immediate detection.
The study successfully retrieved private keys corresponding to 189 RSA public keys associated with devices from Cisco, Hillstone Networks, Mocana, and Zyxel.
TLS version 1.3, introduced in 2018, combats such attacks by encrypting the connection-establishing handshake, barring passive eavesdroppers from accessing signatures.
The researchers emphasized the importance of encrypting protocol handshakes, binding authentication to sessions, and segregating authentication from encryption keys as essential cryptographic design principles.
This revelation follows the recent disclosure of the Marvin Attack, a variant of the ROBOT Attack, exploiting security weaknesses in PKCS #1 v1.5 to decrypt RSA ciphertexts and forge signatures.