Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections


Nov 27, 2023NewsroomServer Security / Encryption

A new study has demonstrated that it’s possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established.

The Secure Shell (SSH) protocol is a method for securely transmitting commands and logging in to a computer over an unsecured network. Based on a client-server architecture, SSH uses cryptography to authenticate and encrypt connections between devices.

A host key is a cryptographic key used for authenticating computers in the SSH protocol. Host keys are key pairs that are typically generated using public-key cryptosystems like RSA.


“If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer’s private key,” a group of academics from the University of California, San Diego, and Massachusetts Institute of Technology said in a paper this month.

In other words, a passive adversary can quietly keep track of legitimate connections without risking detection until they observe a faulty signature that exposes the private key. The bad actor can then masquerade as the compromised host to intercept sensitive data and stage adversary-in-the-middle (AitM) attacks.

The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.

It’s worth noting that the release of TLS version 1.3 in 2018 acts as a countermeasure by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from accessing the signatures.


“These attacks provide a concrete illustration of the value of several design principles in cryptography: encrypting protocol handshakes as soon as a session key is negotiated to protect metadata, binding authentication to a session, and separating authentication from encryption keys,” the researchers said.

The findings come two months after the disclosure of Marvin Attack, a variant of the ROBOT (short for “Return Of Bleichenbacher’s Oracle Threat”) Attack which allows a threat actor to decrypt RSA ciphertexts and forge signatures by exploiting security weaknesses in PKCS #1 v1.5.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

U.K. Hacker Linked to Notorious Scattered Spider Group Arrested in Spain
WeLiveSecurity wins Best Cybersecurity Vendor Blog award!
Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan
Phishing Attacks Targeting US and European Organizations Double
Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters

Leave a Reply

Your email address will not be published. Required fields are marked *