Uncovering SSH Vulnerability: Extracting RSA Keys from Server Signing Errors

By Threat Analyst

20 November 2023

Recent academic research has uncovered a significant vulnerability in Secure Shell (SSH) servers, a widely used protocol for secure communication in tasks like remote system access, file transfers, and system administration. This vulnerability allows for the extraction of secret RSA keys due to signing errors, posing a serious threat to data security.

The Vulnerability Explained

SSH employs RSA, a public-key cryptosystem, for user authentication. RSA uses a private key to decrypt communications encrypted with a public key. Researchers from universities in California and Massachusetts demonstrated that, under certain conditions, a passive network attacker could retrieve these secret RSA keys from naturally occurring errors during SSH connection attempts. These errors stem from faults in signature computation using the Chinese Remainder Theorem (CRT-RSA), an optimisation that speeds up RSA private-key operations such as decryption and signing. A faulty signature produced this way can expose the private key to an attacker who merely observes it on the wire. For a detailed overview of the vulnerability, see BleepingComputer’s report on the SSH vulnerability.

Exploiting Signature Faults

The attacks exploit computational errors in the RSA algorithm. CRT-RSA computes the signature separately modulo each of the two prime factors and then recombines the halves. If an error occurs while computing modulo one prime factor, the resulting invalid signature is still correct with respect to the other prime factor, and that partial correctness leaks enough information to recover the factorisation. Although rare, these errors are inevitable because of hardware flaws, and an attacker who observes enough signatures will eventually see one. This vulnerability was previously known in older versions of TLS but was addressed in TLS 1.3. However, SSH was assumed to be safe from this attack, a belief that has now been proven false. The efficiency and success rate of these lattice attacks are discussed in RedPacket Security’s coverage of the SSH vulnerability.
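The following added example (not code from the article or from the researchers) shows, with deliberately tiny constructed primes, why a CRT-RSA implementation must verify its own signature before releasing it: a signature that is correct mod p but faulty mod q lets gcd(s^e - m, N) recover p directly. This is the simplest, fully-known-message form of the fault attack; the lattice attack the article mentions extends it to SSH signatures whose hashed input is partly unknown to the observer. Parameter names (P, Q, E, D) and the fault simulation are assumptions of this example.

```python
from math import gcd

# Constructed toy RSA parameters (far too small for real use; illustration only).
P, Q = 1000003, 1000033          # both prime
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent


def sign_crt(m: int, fault_mod_q: bool = False) -> int:
    """CRT-RSA signature of m (m < N).  With fault_mod_q=True the half computed
    modulo Q is corrupted, simulating a hardware fault in one CRT branch."""
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    if fault_mod_q:
        s_q = (s_q + 1) % Q      # simulated fault: wrong mod Q, still correct mod P
    # Garner recombination: s = s_q + Q * ((s_p - s_q) * Q^-1 mod P)
    h = ((s_p - s_q) * pow(Q, -1, P)) % P
    return (s_q + Q * h) % N


def verify(m: int, s: int) -> bool:
    """Public-key check of a signature."""
    return pow(s, E, N) == m % N


def sign_checked(m: int, fault_mod_q: bool = False):
    """Mitigation: verify before release.  A faulty signature is withheld
    (returns None) instead of being sent to the peer."""
    s = sign_crt(m, fault_mod_q)
    return s if verify(m, s) else None


def factor_from_faulty_signature(m: int, s: int) -> int:
    """Why the check matters: if s is correct mod P but wrong mod Q, then
    s^E - m is divisible by P and not by Q, so gcd(s^E - m, N) == P.
    For a correct signature the gcd is N (nothing leaks)."""
    return gcd((pow(s, E, N) - m) % N, N)


if __name__ == "__main__":
    msg = 123456789                              # constructed message digest
    print("good signature released:", sign_checked(msg) is not None)
    print("faulty signature withheld:", sign_checked(msg, fault_mod_q=True) is None)
    leaked = sign_crt(msg, fault_mod_q=True)     # what an unchecked server would emit
    print("factor recovered from faulty signature:",
          factor_from_faulty_signature(msg, leaked) == P)
```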

Impact and Mitigation

The vulnerability primarily affects devices running vulnerable SSH implementations, with the largest number of compromised signatures coming from Zyxel devices. Cisco and Zyxel were informed of the issue; Cisco has implemented mitigations in its ASA and FTD Software and is investigating further mitigations for other software. Zyxel’s newer firmware versions, which use OpenSSL, are not affected by this vulnerability.

Research and Findings

The study, which builds on previous research in TLS security, demonstrates how a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences faults during signature computation. The researchers used a lattice attack to recover the private key from a single faulty signature. Their scans uncovered hundreds of compromised keys across various implementations. The Register provides an insightful analysis of the SSH server private key leakage.

Broader Implications

This finding has broader implications for network security, highlighting the vulnerability of even widely trusted protocols like SSH. It underscores the importance of robust implementation of cryptographic algorithms and the need for continuous vigilance in the face of evolving cyber threats.

Further Reading