Passive SSH key compromise via lattices
Author(s)
Ryan, Keegan; He, Kaiwen; Sullivan, George; Heninger, Nadia
Publisher with Creative Commons License
Creative Commons Attribution
Abstract
We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations.
Date issued
2023-11-15
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
ACM | Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Citation
Ryan, Keegan, He, Kaiwen, Sullivan, George and Heninger, Nadia. 2023. "Passive SSH key compromise via lattices."
Version: Final published version