Passive SSH key compromise via lattices

• dc.contributor.author: Ryan, Keegan
• dc.contributor.author: He, Kaiwen
• dc.contributor.author: Sullivan, George
• dc.contributor.author: Heninger, Nadia
• dc.date.issued: 2023-11-15
• dc.identifier.uri: https://hdl.handle.net/1721.1/153136
• dc.description.abstract: We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations.
• dc.publisher: ACM|Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
• dc.relation.isversionof: https://doi.org/10.1145/3576915.3616629
• dc.source: Association for Computing Machinery
• dc.type: Article
• dc.identifier.citation: Ryan, Keegan, He, Kaiwen, Sullivan, George and Heninger, Nadia. 2023. "Passive SSH key compromise via lattices."
• dc.contributor.department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
• dc.identifier.mitlicense: PUBLISHER_CC
• dc.eprint.version: Final published version
• dc.language.rfc3066: en