They discover a method that allows recreating RSA keys by analyzing SSH connections


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise cause problems.

A few days ago, the news broke that a team of researchers from the University of California, San Diego has shown that the private RSA host key of an SSH server can be recovered through passive analysis of SSH traffic.

The published research shows that when RSA-based digital signatures are used in SSH, lattice-based fault attacks that recover the private RSA key from signatures become applicable whenever a software or hardware fault occurs during the signature computation. The essence of the method is that by comparing correct and incorrect RSA digital signatures, one can compute a greatest common divisor that yields one of the prime numbers used to generate the key.

RSA is based on modular exponentiation of a large number, and the public key consists of the modulus and the public exponent. The modulus is the product of two random prime numbers that only the owner of the private key knows. The attack applies to RSA implementations that use the Chinese remainder theorem (CRT) together with a deterministic padding scheme such as PKCS#1 v1.5.
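To make the fault-to-gcd step concrete, here is a small added example (not code from the researchers or from any SSH implementation), using a toy RSA-CRT signer with constructed tiny primes. It assumes the analyst knows the signed value, which is the simplest case; the lattice step the researchers use to cope with partially unknown signed data is not reproduced. The same block also shows the verify-before-release self-check that keeps a faulty signature from ever leaving the signer.

```python
import hashlib
from math import gcd

# Constructed toy key: two small, well-known primes (far too small for real use).
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT precomputations used by the signer; the fault model below hits this path.
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

def padded_digest(message: bytes) -> int:
    """Deterministic padding stand-in: the signed value is a fixed function of
    the message, so anyone who sees the message can recompute it (as with
    PKCS#1 v1.5 in the real protocol). Simplified for the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def crt_sign(m: int, fault: bool = False) -> int:
    """RSA-CRT signature (Garner recombination). With fault=True the mod-q
    half is corrupted by a single bit, modelling a DRAM/NVRAM bit flip or a
    wrong arithmetic result during the signature computation."""
    sp, sq = pow(m, DP, P), pow(m, DQ, Q)
    if fault:
        sq ^= 1
    return sq + Q * ((QINV * (sp - sq)) % P)

def verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m

def guarded_sign(m: int, fault: bool = False):
    """Countermeasure: verify before release. The signer checks its own output
    with the public key and emits nothing if the check fails (returns None;
    a real signer would abort the handshake instead of sending a signature)."""
    s = crt_sign(m, fault)
    return s if verify(m, s) else None

def recover_factor(m: int, faulty_sig: int) -> int:
    """Analyst's step on an observed faulty signature: s^e - m is 0 mod p
    (the correct half) but not mod q, so the gcd with N isolates p."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)

if __name__ == "__main__":
    m = padded_digest(b"constructed SSH exchange hash")
    good, bad = crt_sign(m), crt_sign(m, fault=True)
    print("good verifies:", verify(m, good), "| faulty verifies:", verify(m, bad))
    print("factor recovered from faulty signature:", recover_factor(m, bad) == P)
    print("guarded signer emitted:", guarded_sign(m, fault=True))
```

With a correct signature the gcd is just N, so the leak exists only when a faulty signature reaches the wire; the guarded signer never lets one out.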

An attack can be carried out against servers on which, through a combination of circumstances or actions by the attacker, faults occur while the digital signature is computed during SSH connection setup. The faults may be software related (incorrect execution of mathematical operations, memory corruption) or hardware related (errors in NVRAM or DRAM, or failures during power outages).

One way to induce such faults would be RowHammer-class attacks, which, among other things, can be triggered remotely or by JavaScript running in a browser and flip individual memory bits through intensive repeated reads of neighbouring memory cells. Another would be exploiting vulnerabilities that cause buffer overflows and corrupt key material in memory.

To carry out the attack, it is enough to passively monitor legitimate connections to the SSH server until a faulty digital signature appears in the traffic; that signature is the source of information from which the RSA private key is reconstructed. Once the host's RSA key has been recovered, an attacker can mount a MITM attack to silently redirect requests to a fake host impersonating the compromised SSH server and intercept the data sent to it.

By examining a collection of intercepted network data containing approximately 5.2 billion records associated with the SSH protocol, the researchers identified approximately 3.2 billion public host keys and digital signatures used during SSH session negotiation. Of these, 1.2 billion (39.1%) were generated with the RSA algorithm.

The group of researchers mentions that:

In 593,671 cases (0.048%) the RSA signature was corrupted and could not be verified, while for 4,962 failed signatures we were able to use the lattice factorization method to determine the private key from the known public key, resulting in the reconstruction of 189 unique RSA key pairs (in many cases the same failed keys and devices were used to generate different corrupted signatures). It took approximately 26 CPU hours to recreate the keys.

The issue only affects specific implementations of the SSH protocol, mainly those used in embedded devices. OpenSSH is noted not to be affected, because it relies on the OpenSSL (or LibreSSL) library for its RSA operations, which has been protected against fault attacks since 2001.

Additionally, in OpenSSH the ssh-rsa digital signature scheme (based on SHA-1) has been deprecated since 2020 and was disabled in version 8.8 (support for the rsa-sha2-256 and rsa-sha2-512 schemes remains). The attack could potentially apply to the IPsec protocol as well, but the researchers did not have enough experimental data to confirm such an attack in practice.

Finally, if you would like to know more, you can consult the details at the following link
