SSH Security Breach: Researchers Discover Vulnerability in Crypto Keys

A team of researchers from the University of California, San Diego, and the Massachusetts Institute of Technology has uncovered a significant security vulnerability in the cryptographic keys used to safeguard data in SSH connections.

This vulnerability manifests during computational errors in the connection establishment process, affecting keys that employ the RSA algorithm. The issue pertains to approximately one billion out of 3.2 billion examined signatures (over 30%), with one in a million signatures potentially exposing a host’s private key.

The discovery is remarkable, as most SSH software, including OpenSSH, has long implemented countermeasures for signature verification errors. It was previously believed that SSH traffic was secure against such attacks, unlike the TLS protocol.

Keegan Ryan, one of the study’s authors, emphasized that even rare instances of key leakage are significant, given the vast volume of internet traffic. He asserts the necessity of protection against such occurrences, as a single incorrect signature could reveal a key.

The new study demonstrates that passive attacks on SSH and IPsec are feasible thanks to lattice attacks, which allow key reconstruction from a faulty signature. This enables an attacker to monitor connections and intercept data as soon as a suitable error is detected.

An analysis of extensive SSH and IPsec data revealed several vulnerable implementations linked to hardware faults. Of the 5.2 billion SSH records examined, more than 590,000 invalid RSA signatures were found, leading to the retrieval of private keys for 189 unique RSA public keys.

The compromised keys were associated with devices using individual private SSH implementations, lacking standard countermeasures. Among the manufacturers of these devices are Cisco, Zyxel, Hillstone Networks, and Mocana.

Ryan stated that the causes of these errors could be varied, including software glitches and hardware malfunctions. He underscores the importance of countermeasures that detect and suppress such errors.

The study confirms the need for developing more robust protocols and implementations to protect against computational errors, akin to the protection provided by TLS 1.3 and some configurations of IPsec.