Passive SSH Key Compromise via Lattices

Keegan Ryan; Kaiwen He; George Arnold Sullivan; Nadia Heninger

Paper 2023/1711

Passive SSH Key Compromise via Lattices

Keegan Ryan

, University of California, San Diego

Kaiwen He

, University of California, San Diego, Massachusetts Institute of Technology

George Arnold Sullivan

, University of California, San Diego

Nadia Heninger

, University of California, San Diego

Abstract

We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Published elsewhere. ACM CCS 2023
DOI: 10.1145/3576915.3616629
Keywords: RSA cryptanalysis lattices
Contact author(s): kryan @ ucsd edu
khe01 @ mit edu
gsulliva @ ucsd edu
nadiah @ cs ucsd edu
History: 2023-11-06: approved; 2023-11-05: received; See all versions
Short URL: https://ia.cr/2023/1711
License: CC BY

BibTeX

@misc{cryptoeprint:2023/1711,
      author = {Keegan Ryan and Kaiwen He and George Arnold Sullivan and Nadia Heninger},
      title = {Passive SSH Key Compromise via Lattices},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1711},
      year = {2023},
      doi = {10.1145/3576915.3616629},
      note = {\url{https://eprint.iacr.org/2023/1711}},
      url = {https://eprint.iacr.org/2023/1711}
}