...passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation.
...RSA digital signatures can reveal a signer’s secret key if a computational or hardware fault occurs during signing with an unprotected implementation using the Chinese Remainder Theorem and a deterministic padding scheme like PKCS#1 v1.5. This attack requires only a single faulty signature, the public key, and a single GCD computation, and it has been exploited extensively in the cryptographic side channel literature on active fault attacks
...research identified four manufacturers of devices susceptible to this key recovery attack. We disclosed the issue to Cisco on February 7, 2023 and to Zyxel on March 1, 2023.
Credits:
------------------------------------------------
Keegan Ryan
kryan@ucsd.edu
University of California, San Diego
La Jolla, California, USA
Kaiwen He
khe01@mit.edu
University of California, San Diego
La Jolla, California, USA
Massachusetts Institute of Technology
Cambridge, Massachusetts, USA
George Arnold Sullivan
gsulliva@ucsd.edu
University of California, San Diego
La Jolla, California, USA
Nadia Heninger
nadiah@cs.ucsd.edu
University of California, San Diego
La Jolla, California, USA
CCS ’23, November 26–30, 2023, Copenhagen, Denmark
© 2023 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0050-7/23/11.
[/HIDE]