This whitepaper demonstrates that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. The paper shows that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. The authors provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use their attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations.
481aab67e2963f899f4d0981c2be3f03e3ff14965119cb78e929b36c27b58597This paper investigates the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, they present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, the researchers implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, they can compute arbitrary discrete logs in that group in about a minute. They found that 82% of vulnerable servers use a single 512-bit group, allowing them to compromise connections to 7% of Alexa Top Million HTTPS sites. They go on to consider Diffie-Hellman with 768- and 1024-bit groups. They estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. They conclude that moving to stronger key exchange methods should be a priority for the Internet community.
34229b5a84df1c71f6a8f6c2fbd22fb444d37a13ea7fdfe2f50f3fe60983e984
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed