Experts Discover Passive Method to Obtain Private RSA Keys from SSH Connections

Nov 27, 2023NewsroomServer Security / Encryption

A new study shows that it is possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing what happens naturally. computational errors which occurs while the connection is being established.

The Secure Shell (SSH) protocol is a method for securely sending commands and logging into a computer using an unsecured network. Based on a client-server architecture, SSH uses cryptography to authenticate and encrypt connections between devices.

A host key a cryptographic key used for authenticating computers over the SSH protocol. Host keys are key pairs typically created using public-key cryptosystems such as RSA.


“If the implementation of signing using CRT-RSA has an error during the computation of the signature, an attacker looking at this signature can calculate the private key of the signer,” a group of academics from the University of California, San Diego, and the Massachusetts Institute of Technology SAYS in a paper this month.

In other words, a passive adversary can silently trace legitimate connections without risk of detection until they observe a false signature that reveals the private key. The bad actor can then impersonate the compromised host to intercept sensitive data and conduct adversary-in-the-middle (AitM) attacks.

The researchers described the method as a lattice-based key recovery fault attack, which allowed them to obtain private keys corresponding to 189 unique RSA public keys that were subsequently tracked by devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.

It is worth noting that the release of TLS version 1.3 in 2018 acts as a countermeasure by encrypting the handshake that establishes the connection, thus preventing passive eavesdroppers from accessing signatures.


“These attacks provide a concrete illustration of the value of several cryptographic design principles: encryption of protocol handshakes when a session key is negotiated to protect metadata, binding to authenticate a session, and separate authentication from encryption keys,” the researchers said.

The findings come two months after the disclosure of the Marvin’s attacka variant of ROBOT (short for “Return Of Bleichenbacher’s Oracle Threat”) Attack that allows a threat actor to decrypt RSA ciphertexts and forge signatures by exploiting security weaknesses in PKCS #1 v1.5.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment