[Resource Topic] 2023/1711: Passive SSH Key Compromise via Lattices

Welcome to the resource topic for 2023/1711

Passive SSH Key Compromise via Lattices

Authors: Keegan Ryan, Kaiwen He, George Arnold Sullivan, Nadia Heninger


We demonstrate that a passive network attacker can opportunistically obtain private RSA host keys from an SSH server that experiences a naturally arising fault during signature computation. In prior work, this was not believed to be possible for the SSH protocol because the signature included information like the shared Diffie-Hellman secret that would not be available to a passive network observer. We show that for the signature parameters commonly in use for SSH, there is an efficient lattice attack to recover the private key in case of a signature fault. We provide a security analysis of the SSH, IKEv1, and IKEv2 protocols in this scenario, and use our attack to discover hundreds of compromised keys in the wild from several independently vulnerable implementations.

ePrint: https://eprint.iacr.org/2023/1711

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .