Protecting wolfSSH from Passive SSH Key Compromise

About the Compromise

Recently, a team led by Keegan Ryan from UCSD discovered that several implementations of the SSH protocol have been potentially leaking information about their keys and they came up with a way of exploiting it.

Every now and then, an RSA signature is made with a combination of padding and data that doesn’t verify correctly. If one saves billions of SSH signatures they can analyze the broken signatures and work out some keys.

The team released a paper [1] describing the issue and how it can be analyzed to obtain keys.

The wolfSSH Vulnerability

While wolfSSL verifies an RSA signature after producing it, and erroring out if it doesn’t verify, wolfSSH does not do this process. The compromise has not been proven against wolfSSH, the assumption is that it is possible. wolfSSH did not verify the RSA signatures after generation.

The Fix

As of wolfSSH v1.4.15, just released, we have added the verify step for RSA signatures. Luckily the time to verify an RSA signature is short compared to signing so there shouldn’t be a noticeable slowdown during the key exchange process.

References

  1. Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023. Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive, Report 2023/1711. https://eprint.iacr.org/2023/1711.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now