Control: tags -1 + security

Hi Matt,

On Tue, Sep 24, 2024 at 08:55:29PM -0700, Matt Taggart wrote:
> Severity: grave
>
> The paper,
>
> Passive SSH Key Compromise via Lattices
> Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger
> https://eprint.iacr.org/2023/1711.pdf
>
> details an attack that allows a passive observer to potentially compromise
> RSA host keys. They also include details on internet-wide scans to measure
> the prevalence of vulnerable signatures in the wild.

As far as I understand things, a key component in executing the attack is
the CPU of the ssh server making a computational mistake during a modulo
operation involved in creating an RSA signature. The paper mentions that
less than 0.05% of observed signatures were invalid and a fraction of them
allowed key recovery. Isn't this a hardware vulnerability like rowhammer,
spectre or meltdown?

The section about countermeasures indicates that validating the signature
before sending it is one, and furthermore says that OpenSSH includes this
countermeasure via OpenSSL since 2001.

Would you be able to give more detail on why you think this is a grave
problem now?

Helmut
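To make the mechanism discussed in the message above concrete, here is an added example (not part of this bug report, and not OpenSSH or OpenSSL code): a fault in one half of an RSA-CRT signature, a single-GCD recovery of a prime factor, and the verify-before-send countermeasure. It shows the simpler, long-known variant in which the signed value is known to the attacker; the paper's lattice technique extends this to the SSH setting, where a passive observer does not know the signed exchange hash. The toy 512-bit key, the fixed seed, the injected single-bit flip in the mod-p exponentiation, and the use of a bare SHA-256 value as the signed integer (no padding scheme) are all constructed for the demonstration.

```python
"""Faulty RSA-CRT signature -> factor recovery, plus verify-before-send.
Added example with constructed parameters: toy 512-bit key, fixed seed,
one simulated bit flip, SHA-256 value used directly as the signed integer."""
import hashlib
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test (toy key generation, not for production use)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=512, seed=2024):
    """Toy RSA key with CRT parameters; seeded so the run is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def message_int(data, n):
    """Signed value: SHA-256 of the data as an integer (no padding, by assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_crt(key, m, fault_in_p=False):
    """RSA-CRT signing; fault_in_p flips one bit of the mod-p half to simulate
    a computational error in that modular exponentiation."""
    sp = pow(m, key["dp"], key["p"])
    if fault_in_p:
        sp ^= 1
    sq = pow(m, key["dq"], key["q"])
    h = (key["qinv"] * (sp - sq)) % key["p"]  # Garner recombination
    return sq + key["q"] * h


def verify(n, e, m, s):
    return pow(s, e, n) == m


def recover_factor(n, e, m, s):
    """Known-message fault attack: s^e == m (mod q) still holds but the mod-p
    half is wrong, so gcd(s^e - m, n) is q. Returns a factor or None."""
    g = gcd((pow(s, e, n) - m) % n, n)
    return g if 1 < g < n else None


def sign_checked(key, m, fault_in_p=False):
    """Countermeasure: verify the signature before releasing it."""
    s = sign_crt(key, m, fault_in_p)
    return s if verify(key["n"], key["e"], m, s) else None


def demo(seed=2024):
    key = keygen(seed=seed)
    n, e = key["n"], key["e"]
    m = message_int(b"constructed stand-in for an SSH exchange hash", n)
    good = sign_crt(key, m)
    bad = sign_crt(key, m, fault_in_p=True)
    return {
        "good_verifies": verify(n, e, m, good),
        "bad_verifies": verify(n, e, m, bad),
        "factor_from_good": recover_factor(n, e, m, good),
        "factor_from_bad": recover_factor(n, e, m, bad),
        "q": key["q"],
        "checked_sign_blocks_fault": sign_checked(key, m, fault_in_p=True) is None,
    }


if __name__ == "__main__":
    r = demo()
    print("faulty signature leaks q:", r["factor_from_bad"] == r["q"])
    print("verify-before-send suppresses it:", r["checked_sign_blocks_fault"])
```

A correct signature yields gcd(0, n) = n and leaks nothing; the one with the faulted mod-p half yields exactly q, from which d follows. `sign_checked` shows the countermeasure the message refers to: the faulty signature is never emitted, so an observer has nothing to work with.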