This is starting out with a warning: this article is really, REALLY deep computer security stuff, DO NOT dig into it if you don't have a minimal understanding of network encryption, SSH, RSA, etcetera! YOU WILL BE LOST!
RSA is pretty much a deprecated encryption technique. While it was good in its day, it's somewhat broken and has been superseded by better methodologies, both because technology moves ever onward and because it's broken. Apparently it's mainly in use in old systems where companies haven't bothered to replace it: 'If it ain't broke, leave it alone', and they just haven't budgeted the funds and time to get it done.
People who try to break computer security have found an interesting way to break RSA even worse. They monitor and sit and wait. The first thing that happens when establishing an SSH connection (and other secure types of connections) is a handshake - the computers send a few packets back and forth, exchange keys (encryption certificates), and get to know each other (proverbially). This handshake process is supposed to be encrypted and secured and not easily spied upon. Except sometimes it isn't.
Computers make mistakes. Sometimes the process that encrypts the handshake fails (it can be a memory bit failure), and this can reveal part of one of the private keys that provide the encryption for the handshake. These keys are generated by multiplying very large prime numbers. If you recover one of the keys, you can then recover the other key by dividing by great whomping big prime numbers. Once you break that, you have access to the certificates that created the secure connection, and you can now sit in the middle and impersonate all traffic of either host.
This is what people in computer security call BAD.
OpenSSH applied fixes to try to prevent it, but some major vendors, including Cisco, roll their own code and were quite vulnerable to this problem. They might have fixed it, but when you're running closed-source software (where you've written your own code), rather than relying on open-source software where there are tons of eyes looking for problems and testing, it's often weaker than the open-source version such as OpenSSH.
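As an added illustration (not part of the original post or the linked article), the toy Python below shows why a single faulty RSA-CRT signature lets an observer recover one prime factor with a gcd, and the verify-before-release check a hardened signer uses so a corrupted signature never leaves the host. The primes, message and injected bit flip are constructed toy values; the check-before-release countermeasure is the standard one for this class of fault (OpenSSH has long had it), stated here as background rather than something the post spells out.

```python
# Added example, not code from the original post: toy RSA-CRT signer with a
# simulated fault, the gcd that turns one faulty signature into a prime
# factor, and the verify-before-release check that prevents the leak.
from math import gcd

# Constructed toy key (real keys use primes of 1024+ bits).
P, Q = 10007, 10009
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent


def crt_sign(m, fault=False):
    """Sign m with the Chinese Remainder Theorem fast path real
    implementations use. fault=True corrupts one bit of the mod-Q half,
    simulating a memory error during signing."""
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    if fault:
        s_q ^= 1                    # single flipped bit in one CRT half
    # Garner recombination: s = s_q + Q * ((s_p - s_q) * Q^-1 mod P)
    h = ((s_p - s_q) * pow(Q, -1, P)) % P
    return (s_q + Q * h) % N


def verify(m, s):
    """Standard RSA verification: s^e must equal m modulo N."""
    return pow(s, E, N) == m % N


def factor_from_faulty_signature(m, s):
    """What an observer of a faulty signature learns: the half that was
    correct still satisfies s^e = m mod P, the corrupted half does not
    mod Q, so gcd(s^e - m, N) is a prime factor of N. A good signature
    gives gcd(0, N) = N, which is not a useful factor, so None is returned."""
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None


def safe_sign(m, fault=False):
    """Hardened signer: verify before release, so a faulty signature is
    discarded instead of being sent over the wire."""
    s = crt_sign(m, fault)
    return s if verify(m, s) else None
```

With the factor in hand the other prime is just N divided by it, which is the "divide by a big prime" step the post describes; the hardened signer removes the leak at its source.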
Interesting times.
No real solid information as to whether or not this has been exploited in the wild as it's really hard to detect interception attacks like this.
https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/
no subject
Date: 2023-11-15 12:06 am (UTC)
LOL!!!!!!!!!!!!!!!!
Hugs, Jon

no subject
Date: 2023-11-15 02:49 pm (UTC)
I very plainly did put a warning at top.

no subject
Date: 2023-11-15 03:03 pm (UTC)

no subject
Date: 2023-11-20 07:14 am (UTC)

no subject
Date: 2023-11-20 07:20 am (UTC)
Very good point. Yeah, I think this is more of a 'sniffing' and monitoring sort of exploit than an active 'let's screw up people's traffic' sort of exploit. You don't want to tip your hand by making your presence obvious.