How faulty signatures could alert hackers and how to prevent them by default
Recently, The Hacker News published an article citing academic research published in November of 2023 titled “Passive SSH Key Compromise via Lattices.” The research outlined a hypothetical technique that could be used to extract private RSA keys if all of the following conditions were present:
The research suggests that under these conditions, they were able to discover 189 compromised keys in the wild because they were implemented with these specific vulnerabilities.
DigiCert welcomes this and all research that improves standards for digital trust in every ecosystem. With DigiCert’s acquisition of Mocana, who was cited along with Cisco, Hillstone Networks and Zyxel as the brands whose customers may have deployed this rare vulnerability, DigiCert is taking this research very seriously and has already taken countermeasures (outlined below) to prevent such an attack—no matter how rare.
DigiCert also respectfully encourages an open dialogue for the entire industry to arrive at root causes and actionable solutions. Similar to Cisco and Zyxel, the team at DigiCert Labs investigated immediately but were likewise unable to replicate the exact issue identified in the research. Additionally, our findings also conclude that the research speculated the potential root causes, including memory errors, flawed math operations in software, legacy software versions, etc. that could rarely cause incorrect or flawed RSA signatures.
Prior to this research, DigiCert had already deployed a feature—now a countermeasure—for all customers and partners to ensure that if such a scenario were replicated, no RSA keys would be extractable. The DigiCert TrustCore SDK library (formerly Mocana) already includes an automated flag for RSA signature validation and integrity. Customers using our RSA libraries, who have not already enabled this flag have been strongly encouraged to enable it immediately and in-turn enforce signature validation during the signing process—a fundamental of managing trust. Enable by default will be DigiCert’s standard going forward. This prevents any potentially unsafe outputs from being finalized.
No. This attack—passive or active—would not break RSA because it does not attack RSA directly. Rather, it exploits an unexpected or faulty implementation behavior that is known to be outdated and does not employ TLS version 1.3.
The research underscores the need for adopting a crypto-agile paradigm and crypto-agility practices, particularly for anyone still using any TLS version that predates TLS 1.3 which was deployed in 2018. The latest algorithms and techniques are the best counter measure. Any “set-it-and-forget-it” notion of cryptographic practices will undermine digital trust and potentially expose vulnerabilities over time, especially as quantum computing becomes a reality.
This kind of research will likely increase in frequency and severity as quantum computing becomes more stable and accelerates testing and decrypting of hard math algorithms. Organizations will need to react more quickly to possible vulnerabilities in their ecosystems. To prepare for Post-Quantum Cryptography or PQC, steps should be taken immediately to discover, identify, map a comprehensive book of record for all cryptographic assets. Automation tools should be in place to rotate certificates and keys for crypto agility.
If you have research, testing or vulnerabilities that may involve DigiCert or any of DigiCert’s customers directly or indirectly, please contact us immediately at Labs@DigiCert.com and Compliance@DigiCert.com or by calling (801) 896-7973.