Only affects RSA keys, and then only 1 in a million keys are vulnerable. So this is mostly of academic (rather than practical) interest, but nevertheless it will lead to further hardening of the SSH protocol which is nice.
Technology
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
It also appears to only affect non-OpenSSH secure shell implementations.
Oh, so like 3 users
Security of a sufficiently long RSA key was the one true constant in my life. Poof... There it goes!
Once attackers have possession of the secret key through passive observation of traffic, they can mount an active Mallory-in-the-middle
Mallory in the middle would be a sick punkrock band name though.
This is the best summary I could come up with:
Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years.
SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments.
The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection.
Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS—or Transport Layer Security—protocol encrypting Web and email connections.
The researchers noted that since the 2018 release of TLS version 1.3, the protocol has encrypted handshake messages occurring while a web or email session is being negotiated.
The new findings are laid out in a paper published earlier this month titled "Passive SSH Key Compromise via Lattices."
The original article contains 596 words, the summary contains 157 words. Saved 74%. I'm a bot and I'm open source!