SSH Communications Security Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks



Vendor Statement

RSA Timing Attacks in SSH Communications Security toolkit products

Security problems have been found and corrected in the following SSH toolkit products:

    • SSH IPSEC Express Toolkit (concerns only TLS option and RSA encryption use in IKE)
    • SSH Certificate/TLS Toolkit
Other SSH toolkit products are not affected.

For SSH IPSEC Express Toolkit customers:

RSA encryption is not widely used with IKE. If you use just RSA signatures for IKE authentication and do not have the TLS option, there are no security concerns and you do not need to apply the patch.

The recently published article [1] presents a new timing attack on RSA operations. The attack uses statistical analysis of timing information from RSA private key operations on chosen input texts to retrieve bits from the private key. For the approach to work, a very accurate timing analysis is required, which makes the attack only feasible over local networks or between different processes on the same machine. A second prerequisite is the ability for the opponent to selectively choose a large number of bits of the input data to the private key operation. The opponent needs to be able to choose a large number (of the order 10^5 - 10^6) of such input texts.

This means the attack as presented in [1] does not apply to situations where the private key is used for generating a digital signature on input data by first hashing the input data. If the owner of the private key hashes the input data, the opponent has lost the ability to choose bits in the input data to the private key operation. [If the input to the hash function can be chosen by the opponent, then the attack may still be possible for weak hash functions if the opponent can adaptively invert the hash function. For hash functions used in cryptography this is not possible, and the attack will not succeed.]

In protocols such as IKE authenticated with signatures, the input data that is hashed contains random input from the owner of the private key. In this case there is no possibility for the opponent to influence the input value to the private key operation, and the attack will not work.

The attack is more relevant in cases where the private key is used for decryption such as in SSL/TLS. In this case, by using an active attack, the opponent can directly choose the value to be decrypted by the victim of the attack. When performing this attack the TLS negotiation will fail because the decrypted ciphertext will not have the correct PKCS1 padding. Therefore the attack is only likely to succeed in situations where the victim TLS server keeps allowing incoming connections from a source where the TLS handshake repeatedly fails.

The attack may also be relevant in IKE when authenticating using public key encryption.

The most effective prevention for this attack is well known, and is known as blinding. Essentially this consists of randomizing the input to the modular exponentiation part of the RSA private key operation. The timing of the RSA decryption is then random, and this prevents timing analysis from revealing any key information. The effect of blinding on performance is acceptable, varying from 2%-10%.

Our IKE and TLS implementations do not at present use blinding for RSA private key decryption operations. A patch is now available from SSH.
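The blinding countermeasure described above, as an added example that is not the vendor's or toolkit's own code: the attacker-chosen ciphertext c is multiplied by r^e for a fresh random r before the private exponentiation, so the value that actually passes through the timing-dependent step is no longer under the attacker's control, and the result is unblinded by dividing out r. The key below uses constructed toy primes so the example runs quickly; real keys are far larger.

```python
import math
import secrets

# Constructed toy RSA key (small primes for readability; not a real key size).
P, Q = 1000000007, 1000000009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    # Plain private-key operation: the running time of pow depends on c,
    # which is exactly what a chosen-ciphertext timing attack measures.
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    # Fresh random blinding factor r, invertible mod n (gcd(r, n) == 1).
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    # Randomise the input to the modular exponentiation:
    #   c' = c * r^e (mod n)
    # The opponent chose c, but c' is uniformly random from their view.
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    # Unblind: (c * r^e)^d = c^d * r^(e*d) = c^d * r (mod n), so multiply by r^-1.
    return (m_blind * pow(r, -1, n)) % n


def decrypt_both_ways(m: int) -> tuple[int, int]:
    # Encrypt m with the public key, then recover it with and without blinding.
    c = pow(m, E, N)
    return rsa_private_unblinded(c), rsa_private_blinded(c)
```

Both paths return the same plaintext; only the blinded one decorrelates the exponentiation time from the attacker-supplied ciphertext.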

[1] Remote Timing Attacks are Practical, by David Brumley and Dan Boneh.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References
The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.