jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License

vulnerabilities in RSA to watch for #225

Open perkelix opened 1 year ago

perkelix commented 1 year ago

As per this article, RSA key exchanges in some SSH implementations are subject to interception. It might be worth investigating if this can be audited.

BenBE commented 1 year ago

Only the failure case (when the bug happens) can be actively detected with certainty, but this is subject to the bug actually happening while the audit is performed.

On the other hand, depending on the SSH implementation one might try to test whether the system errors out if a calculation with this bug is being processed. Although this might not indicate whether the implementation errors out when sending such wrong communications itself …

jtesta commented 1 year ago

Thanks for the heads up!

It seems like a test for this issue would be to simply validate the RSA signatures we receive while running scans. If it fails, we report it in the UI (actually computing the private key wouldn't be necessary). Only 1-3 RSA validations would need to be done per connection, which would not be expensive, CPU-wise.

The one requirement for implementation would be that it must be written in native Python; one of the design goals of ssh-audit is to remain library dependency-free. So we couldn't use a crypto library. Python does have large-number support already, so we'd just need to do our own PKCS#1 v1.5 de-encapsulation and some modular exponentiation, and maybe that's it.

Though, as the paper itself states, finding this vulnerability would be quite rare. And it's possibly not reproducible through subsequent scans.

I'd happily accept a PR that observes the above requirement, but personally, given how rare this issue is (as well as implementation-specific), it's not a priority for me to chase down.

Thanks again for letting me know about this paper!
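The check jtesta sketches above, written out as an added example (this is not ssh-audit code and not a PR against it; it only uses the Python standard library, matching the project's no-dependency requirement). It does the PKCS#1 v1.5 "de-encapsulation" by hand: the verifier computes s^e mod n, rebuilds the expected EMSA-PKCS1-v1_5 encoding (the DigestInfo prefixes are the fixed RFC 8017 values for the SHA-1/SHA-256/SHA-512 variants SSH uses as ssh-rsa, rsa-sha2-256 and rsa-sha2-512), and reports any signature that does not verify. It goes one step beyond what the comment asks for by also showing why such a failure matters: a signature produced with a faulty CRT half leaks a factor of n via a single gcd. Everything here is constructed for the demonstration: the 512-bit key is generated at run time, the "message" is a stand-in for the SSH exchange hash, and the fault is injected deliberately in `crt_sign(..., fault=True)`; the function names are this example's own. Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
import hashlib
import math
import random

# DigestInfo prefixes from RFC 8017, keyed by the SSH signature algorithm name (RFC 8332).
DIGEST_INFO = {
    "ssh-rsa":      (hashlib.sha1,   bytes.fromhex("3021300906052b0e03021a05000414")),
    "rsa-sha2-256": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
    "rsa-sha2-512": (hashlib.sha512, bytes.fromhex("3051300d060960864801650304020305000440")),
}


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; only needed to build the demo key, not for verification."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_demo_key(bits=512, seed=None):
    """Constructed demo key (too small for real use); returns (n, e, p, q, d)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, p, q, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(alg, message, k):
    """EMSA-PKCS1-v1_5: 0x00 0x01 <0xff padding> 0x00 <DigestInfo || hash>, k bytes long."""
    hashfn, prefix = DIGEST_INFO[alg]
    t = prefix + hashfn(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for " + alg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_verify(n, e, alg, message, sig):
    """Pure-Python RSASSA-PKCS1-v1_5 verification: one modular exponentiation plus a compare."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_encode(alg, message, k)


def crt_sign(p, q, d, alg, message, fault=False):
    """CRT signer; fault=True corrupts the mod-p half to simulate the faulty implementation."""
    n = p * q
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(alg, message, k), "big")
    sp = pow(m, d % (p - 1), p)
    sq = pow(m, d % (q - 1), q)
    if fault:
        sp = (sp + 1) % p          # injected computation error (demo only)
    h = ((sp - sq) * pow(q, -1, p)) % p   # Garner recombination
    return (sq + q * h).to_bytes(k, "big")


def recover_factor(n, e, alg, message, sig):
    """If only one CRT half was wrong, gcd(s^e - m, n) yields the other prime (Lenstra)."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(alg, message, k), "big")
    s = int.from_bytes(sig, "big")
    g = math.gcd((pow(s, e, n) - m) % n, n)
    return g if 1 < g < n else None


def audit_signature(n, e, alg, message, sig):
    """What a scanner would do with each RSA signature it receives during a scan."""
    if rsa_verify(n, e, alg, message, sig):
        return "valid"
    return "INVALID: RSA signature does not verify (possible faulty-CRT implementation)"


def demo(seed=1):
    n, e, p, q, d = make_demo_key(seed=seed)
    msg = b"constructed stand-in for the SSH exchange hash H"
    good = crt_sign(p, q, d, "rsa-sha2-256", msg)
    bad = crt_sign(p, q, d, "rsa-sha2-256", msg, fault=True)
    return {
        "good": audit_signature(n, e, "rsa-sha2-256", msg, good),
        "bad": audit_signature(n, e, "rsa-sha2-256", msg, bad),
        "factor_from_good": recover_factor(n, e, "rsa-sha2-256", msg, good),
        "factor_ok": recover_factor(n, e, "rsa-sha2-256", msg, bad) in (p, q),
    }


if __name__ == "__main__":
    print(demo())
```

Note the practical caveat from the thread: a scanner only sees the fault if the server happens to produce a bad signature during that connection, so a "valid" result says nothing about whether the implementation is susceptible; only an "INVALID" result is evidence.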