żěè¶ĚĘÓƵ

Some unbreakable encryption keys are accidentally leaking online

A widely used form of encryption called RSA is thought to be unbreakable, but an analysis of more than 5 billion server records has found that, in some cases, hardware errors can lead to secret keys being exposed
Faulty encryption can put data at risk
Yuichiro Chino/Getty Images

Hardware faults are leaking hundreds of supposedly unbreakable encryption keys on to the internet, researchers have found – and spy agencies may be exploiting the loophole to read secret messages.

RSA is a widely-used encryption scheme that depends on two numbers – a public key, which anyone can use to encrypt a message intended for a particular person, and a private key, which decrypts the messages and only that person has access to. Individuals can also use their private key to “sign” a message, allowing anyone to use their public key to verify the signature is genuine.

Normally, cracking someone’s private key would require an infeasible level of computation. But when Keegan Ryan at the University of California, San Diego, and his colleagues analysed around 5.2 billion server records gathered over the course of seven years, they found nearly 600,000 examples of incorrectly formed signatures with errors that could expose private RSA keys.

By exploiting these errors, the team was able to retrieve private keys from 4962 records. Because some of these records were duplicated, in total it identified 189 unique private keys.

“In our dataset, we found that about one in a million signatures leaked the private key,” says Ryan. “In an ideal world, that would be zero. This wouldn’t be possible. So the fact that it’s anything more than that is somewhat surprising.”

The researchers found devices made by four manufacturers could create signatures incorrectly, leaving them susceptible to this kind of attack. Two of the manufacturers contacted by the team – Cisco and Zyxel – said they had either fixed the error where possible or had stopped selling the devices it affected. The other two manufacturers didn’t respond. All four were separately contacted by żěè¶ĚĘÓƵ for this story, but haven’t responded.

“Our research showed that the total number of affected hosts has gone down over time, which is a good sign,” says Ryan. “As these devices update over time, there will be fewer vulnerable devices on the internet.”

The faults in these devices allow an attacker to quietly monitor legitimate connections until a faulty signature exposes a private key. This breach could enable them to undetectably impersonate the compromised host, intercepting sensitive data. “If the private key is exposed, then you don’t know if you’re talking to the correct server, or if you’re talking to an attacker,” says Ryan.

“This is an important result, reminding us that software and hardware flaws may weaken the security of paradigms regarded as bulletproof,” says independent cybersecurity researcher . “All that is needed is a small flaw, and suddenly things deemed unbreakable are in fact prone to easy and simple cryptanalysis. In this particular case, encryption and digital signatures were undermined.”

“This research demonstrates that hardware errors can contribute to implementation vulnerabilities as much as mistakes in coding,” says at the University of Surrey, UK. “Cheaper, error-prone hardware is widespread, so this will be of interest to anyone wishing to bypass RSA, and it’s difficult not to conclude that this will be governments wanting to eavesdrop.”

However, Olejnik is less certain that spy agencies will be able to leap in to exploit the issue. “It is an isolated issue of devices not used on massive scales,” he says. “It is unlikely usable for espionage, though it all depends where such devices are placed.” Fixing things should be relatively easy, says Olejnik – you just need to replace or patch the affected devices. “Patching is one of the most proactive security defences that an organisation can take,” says Ryan.

Reference:

Cryptology ePrint Archive