Recover a RSA private key from a TLS session with Perfect Forward Secrecy

They always taught us that the only thing it can be pulled out from a SSL/TLS session using strong authentication and latest state-of-art (Perfect Forward Secrecy) ciphersuites is the public key of the certificate exchanged during the TLS handshake, an insufficient condition to place a MiTM attack without to generate alarms on the validity of the TLS connection and certificate itself. Anyway, this is not always true. In certain circumstances it is possible to derive the private key of server regardless the size of modulus used. Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and
computational resources. All that needed is the generation of a faulty digital signature from server, an event that can be observed when occuring error conditions such as CPU overheating and/or hardware faults. Because of these premises devices like firewall, switch, router and other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author will explain the theory behind the attack, how common are the factors that make it possible, and his customized implementation of the technique. At the end a proof-of-concept able to work both in passive mode (i.e. only sniffing the network traffic) and in active mode (namely, partecipating directly in the establishment of TLS handshakes) will be released.

Język prezentacji: angielski