In-memory keys are better protected by OpenSSH in the future. This should make sidechannel attacks on the main memory such as Specter, Meltdown, Rowhammer and RAMBleed more difficult. For this purpose, the private SSH keys are encrypted in memory with a symmetric key. This “is derived from a relatively large ‘prekey’ consisting of random data (currently 16 KB),” writes OpenSSH developer Damien Miller.
Attackers would have to restore the entire symmetric key with high accuracy before they could recover the private SSH key, writes Miller. “The current generation of attacks, however, has bit error rates that make it unlikely when applied cumulatively to the entire key.”
Only recently, a variant of the Rowhammer attack was introduced, with which the memory can be read out. To demonstrate the practical implications of this attack called RAMBleed, the explorers read an RSA key of an OpenSSH server on a Linux system. At the same time, it eased the attack that RSA already knows only a fragment of a private key. The rest can be calculated from it. The symmetric encryption of the OpenSSH keys in the work memory is intended to protect against such attack scenarios or at least make them much more difficult.
For eternity, however, securing the keys should not be. “Hopefully we can remove this in a few years, when the computer architecture has become less uncertain,” writes Miller.
