Windows 10 v1803 with native OpenSSH client support. It is possible to "decrypt" RSA keys

The latest compilation 1803 finally brings native support for the OpenSSH application client in Windows 10 to generate and manage SSH keys and log in to remote hosts using the " ssh [email protected] -port " ssh [email protected] -port . It's a lot easier for administrators and more demanding users who will no longer have to use the not too intuitive Putty and PPK in most applications. Native support for OpenSSH applications now allows you to log in faster with a key (or without) to remote hosts, in the same convenient way as in Linux. Unfortunately, Ronnie Flather proved that Microsoft did not properly take care of the default security for the generated keys, which are passed to the " ssh-agent " service when trying to log in to the server using the private key.

Fortunately, not everyone believes in Microsoft. On the MSDN website, in an article describing the new function, we read something like :

OpenSSH in Windows 10

Microsoft rightly points out the problem with private keys: "they must be kept in a safe place and not passed on to outsiders". There is nothing to mention about the consequences.

Key storage and quick logging is performed by the ssh-agent service. All applications that are used as part of OpenSSH are located in the " c:\windows\system32\openssh " location:

OpenSSH in Windows 10 location

An article on the MSDN blog teaches how to use the integrated OpenSSH client with the Windows system - we use the ssh-agent and ssh-add commands to store the private key in the running session. The keys are secured when forwarding to the client using DPAPI (Data Protection Application Programming Interface) in such a way that the private keys are encoded in Base64 and saved in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\Agent\Keys .

Windows 10 saved SSH keys

Now it is possible to extract binary blobs from the registry and convert them to the original, unencrypted RSA private keys, which are saved by default to the location " %userprofile% ".

Access to the registry requires elevated privileges, but it is not a complicated task. Such an attack is possible to carry out. If the cybercriminals attack the selected organization, they will need a virus that will check if the ssh-agent is running, and if so, try to access the registry, steal RSA private keys that are easily encoded into the original Base64 cipher and read call addresses.

ssh-agent service in Windows 10

The author has proved that by copying the key to the Linux operating system, it is possible to log in to the server without providing a password (passphrase) to access the key.

Microsoft made this task easier for criminals who after intercepting a private key will not have to break the access password, which would not always be possible with high entropy .

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.