Exposed or leaked public and private keys can severely compromise the security of apps and accounts. Researchers have presented a new security tool – Driftwood – to detect such exposures.
About Driftwood Security Tool
Researchers from Truffle Security have presented “Driftwood” – a tool that detects leaked keys and helps prevent private key exposure.
As elaborated in their recent post, the researchers used this tool to detect hundreds of exposed keys.
With this tool we found the private keys for hundreds of TLS certificates, and SSH keys that would have allowed an attacker to compromise millions of endpoints/devices.
Encryption keys play an important role in securing most online services and communications. This includes everything from the commonly used TLS/SSH encryption to more robust programs such as messenger and email apps.
Accidental exposure of such keys could give unhindered access to unauthorized or even malicious intruders. Hence, it is essential to keep these keys as private as possible. Nonetheless, detecting a potential key exposure is often tricky, and it frequently goes unnoticed until malicious exploitation. Driftwood aims to fill this security gap.
The researchers used Driftwood to find dozens of GitHub users’ private keys from a sample of 50,000. These exposed keys led to sensitive repositories such as those belonging to Oracle, IBM, and Arm.
Apart from the asymmetric keys, the researchers could also find roughly 2500 private keys for symmetric encryption from the sample.
Based on these findings, the researchers have decided to open-source Driftwood after loading it with the relevant data.
We compiled a database of billions of TLS and SSH public keys that we know pair with sensitive private keys. Driftwood will take a given Private Key, extract its public key component, and then post the public key to our database to see whether it pairs with a known sensitive key.
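The check the researchers describe – derive the public half of a found private key and look it up against a database of public keys known to pair with sensitive keys – can be illustrated with the following Go program. This is an added example and not Driftwood’s own code: the database is a constructed in-memory map keyed by a SHA-256 fingerprint of the public key’s DER encoding, and the helper that generates a sample key exists only to produce input for the demo. Only the public fingerprint is ever used for the lookup, so the private key never needs to leave the machine where it was found.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// PublicFingerprint parses a PEM-encoded private key (PKCS#1 RSA, SEC 1 EC,
// or PKCS#8), derives its public component, and returns the SHA-256 hex
// fingerprint of the public key's DER (SubjectPublicKeyInfo) encoding.
// Only this fingerprint, never the private key, is used for the lookup.
func PublicFingerprint(privPEM []byte) (string, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	var pub any
	switch block.Type {
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
		pub = &k.PublicKey
	case "EC PRIVATE KEY":
		k, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
		pub = &k.PublicKey
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
		switch key := k.(type) {
		case *rsa.PrivateKey:
			pub = &key.PublicKey
		case *ecdsa.PrivateKey:
			pub = &key.PublicKey
		case ed25519.PrivateKey:
			pub = key.Public()
		default:
			return "", fmt.Errorf("unsupported PKCS#8 key type %T", k)
		}
	default:
		return "", fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// SensitiveKeyDB is a constructed stand-in for Driftwood's database of public
// keys known to pair with sensitive private keys: fingerprint -> label.
type SensitiveKeyDB map[string]string

// Register records the public fingerprint of a key known to be sensitive.
func (db SensitiveKeyDB) Register(fingerprint, label string) { db[fingerprint] = label }

// Check derives the public fingerprint of a found private key and reports
// whether it matches a registered sensitive key.
func (db SensitiveKeyDB) Check(privPEM []byte) (label string, sensitive bool, err error) {
	fp, err := PublicFingerprint(privPEM)
	if err != nil {
		return "", false, err
	}
	label, sensitive = db[fp]
	return label, sensitive, nil
}

// NewRSAPrivateKeyPEM generates a fresh RSA key and returns it PEM-encoded
// (PKCS#1); it exists only to construct sample input for the demo.
func NewRSAPrivateKeyPEM(bits int) ([]byte, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}), nil
}

func main() {
	db := SensitiveKeyDB{}
	prodKey, _ := NewRSAPrivateKeyPEM(2048) // constructed: pretend this backs a live TLS cert
	fp, _ := PublicFingerprint(prodKey)
	db.Register(fp, "TLS certificate for example.test (constructed label)")
	leaked, _ := NewRSAPrivateKeyPEM(2048) // constructed: an unrelated key found in a repo
	for _, pemBytes := range [][]byte{prodKey, leaked} {
		label, hit, err := db.Check(pemBytes)
		fmt.Printf("sensitive=%v label=%q err=%v\n", hit, label, err)
	}
}
```

In a real deployment only the fingerprint (or the public key itself) would be posted to the lookup service; the fingerprint is stable because the DER SubjectPublicKeyInfo encoding is canonical for a given key, so the same private key always maps to the same database entry regardless of which PEM container it was found in.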
Interested users can easily get this tool from GitHub.
Recently, Truffle Security also released another security tool, “TruffleHog”, to detect secret keys in JavaScript.