
PuTTY 0.81 security release

Version 0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497; some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys (ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.

However, this only affects that one algorithm and key size. No other size of ECDSA key is affected, and no other key type is affected.

(Thanks to Joe Nahmias).



PuTTY 0.81 security release

Posted Apr 16, 2024 15:34 UTC (Tue) by makendo (subscriber, #168314) [Link]

They definitely meant 512-bit by 521-bit...

PuTTY 0.81 security release

Posted Apr 16, 2024 15:36 UTC (Tue) by intelfx (subscriber, #130118) [Link]

No, they meant exactly 521 bit.

PuTTY 0.81 security release

Posted Apr 16, 2024 16:04 UTC (Tue) by NYKevin (subscriber, #129325) [Link]

Indeed, the discrepancy between 512 and 521 is the source of the issue. I'm sure they are now very painfully aware of it.

PuTTY 0.81 security release

Posted Apr 16, 2024 16:17 UTC (Tue) by alanjwylie (subscriber, #4794) [Link]

$ for x in {512..521}; do factor $x; done
512: 2 2 2 2 2 2 2 2 2
513: 3 3 3 19
514: 2 257
515: 5 103
516: 2 2 3 43
517: 11 47
518: 2 7 37
519: 3 173
520: 2 2 2 5 13
521: 521

PuTTY 0.81 security release

Posted Apr 16, 2024 18:20 UTC (Tue) by bbolli (guest, #19153) [Link]

factor {512..521}

PuTTY 0.81 security release

Posted Apr 16, 2024 20:26 UTC (Tue) by jreiser (subscriber, #11027) [Link]

This reveals acutely the lack of basic sanity checking in the code. The error was much deeper than typographic. 512 is a power of 2 (an even prime), and 521 is a prime itself. Those two facts of number theory should stick out like two sore thumbs for any code that handles crypto. The integers 512 and 521 cannot possibly masquerade as each other.

PuTTY 0.81 security release

Posted Apr 16, 2024 20:53 UTC (Tue) by intelfx (subscriber, #130118) [Link]

> This reveals acutely the lack of basic sanity checking in the code. The error was much deeper than typographic. 512 is a power of 2 (an even prime), and 521 is a prime itself. Those two facts of number theory should stick out like two sore thumbs for any code that handles crypto. The integers 512 and 521 cannot possibly masquerade as each other.

I don't think that is relevant.

Reading the bulletin on the PuTTY project website, it seems the error was neither typographic nor number-theoretic. PuTTY used its own algorithm for deterministic nonces instead of the RFC (because that algorithm predated the RFC by 13 years), which used a 512-bit hash modulo the order of the ECC subgroup, and failed to account for the fact that the order in question might someday become larger than 512.
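An added illustration of the failure mode described above (not PuTTY's code and not part of the original thread): a fixed 512-bit hash reduced modulo a 521-bit group order can never populate the top 9 bits of the nonce, and a one-line design-time check catches that. The `wide_nonce` variant is a generic hash-to-scalar pattern with a margin, shown only as a contrast; it is not a description of PuTTY's actual fix. The group orders are the SEC 2 values for P-256 and P-521, typed in here as constants.

```python
import hashlib

# Group orders from SEC 2, entered here as constants (not taken from the thread).
P256_N = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
P521_N = int("01" + "F" * 65
             + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)

HASH_BITS = 512  # SHA-512 output width, the fixed width in the scheme discussed above


def forced_zero_top_bits(hash_bits: int, n: int) -> int:
    """Sanity check a deterministic-nonce scheme should make at design time:
    how many leading nonce bits are always zero when a hash of hash_bits bits
    is reduced modulo an order n that is wider than the hash."""
    return max(0, n.bit_length() - hash_bits)


def biased_nonce(secret: bytes, msg: bytes, n: int) -> int:
    """Model of the pre-fix construction: one 512-bit hash reduced mod n.
    For a 521-bit n the value h is already below n, so no reduction happens
    and the top 9 bits of every nonce are zero."""
    h = int.from_bytes(hashlib.sha512(secret + msg).digest(), "big")
    return h % n


def wide_nonce(secret: bytes, msg: bytes, n: int, margin: int = 64) -> int:
    """Illustrative remedy (hypothetical, not PuTTY's fix): derive at least
    bit_length(n) + margin bits by hashing with a counter, then reduce, so the
    result covers [0, n) almost uniformly whatever the size of n."""
    need = (n.bit_length() + margin + 7) // 8
    out = b""
    ctr = 0
    while len(out) < need:
        out += hashlib.sha512(secret + msg + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out[:need], "big") % n


def max_nonce_bits(make, n: int, samples: int = 64) -> int:
    """Empirical check: widest nonce produced over a few constructed messages."""
    secret = b"constructed-test-secret"
    return max(make(secret, b"msg-%d" % i, n).bit_length() for i in range(samples))


if __name__ == "__main__":
    print("forced zero top bits, P-256:", forced_zero_top_bits(HASH_BITS, P256_N))
    print("forced zero top bits, P-521:", forced_zero_top_bits(HASH_BITS, P521_N))
    print("widest biased nonce (P-521):", max_nonce_bits(biased_nonce, P521_N))
    print("widest wide nonce   (P-521):", max_nonce_bits(wide_nonce, P521_N))
```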

PuTTY 0.81 security release

Posted Apr 16, 2024 22:36 UTC (Tue) by ballombe (subscriber, #9523) [Link]

Indeed. 521 was chosen instead of 512 because 521 is a Mersenne prime:
p=2^521-1 is prime and reduction modulo p can be done with just one shift, one masking and one subtraction.

See <https://www.secg.org/SEC2-Ver-1.0.pdf> page 18.

PuTTY just did not anticipate that one standard would use a modulus larger than 2^512.

PuTTY 0.81 security release

Posted Apr 17, 2024 5:36 UTC (Wed) by oldtomas (guest, #72579) [Link]

You meant to say 2^521 - 1 is a Mersenne prime (threw me of at first :-)

PuTTY 0.81 security release

Posted Apr 17, 2024 14:37 UTC (Wed) by Klaasjan (subscriber, #4951) [Link]

You probably meant to say ‘threw me off’ :)

PuTTY 0.81 security release

Posted Apr 17, 2024 16:59 UTC (Wed) by chris_se (subscriber, #99706) [Link]

> Reading the bulletin on the PuTTY project website, it seems the error was neither typographic nor number-theoretic. PuTTY used its own algorithm for deterministic nonces instead of the RFC (because that algorithm predated the RFC by 13 years), which used a 512-bit hash modulo the order of the ECC subgroup, and failed to account for the fact that the order in question might someday become larger than 512.

The git commit message that fixes this is actually quite enlightening:
https://git.tartarus.org/?p=simon/putty.git;a=commit;h=c1...

To me this shows that when you see some minor issue when implementing crypto, you better fix it regardless, because even if you are relatively sure that it's OK for now, it will come to bite you in the back at some later point in time.

Also, IMHO this kind of issue is another reason to avoid DSA/ECDSA. The fact that the signature is linearly dependent on a product of the private key and a nonce makes attacks such as these even remotely feasible. There are better alternatives available (e.g. EdDSA) that don't suffer from this underlying design issue in the basic algorithm.

PuTTY 0.81 security release

Posted Apr 17, 2024 10:49 UTC (Wed) by ciakval (subscriber, #140828) [Link]

It seems like the download page was not yet updated to 0.81, even though the link on the home page says so:
The latest version is 0.81. Download it here.

The files for the 0.81 version seem to be reachable from a 0.81 release page.


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds