Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Pre-release
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
When PuTTYgen is asked to generate an RSA key with a 2n-bit modulus, it does it by generating two n-bit primes and multiplying them together. (Adjusted appropriately if the requested length is odd.)
Implemented naïvely, this technique could generate either a (2n−1)-bit modulus or a 2n-bit one, because if each input prime is between 1/2 and 1 times 2n, then their product could be anywhere between 1/4 and 1 times 22n, and the bottom half of that range gives a key modulus one bit smaller than the user asked for.
Cryptographically, this is perfectly harmless (there's no significant difference in ease of factoring between a 2048- and 2047-bit key). But people often used to complain, so in 0.63 we introduced a check that would control the initial few bits of the primes just enough to guarantee their product was at least 1/2 × 22n.
Just before the 0.71 release, that checking code was rewritten to improve it in minor ways, and was not quite adequately tested, which reintroduced the bug where keys can be one bit short. In 0.72, that's now fixed again.