Ever since PuTTY 0.52, Diffie-Hellman key exchange (of the ordinary integer kind, not elliptic-curve) has been done using an exponent of smaller size than the prime modulus. Now it's using a full-sized exponent.
This was originally done to save time, because Diffie-Hellman was more computationally expensive even than an RSA private-key operation of the same size (because in RSA you can use the Chinese remainder theorem to reduce the work).
A cryptography paper at the time gave a rationale for why it was OK to use short exponents, provided your Diffie-Hellman modulus is a safe prime (which all the standard SSH ones are, and group exchange is supposed to use safe primes as well).
However, there is of course a theoretical risk in trusting a piece of reasoning like that: it might be proved wrong by further research, or a new attack might be found against it, or a mistake in deployment might combine badly with taking that particular shortcut (e.g. suppose a mis-implemented server didn't use safe primes for DH group exchange).
Now computers are significantly faster than they were in 2001, and PuTTY's arithmetic code is also more highly optimised than it was then. So I've decided it isn't worth taking that risk any more. From 0.77, PuTTY will use full-sized exponents for integer Diffie-Hellman.
This change is not classed as a vulnerability fix, because I don't know of any actual attacks against the previous strategy. It's more in the nature of "being extra cautious just in case".
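As an added illustration (not PuTTY's own code), here are the two ideas above in Python: a check that a Diffie-Hellman modulus really is a safe prime, which a client can run on a server-proposed group-exchange modulus before using it, and a private exponent drawn from the full range of the modulus rather than a short one. The sample modulus is the RFC 2409 1024-bit MODP group (SSH's diffie-hellman-group1); the function names, the 40 Miller-Rabin rounds and the `bits` option are my own choices.

```python
import secrets

# RFC 2409 "Second Oakley Group": the 1024-bit MODP prime used by SSH's
# diffie-hellman-group1-sha1 (generator 2). A standard, safe-prime group.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; ample for vetting a negotiated group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p = 2q + 1 with p and q both prime: the premise the short-exponent argument rests on."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def private_exponent(p, bits=None):
    """Uniform x in [2, p-2]. bits=None is the full-sized choice; a small bits
    value reproduces the old shortcut and is here for comparison only."""
    bound = p - 1 if bits is None else 1 << bits
    while True:
        x = secrets.randbelow(bound)
        if 2 <= x <= p - 2:
            return x

def dh_exchange(p, g):
    """Both ends of one exchange; returns the two independently derived secrets."""
    if not is_safe_prime(p):
        # A mis-implemented server proposing a non-safe prime is rejected here.
        raise ValueError("modulus is not a safe prime; refusing the group")
    a, b = private_exponent(p), private_exponent(p)
    return pow(pow(g, b, p), a, p), pow(pow(g, a, p), b, p)
```

Run against a modulus such as 2**127 - 1 (prime, but (p-1)/2 is composite) the safe-prime check fails and the exchange is refused, which is the deployment mistake the entry above describes.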