PuTTY bug win-puttygen-entropy-rate-limit

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Privacy | Changes | Wishlist

summary: Windows PuTTYgen's entropy collection worked badly with high-frequency mice
class: bug: This is clearly an actual problem we want fixed.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
fixed-in: 5ad601ffcd5d09b5f22d998f71ce9ccdf35140f1 (0.77)

Windows PuTTYgen has always collected entropy for its key generation by asking the user to waggle the mouse over the PuTTYgen window, and collecting timing and coordinate data from the stream of mouse movement events until it thinks it has enough randomness to generate a key.

However, PuTTYgen's method for calculating when it had enough entropy did not take into account that some pointing devices (such as gaming-oriented mice) send mouse movement events at an extremely high rate like 1000 per second. If you were using a device like that, PuTTYgen would almost immediately fill its entropy buffer and start generating a key, almost as soon as the mouse twitched once.

This very likely led to PuTTYgen collecting less entropy than it should have, because in that initial tiny mouse twitch, all the movement events would have been pointing in the same direction and going at very nearly the same speed. There's no time for the user to wave their hand back and forth to introduce variation.

For 0.77, we've introduced a rate limit, so that PuTTY will no longer assume that a mouse event has the same entropy no matter how quickly they're arriving. Instead, it has an upper bound on the amount of entropy it thinks it can receive per unit time, so that even users with gaming mice will have to wave the mouse back and forth in a way that actually generates randomness.

(However, this is only one of PuTTYgen's entropy sources. We also use Windows's CryptGenRandom to supplement that mouse-based entropy collection. So keys generated by the previous PuTTYgen are not necessarily compromised.)


If you want to comment on this web site, see the Feedback page.
Audit trail for this bug.
(last revision of this bug record was at 2022-05-15 14:15:31 +0100)