PuTTY vulnerability vuln-p521-bias

Scope and Impact of the Vulnerability

  • Only NIST P‑521 client ECDSA keys used with PuTTY or Pageant are affected.
  • Server host keys are not impacted; signatures are computed by the (typically OpenSSH) server, not PuTTY.
  • Keys are at risk if used to authenticate to rogue/compromised servers or for non‑SSH signing; passive traffic capture alone is insufficient.
  • Smartcard/hardware-token keys that never let PuTTY see the private key are reported as safe.
  • Many users note they never used P‑521 (defaults favor other algorithms), so practical impact may be limited but key rotation is still advised.

Technical Cause and Cryptographic Discussion

  • Vulnerability stems from biased ECDSA nonces: PuTTY derived a 512‑bit value (via SHA‑512) and reduced it modulo a ~521‑bit group order.
  • For P‑521 this yields nonces whose top 9 bits are always zero, making private keys recoverable from ≈60 signatures via lattice attacks.
  • Commenters stress this is an ECDSA nonce issue, not specific to P‑521 curves; any biased nonce in DSA/ECDSA can leak keys.
  • There is debate on deterministic nonce design and why RFC 6979 or rejection sampling weren’t adopted earlier; lesson highlighted: don’t “roll your own” variants of standard crypto constructions.
  • Some argue ECC has many footguns and prefer EdDSA (Ed25519) or large RSA; others counter that ECC’s main advantage is smaller key sizes at equivalent security, and EdDSA still relies on modular arithmetic.

Mitigations and Operational Practices

  • Recommended actions: rotate affected P‑521 client keys, avoid ECDSA for internal accounts, and consider Ed25519 or large RSA keys.
  • Hardware tokens with touch‑to‑sign are praised; remaining concern is malware misusing an unlocked agent.
  • Users discuss disabling EC in sshd_config, or just avoiding P‑521.

Tooling: PuTTY vs Alternatives

  • Several suggest dropping PuTTY in favor of Windows’ built‑in OpenSSH, WSL2, or third‑party SSH clients with better UX.
  • Others note corporate policies (e.g., blocked ssh-agent service) keep PuTTY/Pageant relevant.
  • GUI vs CLI trade‑offs are debated; some strongly prefer GUI session management.

Broader Themes

  • Thread highlights how subtle crypto mistakes survive for years and how underfunded reviews of entrenched tools are.
  • Mixed feelings about ECC trustworthiness and standardization, and frustration with the general state of cybersecurity.