PuTTY vulnerability vuln-p521-bias
Scope and Impact of the Vulnerability
- Only NIST P‑521 client ECDSA keys used with PuTTY or Pageant are affected.
- Server host keys are not impacted; signatures are computed by the (typically OpenSSH) server, not PuTTY.
- Keys are at risk if used to authenticate to rogue/compromised servers or for non‑SSH signing; passive traffic capture alone is insufficient.
- Smartcard/hardware-token keys that never let PuTTY see the private key are reported as safe.
- Many users note they never used P‑521 (defaults favor other algorithms), so practical impact may be limited but key rotation is still advised.
Technical Cause and Cryptographic Discussion
- Vulnerability stems from biased ECDSA nonces: PuTTY derived a 512‑bit value (via SHA‑512) and reduced it modulo a ~521‑bit group order.
- For P‑521 this yields nonces whose top 9 bits are always zero, making private keys recoverable from ≈60 signatures via lattice attacks.
- Commenters stress this is an ECDSA nonce issue, not specific to P‑521 curves; any biased nonce in DSA/ECDSA can leak keys.
- There is debate on deterministic nonce design and why RFC 6979 or rejection sampling weren’t adopted earlier; lesson highlighted: don’t “roll your own” variants of standard crypto constructions.
- Some argue ECC has many footguns and prefer EdDSA (Ed25519) or large RSA; others counter that ECC’s main advantage is smaller key sizes at equivalent security, and EdDSA still relies on modular arithmetic.
Mitigations and Operational Practices
- Recommended actions: rotate affected P‑521 client keys, avoid ECDSA for internal accounts, and consider Ed25519 or large RSA keys.
- Hardware tokens with touch‑to‑sign are praised; remaining concern is malware misusing an unlocked agent.
- Users discuss disabling EC in sshd_config, or just avoiding P‑521.
Tooling: PuTTY vs Alternatives
- Several suggest dropping PuTTY in favor of Windows’ built‑in OpenSSH, WSL2, or third‑party SSH clients with better UX.
- Others note corporate policies (e.g., blocked ssh-agent service) keep PuTTY/Pageant relevant.
- GUI vs CLI trade‑offs are debated; some strongly prefer GUI session management.
Broader Themes
- Thread highlights how subtle crypto mistakes survive for years and how underfunded reviews of entrenched tools are.
- Mixed feelings about ECC trustworthiness and standardization, and frustration with the general state of cybersecurity.