@lambdafu

229 Followers
88 Following
54 Posts
I'm a tempura shrimp and you can't catch me! | 🦙 ALPACA Attack | 🦝 Raccoon Attack | 😈 DEMONS Attack | @lambdafu on Twitter.

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html


PuTTY 0.81 has been fixed to use a more secure nonce generation (RFC6979 by Thomas Pornin). Filezilla Client 3.67.0 also includes a fixed version of PuTTY. Git Tortoise and WinSCP also ship with a bundled PuTTY, but no update is available yet. 🤞
Using recent versions of the attack by Albrecht/Heninger, we can calculate the private key from 58 PuTTY P-521 signatures with a 50% probability (59 sigs: 94% success, 60 sigs: 100% success). https://eprint.iacr.org/2020/1540 Shout out to Julian Nowakowski for helping us understand the math!
On Bounded Distance Decoding with Predicate: Breaking the "Lattice Barrier" for the Hidden Number Problem

The attack on ECDSA with biased nonces is a standard technique. An attacker collects at least 521/9≈58 signatures from signed Git commits or victim logins into the attacker's SSH server. A bit of math allows the attacker to calculate the private key offline.
For DSA (160 bit) and ECDSA P-256/P-384, the modulo is so small that a 512-bit number wraps around often, and the output looks pseudo-random. Not so for P-521! Here the modulo is a no-op, and the high 9 bits of the nonce are always zero! This is enough to allow an attack!
Many programs use random nonces 🎲, but some, including PuTTY, generate them deterministically 🧮 from the private key and the message to be signed. PuTTY uses SHA-512(ID || SHA-512(x) || SHA1(m)) modulo group size as a pseudo-random nonce. Can you see a problem? 🤔
Each (EC)DSA signature needs a secret number only used once ("nonce"). If the nonce is revealed, reused, or biased (not fully random), an attacker can use the signatures to recover the private key, which is bad. So, randomness and secrecy of nonces are super important.
We found a critical vulnerability in the #PuTTY SSH client with NIST P-521 keys that allows private key recovery from only 60 signatures, CVE-2024-31497! If you use #Putty or #Filezilla with ECDSA P-521, upgrade now and generate a new key! Joint work with @Skrillor!
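The nonce derivation and the 9-bit bias described in the thread above, as an added example (illustrative code, not PuTTY's implementation or the researchers' tooling). The ID prefix and the encoding of the private key are assumptions of this model; the group orders are the standard NIST constants.

```python
import hashlib
import math

# Group orders n of the NIST curves named in the thread (standard constants).
ORDERS = {
    "nistp256": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "nistp384": 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973,
    "nistp521": int("01FF" + "FFFFFFFF" * 7
                    + "FFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16),
}

def putty_style_nonce(priv: int, msg: bytes, n: int) -> int:
    """Model of the pre-0.81 scheme from the thread: SHA-512(ID || SHA-512(x) || SHA1(m)) mod n.
    The ID bytes and the big-endian encoding of x are assumptions of this model, not
    PuTTY's real values; the bias shown below does not depend on them."""
    x = priv.to_bytes((n.bit_length() + 7) // 8, "big")
    inner = hashlib.sha512(x).digest() + hashlib.sha1(msg).digest()
    h = hashlib.sha512(b"ID-PLACEHOLDER" + inner).digest()  # only 512 bits of output
    return int.from_bytes(h, "big") % n

def forced_zero_top_bits(n: int) -> int:
    """Leading nonce bits that are always zero. A 512-bit hash reduced mod n never
    reaches bit 512 or above, so for n > 2**512 the reduction is a no-op and the
    top bit_length(n) - 512 bits of every nonce stay clear (9 bits for P-521)."""
    return max(0, n.bit_length() - 512)

def top_bits_zero(k: int, n: int, bits: int) -> bool:
    """True if the `bits` most significant positions of a bit_length(n)-wide nonce are 0."""
    return (k >> (n.bit_length() - bits)) == 0

def count_biased_nonces(curve: str, bits: int = 9, samples: int = 200) -> int:
    """Derive nonces for a constructed key and messages and count how many have their
    top `bits` bits clear. Unbiased nonces do so about samples / 2**bits times; the
    P-521 scheme does so every time, which is the signal the lattice attack exploits."""
    n = ORDERS[curve]
    priv = int.from_bytes(hashlib.sha256(b"constructed test key").digest(), "big") % n
    msgs = [b"constructed message %d" % i for i in range(samples)]
    return sum(top_bits_zero(putty_style_nonce(priv, m, n), n, bits) for m in msgs)

def signatures_needed(curve: str) -> int:
    """The thread's rule of thumb: about bit_length(n) / (known zero bits) signatures,
    i.e. 521/9 -> 58 for P-521. Returns 0 when no nonce bits are forced to zero."""
    n = ORDERS[curve]
    z = forced_zero_top_bits(n)
    return math.ceil(n.bit_length() / z) if z else 0
```

Running count_biased_nonces for nistp521 and nistp256 gives 200 of 200 versus a handful, which is the whole difference between the curves. RFC 6979, which PuTTY 0.81 adopted, draws candidates of bit_length(n) bits and rejects any that are not below n, so no bit position is ever forced to zero.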

thx @lambdafu, @Skrillor et al @ RUB for the excellent research on the [Terrapin Attack](https://terrapin-attack.com).

The #Terrapin Scanner is available here:
https://github.com/RUB-NDS/Terrapin-Scanner

For your reference:

- CVE-2023-48795: General Protocol Flaw
- CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
- CVE-2023-46446: Rogue Session Attack in AsyncSSH


We found a flaw in the SSH specification which allows a MitM attacker to drop certain messages from the secured connection. If you are using SSH, check this out: https://terrapin-attack.com 🐢

Joint work with Fabian Bäumer and Jörg Schwenk at Ruhr University Bochum, HGI, funded by CASA Excellence Cluster / DFG.
