The 2nd SPIQE Workshop on Secure Protocol Implementations in the Quantum Era is this year associated with EuroS&P in Lisbon, Portugal! Come to Lisbon in July and present your academic or industry talk on meeting the challenges in actually bringing PQC into the real world safely! Submission deadline is March 13; see our call for papers for details!
https://spiqe.cool #PQC #EuroSP #crypto
We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.
If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.
Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.
This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
PuTTY vulnerability vuln-p521-bias
PuTTY 0.81 has been fixed to use a more secure nonce generation (RFC6979 by Thomas Pornin). Filezilla Client 3.67.0 also includes a fixed version of PuTTY. Git Tortoise and WinSCP also ship with a bundled PuTTY, but no update is available yet. 🤞
Using recent versions of the attack by Albrecht/Heninger, we can calculate the private key from 58 PuTTY P-521 signatures with a 50% probability (59 sigs: 94% success, 60 sigs: 100% success).
https://eprint.iacr.org/2020/1540 Shout out to Julian Nowakowski for helping us understand the math!
On Bounded Distance Decoding with Predicate: Breaking the "Lattice Barrier" for the Hidden Number Problem
The attack on ECDSA with biased nonces is a standard technique. An attacker collects at least 521/9≈58 signatures from signed Git commits or victim logins into the attacker's SSH server. A bit of math allows the attacker to calculate the private key offline.
For DSA (160 bit) and ECDSA P-256/P-384, the modulo is so small that a 512 bit number wraps around often, and the output looks pseudo-random. Not so for P-521! Here the modulo is a no-op, and the high 9 bits of the nonce are always zero! This is enough to allow an attack!
Many programs use random nonces 🎲, but some, including PuTTY, generate them deterministically 🧮 from the private key and the message to be signed. PuTTY uses SHA-512(ID || SHA-512(x) || SHA1(m)) modulo group size as a pseudo-random nonce. Can you see a problem? 🤔
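As an added illustration (not PuTTY's code and not the researchers' tooling), the snippet below reproduces the nonce construction quoted above with constructed placeholder values for the ID string, private key and messages, and counts how many of the top bits of the resulting nonce are forced to zero for P-256 versus P-521. The curve orders are the standard FIPS 186-4 values; the identifier and key encoding are assumptions, since only the shape of the computation (a 512-bit hash reduced modulo the group order) matters for the bias.

```python
import hashlib

# Group orders of NIST P-256 and P-521 (FIPS 186-4 values, written out here).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P521_N = int("01FF" + "FFFFFFFF" * 7
             + "FFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)

# Constructed placeholders: the real PuTTY identifier string and key encoding are not reproduced.
IDENT = b"constructed-id"
PRIV = int.from_bytes(hashlib.sha512(b"constructed private key").digest(), "big")


def putty_style_nonce(n, priv, msg, ident=IDENT):
    """SHA-512(ID || SHA-512(x) || SHA1(m)) mod n, the construction quoted in the thread.

    Only the shape matters here: a 512-bit hash output reduced modulo the group order.
    """
    x = (priv % n).to_bytes((n.bit_length() + 7) // 8, "big")
    h = hashlib.sha512(ident + hashlib.sha512(x).digest() + hashlib.sha1(msg).digest()).digest()
    return int.from_bytes(h, "big") % n


def reduction_is_noop(n):
    """True when every 512-bit hash output is already below n, so `mod n` changes nothing."""
    return n >= 1 << 512


def leading_zero_bits(nonce, n):
    """Number of top bits, relative to the width of n, that are zero in this nonce."""
    return n.bit_length() - nonce.bit_length()


def min_leading_zero_bits(n, count=200):
    """Smallest number of zero top bits over `count` constructed messages.

    For a well-distributed nonce this is 0 (some nonce has its top bit set);
    a positive minimum means every nonce shares a known prefix of zero bits.
    """
    return min(
        leading_zero_bits(putty_style_nonce(n, PRIV, f"constructed message {i}".encode()), n)
        for i in range(count)
    )


if __name__ == "__main__":
    for name, n in (("P-256", P256_N), ("P-521", P521_N)):
        print(f"{name}: order has {n.bit_length()} bits, reduction no-op: {reduction_is_noop(n)}, "
              f"top zero bits shared by all nonces: {min_leading_zero_bits(n)}")
```

For P-256 the 512-bit hash wraps around the 256-bit order many times and the minimum comes out as 0; for P-521 the hash is always smaller than the 521-bit order, so the reduction never fires and all nonces share 9 zero top bits. Nine known bits per signature is the bias behind the thread's 521/9 ≈ 58 signature figure, which is why the advice is to treat any P-521 key used with an affected version as compromised and rotate it rather than rely on detection.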
Each (EC)DSA signature needs a secret number only used once ("nonce"). If the nonce is revealed, reused, or is biased (not fully random), an attacker can use the signatures to recover the private key, which is bad. So, randomness and secrecy of nonces is super important.
We found a critical vulnerability in #PuTTY SSH client with NIST P-521 keys, that allows private key recovery from only 60 signatures, CVE-2024-31497! If you use #Putty or #Filezilla with ECDSA P-521, upgrade now and generate a new key! Joint work with @Skrillor!
thx @lambdafu, @Skrillor et al @ RUB for the excellent research on the [Terrapin Attack](https://terrapin-attack.com).
The #Terrapin Scanner is available here:
https://github.com/RUB-NDS/Terrapin-Scanner
For your reference:
- CVE-2023-48795: General Protocol Flaw
- CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
- CVE-2023-46446: Rogue Session Attack in AsyncSSH