From 39d1515ea672cb77aea1838cc087b55d1b1b3220 Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Tue, 11 Jan 2022 23:57:20 +0000 Subject: [PATCH] Note side-channel resistance of probable primes. This came in around d8fda3b6da. --- doc/pubkey.but | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/pubkey.but b/doc/pubkey.but index 469c9d7d..dd481a3e 100644 --- a/doc/pubkey.but +++ b/doc/pubkey.but @@ -177,6 +177,13 @@ are prime, because it generates the output number together with a proof of its primality. This takes more effort, but it eliminates that theoretical risk in the probabilistic method. +There in one way in which PuTTYgen's proven-primes method is not +strictly better than its probable-primes method. If you use PuTTYgen +to generate RSA or DSA keys on a computer that is potentially +susceptible to timing- or cache-based \i{side-channel attacks}, such +as a shared computer, the \q{probable primes} method is designed to +resist such attacks, whereas the \q{proven primes} methods are not. + You might choose to switch from probable to proven primes if you have a local security standard that demands it, or if you don't trust the probabilistic argument for the safety of the usual method. @@ -389,8 +396,8 @@ These options only affect PPK version 3. \dt Key derivation function \dd The variant of the \i{Argon2} key derivation function to use. -You might change this if you consider your exposure to side-channel -attacks to be different to the norm. +You might change this if you consider your exposure to \i{side-channel +attacks} to be different to the norm. \dt Memory to use for passphrase hash
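Review bot: typo in the first added line of the first hunk (doc/pubkey.but @@ -177,6 +177,13 @@): "There in one way in which" should read "There is one way in which". The closing sentence of the same paragraph also mixes singular and plural: "the \q{proven primes} methods are not" should be "the \q{proven primes} method is not", matching "its probable-primes method" earlier in the paragraph and the singular "method" used in the sentence that follows the hunk.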
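Review bot: the second hunk (doc/pubkey.but @@ -389,8 +396,8 @@) only wraps the existing phrase "side-channel attacks" in \i{...} index markup, so the index entry introduced by the first hunk also points at the Argon2 key-derivation option; the commit message only mentions the probable-primes note, so consider adding a line to it such as "Also index the existing side-channel mention under the PPK version 3 options" so the log explains the second change.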