From dc9ab5e0f0c52f7f41960c807ae73a4e857a3df4 Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Fri, 21 Oct 2022 17:46:38 +0100 Subject: [PATCH 1/5] Rename NTRU Prime / Curve25519 kex in UI. The previous name, which included '(quantum-resistant)', was too long to be completely seen in the Windows config dialog's kex list (which is narrower than the Gtk one, due to the Up/Down buttons). No point including that explanation if people can't actually read it, so we'll have to rely on docs to explain it. (I did try squashing the rest of the name to "SNTRUP/X25519 hybrid", but that wasn't enough.) As some sort of compensation, index it more thoroughly in the docs, and while I'm there, tweak the indexing of other key exchange algorithms too. --- config.c | 3 +-- doc/config.but | 16 ++++++++-------- doc/index.but | 10 ++++++++++ 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/config.c b/config.c index 3885c7be..8cdeee24 100644 --- a/config.c +++ b/config.c @@ -569,8 +569,7 @@ static void kexlist_handler(dlgcontrol *ctrl, dlgparam *dlg, { "Diffie-Hellman group exchange", KEX_DHGEX }, { "RSA-based key exchange", KEX_RSA }, { "ECDH key exchange", KEX_ECDH }, - { "NTRU Prime / Curve25519 hybrid kex" - " (quantum-resistant)", KEX_NTRU_HYBRID }, + { "NTRU Prime / Curve25519 hybrid kex", KEX_NTRU_HYBRID }, { "-- warn below here --", KEX_WARN } }; diff --git a/doc/config.but b/doc/config.but index 32973ed7..21ff0bb5 100644 --- a/doc/config.but +++ b/doc/config.but 
@@ -2347,17 +2347,17 @@ cipher selection (see \k{config-ssh-encryption}). PuTTY currently supports the following key exchange methods: -\b \q{NTRU Prime / Curve25519 hybrid}: NTRU Prime is a lattice-based -algorithm intended to resist quantum attacks. In this key exchange -method, it is run in parallel with a conventional Curve25519-based -method (one of those included in \q{ECDH}), in such a way that it -should be no \e{less} secure than that commonly-used method, and -hopefully also resistant to a new class of attacks. +\b \q{NTRU Prime / Curve25519 hybrid}: \q{\i{Streamlined NTRU Prime}} +is a lattice-based algorithm intended to resist \i{quantum attacks}. +In this key exchange method, it is run in parallel with a conventional +Curve25519-based method (one of those included in \q{ECDH}), in such +a way that it should be no \e{less} secure than that commonly-used +method, and hopefully also resistant to a new class of attacks. -\b \q{ECDH}: \i{elliptic curve} \i{Diffie-Hellman key exchange}, +\b \q{\i{ECDH}}: elliptic curve Diffie-Hellman key exchange, with a variety of standard curves and hash algorithms. -\b The original form of \q{Diffie-Hellman} key exchange, with a +\b The original form of \i{Diffie-Hellman key exchange}, with a variety of well-known groups and hashes: \lcont{ diff --git a/doc/index.but b/doc/index.but index ac1a317d..187f5a1e 100644 --- a/doc/index.but +++ b/doc/index.but 
@@ -688,6 +688,16 @@ saved sessions from \IM{group exchange} Diffie-Hellman group exchange \IM{group exchange} group exchange, Diffie-Hellman +\IM{ECDH} \q{ECDH} (elliptic-curve Diffie-Hellman) +\IM{ECDH} elliptic-curve Diffie-Hellman key exchange +\IM{ECDH} key exchange, elliptic-curve Diffie-Hellman +\IM{ECDH} Diffie-Hellman key exchange, with elliptic curves + +\IM{Streamlined NTRU Prime} Streamlined NTRU Prime +\IM{Streamlined NTRU Prime} NTRU Prime + +\IM{quantum attacks} quantum attacks, resistance to + \IM{repeat key exchange} repeat key exchange \IM{repeat key exchange} key exchange, repeat From 1d1d81d66e3fb997d598a8cf041eec4c916ebcdc Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Fri, 21 Oct 2022 19:01:58 +0100 Subject: [PATCH 2/5] Fix regressions in Gtk host key "More info". A description like "SHA256 fingerprint:" could run into the previous public key blob; and add a missing colon. --- unix/dialog.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/unix/dialog.c b/unix/dialog.c index 0d9d9573..7e9051be 100644 --- a/unix/dialog.c +++ b/unix/dialog.c @@ -3682,6 +3682,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key( /* We have to manually wrap the public key, or else the GtkLabel * will resize itself to accommodate the longest word, which will * lead to a hilariously wide message box. */ + put_byte(moreinfo, ':'); for (const char *p = item->text, *q = p + strlen(p); p < q ;) { size_t linelen = q-p; if (linelen > 72) @@ -3690,6 +3691,7 @@ SeatPromptResult gtk_seat_confirm_ssh_host_key( put_data(moreinfo, p, linelen); p += linelen; } + put_byte(moreinfo, '\n'); break; default: break; From 8c534c26fd8a8396a5386b416a74d557667357cb Mon Sep 17 00:00:00 2001 
From: Jacob Nevins Date: Fri, 21 Oct 2022 19:43:26 +0100 Subject: [PATCH 3/5] Docs: note "wrong host key" warning is stronger. To try to prime readers learning the often-seen "unknown host key" warning to recognise the rarer and scarier "wrong host key" warning, if they see it. --- doc/gs.but | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/gs.but b/doc/gs.but index 4eff8967..8b915dbf 100644 --- a/doc/gs.but +++ b/doc/gs.but @@ -80,10 +80,10 @@ PuTTY \I{host key cache}records the host key for each server you connect to, in the Windows \i{Registry}. Every time you connect to a server, it checks that the host key presented by the server is the same host key as it was the last time you connected. If it is not, -you will see a warning, and you will have the chance to abandon your -connection before you type any private information (such as a -password) into it. (See \k{errors-hostkey-wrong} for what that looks -like.) +you will see a stronger warning, and you will have the chance to +abandon your connection before you type any private information (such +as a password) into it. (See \k{errors-hostkey-wrong} for what that +looks like.) However, when you connect to a server you have not connected to before, PuTTY has no way of telling whether the host key is the From 5716c638a5719fd3268b6fac8cfa533d8af30ee8 Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Fri, 21 Oct 2022 19:46:51 +0100 Subject: [PATCH 4/5] Docs: cross-reference host-key warning sections. The 'certified host key' variant of the host key warning always comes with a scary 'POTENTIAL SECURITY BREACH!' message. So the error message section with the scary title that should acknowledge that variant, and the section about that variant should mention the scary warning. --- doc/errors.but | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/errors.but b/doc/errors.but index cea3201c..e3db184e 100644 --- a/doc/errors.but +++ b/doc/errors.but 
@@ -39,6 +39,9 @@ the one PuTTY has cached for this server}, means that PuTTY has connected to the SSH server before, knows what its host key \e{should} be, but has found a different one. +(If the message instead talks about a \q{certified host key}, see +instead \k{errors-cert-mismatch}.) + This may mean that a malicious attacker has replaced your server with a different one, or has redirected your network connection to their own machine. On the other hand, it may simply mean that the @@ -60,7 +63,8 @@ If you've configured PuTTY to trust at least one \k{config-ssh-kex-cert}), then it will ask the SSH server to send it any available certified host keys. If the server sends back a certified key signed by a \e{different} certification authority, PuTTY -will present this variant of the host key prompt. +will present this variant of the host key prompt, preceded by +\q{WARNING - POTENTIAL SECURITY BREACH!} One reason why this can happen is a deliberate attack. Just like an ordinary man-in-the-middle attack which substitutes a wrong host key, From bb1ebc9b57f4ae5425aae2275048e65a2da2aa8a Mon Sep 17 00:00:00 2001 From: Jacob Nevins Date: Fri, 21 Oct 2022 19:57:35 +0100 Subject: [PATCH 5/5] Docs: tweak certified-host-key warning responses. Mainly to try to clarify that if you're sat at this warning dialog/ prompt, no response you make to it will cause a new CA to be trusted for signing arbitrary host keys. --- doc/errors.but | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/errors.but b/doc/errors.but index e3db184e..a35a7256 100644 --- a/doc/errors.but +++ b/doc/errors.but 
@@ -78,16 +78,17 @@ configuration, or if your CA configuration involves two overlapping domains, or something similar. So, unfortunately, you'll have to work out what to do about it -yourself: install a new CA key (if you're really sure you trust it), -or edit your configuration in some other way, or abandon the -connection. +yourself: make an exception for this specific case, or abandon this +connection and install a new CA key before trying again (if you're +really sure you trust the CA), or edit your configuration in some +other way, or just stop trying to use this server. If you're convinced that this particular server is legitimate even though the CA is not one you trust, PuTTY will let you cache the -certified host key in the same way as an uncertified one. Then that -particular certificate will be accepted on the next connection, even -though other certificates signed by the same CA will still be -rejected. +certified host key, treating it in the same way as an uncertified one. +Then that particular certificate will be accepted for future +connections to this specific server, even though other certificates +signed by the same CA will still be rejected. \H{errors-ssh-protocol} \q{SSH protocol version 2 required by our configuration but remote only provides (old, insecure) SSH-1}
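Review bot: In the doc/index.but hunk of PATCH 1/5, the new index terms cover "ECDH", "Streamlined NTRU Prime", "NTRU Prime" and "quantum attacks", but not "Curve25519" or "hybrid", which are the words a user will see in the UI label "NTRU Prime / Curve25519 hybrid kex" that the config.c hunk leaves in place. Since the commit message relies on the docs to explain what the UI name no longer says, consider adding entries such as `\IM{Streamlined NTRU Prime} Curve25519, hybrid key exchange with` and `\IM{Streamlined NTRU Prime} hybrid key exchange` so that someone searching the index for the UI wording reaches the config.but description.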
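Review bot: In the first unix/dialog.c hunk of PATCH 2/5, `put_byte(moreinfo, ':');` is emitted unconditionally before the wrapped public key, but the line that writes the preceding description is outside the visible context, so the hunk alone does not show that no other code path already appends a colon for this item type. Please include that line in the hunk context (or mention in the commit message where the description is written) so the "missing colon" claim can be checked; a doubled ":" would be as visible to users as the missing one.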
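Review bot: In the second unix/dialog.c hunk of PATCH 2/5, the added `put_byte(moreinfo, '\n');` after the wrapping loop fixes the run-on described in the commit message, but the loop body between `if (linelen > 72)` and `put_data(moreinfo, p, linelen);` is elided, so it is not visible whether the loop already writes a newline after each chunk including the last one. If it does, the new line produces a blank line before the next item rather than a single separator; if it does not, the last chunk needed this. Worth a one-line comment at the new call stating which case holds.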
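Review bot: In the doc/gs.but hunk of PATCH 3/5, "you will see a stronger warning" is a comparison with the unknown-host-key warning, but that warning is only introduced in the following paragraph ("However, when you connect to a server you have not connected to before..."), so on first reading "stronger" has no referent. Consider "a stronger warning than the one described below" or moving the comparison into the later paragraph, which already has the \k{errors-hostkey-wrong} cross-reference to lean on.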
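Review bot: In the first doc/errors.but hunk of PATCH 4/5, the added sentence uses "instead" twice: "(If the message instead talks about a \q{certified host key}, see instead \k{errors-cert-mismatch}.)". Dropping one, e.g. "(If the message talks about a \q{certified host key} instead, see \k{errors-cert-mismatch}.)", reads more cleanly and keeps the cross-reference the commit message asks for.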
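Review bot: In the doc/errors.but hunk of PATCH 5/5, the first listed response, "make an exception for this specific case", is only explained by the next paragraph (caching the certified host key so that it is accepted for this server while other certificates from the same CA are still rejected), and nothing in the list ties the two together. A short pointer such as "make an exception for this specific case (see below)" would make it clear that this is the in-dialog option, while the other three all require abandoning the connection, which is the distinction the commit message says it wants to convey.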