mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 17:38:00 +00:00
08d17140a0
This removes both uses of SHA-1 in the file format: it was used as the MAC protecting the key file against tamperproofing, and also used in the key derivation step that converted the user's passphrase to cipher and MAC keys. The MAC is simply upgraded from HMAC-SHA-1 to HMAC-SHA-256; it is otherwise unchanged in how it's applied (in particular, to what data). The key derivation is totally reworked, to be based on Argon2, which I've just added to the code base. This should make stolen encrypted key files more resistant to brute-force attack. Argon2 has assorted configurable parameters for memory and CPU usage; the new key format includes all those parameters. So there's no reason we can't have them under user control, if a user wants to be particularly vigorous or particularly lightweight with their own key files. They could even switch to one of the other flavours of Argon2, if they thought side channels were an especially large or small risk in their particular environment. In this commit I haven't added any UI for controlling that kind of thing, but the PPK loading function is all set up to cope, so that can all be added in a future commit without having to change the file format. While I'm at it, I've also switched the CBC encryption to using a random IV (or rather, one derived from the passphrase along with the cipher and MAC keys). That's more like normal SSH-2 practice. |
||
|---|---|---|
| .. | ||
| sclog | ||
| agenttest.py | ||
| agenttestdata.py | ||
| agenttestgen.py | ||
| colours.txt | ||
| cryptsuite.py | ||
| desref.py | ||
| display.txt | ||
| eccref.py | ||
| lattrs.txt | ||
| mpu-check.pl | ||
| numbertheory.py | ||
| primegen.py | ||
| scocols.txt | ||
| ssh.py | ||
| testcrypt.py | ||
| utf8.txt | ||
| vt100.txt | ||
| windowchange.py | ||