1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00
putty-source/ssh
Simon Tatham cd60a602f5 Stop using short exponents for Diffie-Hellman.
I recently encountered a paper [1] which catalogues all kinds of
things that can go wrong when one party in a discrete-log system
invents a prime and the other party chooses an exponent. In
particular, some choices of prime make it reasonable to use a short
exponent to save time, but others make that strategy very bad.

That paper is about the ElGamal encryption scheme used in OpenPGP,
which is basically integer Diffie-Hellman with one side's key being
persistent: a shared-secret integer is derived exactly as in DH, and
then it's used to communicate a message integer by simply multiplying
the shared secret by the message, mod p.

I don't _know_ that any problem of this kind arises in the SSH usage
of Diffie-Hellman: the standard integer DH groups in SSH are safe
primes, and as far as I know, the usual generation of prime moduli for
DH group exchange also picks safe primes. So the short exponents PuTTY
has been using _should_ be OK.

However, the range of imaginative other possibilities shown in that
paper make me nervous, even so! So I think I'm going to retire the
short exponent strategy, on general principles of overcaution.

This slows down 4096-bit integer DH by about a factor of 3-4 (which
would be worse if it weren't for the modpow speedup in the previous
commit). I think that's OK, because, firstly, computers are a lot
faster these days than when I originally chose to use short exponents,
and secondly, more and more implementations are now switching to
elliptic-curve DH, which is unaffected by this change (and with which
we've always been using maximum-length exponents).

[1] On the (in)security of ElGamal in OpenPGP. Luca De Feo, Bertram
Poettering, Alessandro Sorniotti. https://eprint.iacr.org/2021/923
2021-11-28 12:19:34 +00:00
..
agentf.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
bpp1.c New Seat callback, seat_sent(). 2021-06-27 13:52:48 +01:00
bpp2.c New Seat callback, seat_sent(). 2021-06-27 13:52:48 +01:00
bpp-bare.c New Seat callback, seat_sent(). 2021-06-27 13:52:48 +01:00
bpp.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
censor1.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
censor2.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
channel.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
CMakeLists.txt Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
common.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
connection1-client.c New Seat query, has_mixed_input_stream(). 2021-11-06 14:48:26 +00:00
connection1-server.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
connection1.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
connection1.h Localise user_input to SSH connection layers. 2021-09-14 14:05:13 +01:00
connection2-client.c New Seat query, has_mixed_input_stream(). 2021-11-06 14:48:26 +00:00
connection2-server.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
connection2.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
connection2.h Localise user_input to SSH connection layers. 2021-09-14 14:05:13 +01:00
crc-attack-detector.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
gss.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
gssc.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
gssc.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
kex2-client.c Stop using short exponents for Diffie-Hellman. 2021-11-28 12:19:34 +00:00
kex2-server.c Stop using short exponents for Diffie-Hellman. 2021-11-28 12:19:34 +00:00
login1-server.c Localise user_input to SSH connection layers. 2021-09-14 14:05:13 +01:00
login1.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
mainchan.c Localise user_input to SSH connection layers. 2021-09-14 14:05:13 +01:00
nogss.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
nosharing.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
pgssapi.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
pgssapi.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
portfwd.c Pull out SOCKS protocol constants into a header. 2021-11-19 15:09:17 +00:00
ppl.h Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
scpserver.c Generalise strbuf_catf() into put_fmt(). 2021-11-19 11:32:47 +00:00
server.c New Seat query, has_mixed_input_stream(). 2021-11-06 14:48:26 +00:00
server.h Uppity: add command-line options to configure auth methods. 2021-09-28 18:09:36 +01:00
sesschan.c New Seat query, has_mixed_input_stream(). 2021-11-06 14:48:26 +00:00
sftp.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
sftp.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
sftpcommon.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
sftpserver.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
sharing.c New API for plug_closing() with a custom type enum. 2021-11-06 14:48:26 +00:00
signal-list.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
ssh.c New plug_closing error type for 'user abort'. 2021-11-06 14:48:26 +00:00
transient-hostkey-cache.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
transport2.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
transport2.h Spelling: standardise on "DSA", not "DSS". 2021-04-22 18:34:47 +01:00
ttymode-list.h Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00
userauth2-client.c Framework for announcing which Interactor is talking. 2021-10-30 18:20:33 +01:00
userauth2-server.c Uppity: add stunt options for trivial authentication. 2021-06-19 21:34:56 +01:00
verstring.c Bug workaround to delay sending our SSH greeting. 2021-08-14 11:46:21 +01:00
x11fwd.c New API for plug_closing() with a custom type enum. 2021-11-06 14:48:26 +00:00
zlib.c Move the SSH implementation into its own subdirectory. 2021-04-22 18:09:13 +01:00