Every version of PuTTY released over the past 7 years contains a critical vulnerability that allows for the recovery of certain types of secret encryption keys, specifically 521-bit ECDSA. An adversary in possession of a “few dozen signed messages” and the public key can recover the private key. I’m curious to know how widely this vulnerability is likely to be felt. I’m guessing most people have already replaced keys with only 512 bits, which I’m further guessing are already susceptible to factorization. Can anyone confirm or disabuse me of these guesses?
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
@dangoodin ECDSA isn’t the same as RSA. A 521 bit ECDSA key is significantly more secure than the largest RSA key possible. It’s also quantum proof. 521 bit ECDSA is the go to for secure keys, so this is a pretty big issue
@malwaretech @dangoodin yes on ECDSA bits not being comparable with RSA bits, but I wouldn’t say P-521 is the go-to for anything. It’s a weird slow curve that’s very rarely used. The HTTPS public roots are P-384. Also definitely not quantum resistant.
@filippo there is some small irony here in that the people most likely impacted here are the configuration ricers, I doubt many people have/had P-521 keys on the go, other than people blindly trying to hit the highest numbers possible
@benjojo ironic but not illogical. The weirder parameters are the least scrutinized and the most likely to have bugs.
Now I kinda wish we could remove P-521 from Go, to discourage its use. It’s our job to know it’s not good/useful after all.
@filippo @dangoodin @benjojo aren't github keys mostly generated outside of putty or automatically by the git client?
@malwaretech @dangoodin @benjojo I’m not a Windows user so honestly I don’t know. I was just taking it as a representative sample. Is there something in the PuTTY UI that encourages selecting “stronger” parameters?
@filippo @dangoodin @benjojo It basically just gives you a couple of radio boxes and a dropdown, then psychology usually results in "bigger = better". But my sample is only infosec professionals, no idea what regular users do.
@malwaretech @filippo @dangoodin so I pulled the github keys of 1.4k people who follow me on github, and:
$ cat keys | awk '{print $1}' | sort | uniq -c
50 ecdsa-sha2-nistp256
1 ecdsa-sha2-nistp384
8 ecdsa-sha2-nistp521
3 sk-ecdsa-sha2-nistp256@openssh.com
14 sk-ssh-ed25519@openssh.com
828 ssh-ed25519
875 ssh-rsa
P521 is used more than P384, but it's all tiny volumes compared to the actually correct option of ed25519.
I don't think P521 (or, in general ECDSA) keys are that widely used, either that or my followers are smarter or dumber than the average
@benjojo the exception being yubikeys, which do p256
@eta Sometimes :tm:, because yubikeys compatibility along the ages is a bit of a mess, so not everyone who has yubikeys can/will have the ability to use P256, but the RSA path always works
@filippo The 2015 survey had ECDSA keys as near nil levels, but that was also before you could even slightly reliably use them. I don't have the DB on hand (I'm abroad right now), but I don't remember seeing P521 being popular at all
@filippo @malwaretech @dangoodin @benjojo In our own scan we got 45k (0.28%) P-521 keys across all of GitHub and GitLab.
@lambdafu @malwaretech @dangoodin @benjojo oh hey GitLab keys are scannable too?
@lambdafu @filippo @malwaretech @dangoodin 0.44% in my spot test ( https://benjojo.co.uk/u/benjojo/h/Cf8v9Dc539ty21y9K6 ), So not that far off