Ever since PuTTY 0.52, Diffie-Hellman key exchange (of the ordinary integer kind, not elliptic-curve) has been done using an exponent of smaller size than the prime modulus. Now it's using a full-sized exponent.
This was originally done to save time, because Diffie-Hellman was more computationally expensive even than an RSA private-key operation of the same size (because in RSA you can use the Chinese remainder theorem to reduce the work).
A cryptography paper at the time gave a rationale for why it was OK to use short exponents, provided your Diffie-Hellman modulus is a safe prime (which all the standard SSH ones are, and group exchange is supposed to use safe primes as well).
However, there is of course a theoretical risk in trusting a piece of reasoning like that: it might be proved wrong by further research, or a new attack might be found against it, or a mistake in deployment might combine badly with taking that particular shortcut (e.g. suppose a misimplemented server didn't use safe primes for DH group exchange).
Now computers are significantly faster than they were in 2001, and PuTTY's arithmetic code is also more highly optimised than it was then. So I've decided it isn't worth taking that risk any more. From 0.77, PuTTY will use full-sized exponents for integer Diffie-Hellman.
This change is not classed as a vulnerability fix, because I don't know of any actual attacks against the previous strategy. It's more in the nature of "being extra cautious just in case".
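As an added illustration (this is not PuTTY's code, and the function names are mine), here is a small Python script that runs integer Diffie-Hellman over a safe prime with either a short or a full-sized private exponent, and performs the safe-prime check that the short-exponent rationale depends on, the check you would want a client to make on a server-supplied group-exchange modulus. To keep it reproducible and self-contained it generates its own safe prime at a toy 256-bit size from a fixed seed; real SSH groups are 2048 bits and up, and all the seeded randomness is for illustration only. The modulus 2^127 - 1 is used only as an example of a prime that is not a safe prime, since (p-1)/2 = 2^126 - 1 is divisible by 3.

```python
"""Integer Diffie-Hellman over a safe prime, comparing a short private
exponent with a full-sized one, plus the safe-prime check that the
short-exponent argument rests on.  Added illustration; not PuTTY's code."""
import random

# Odd primes below 2000, used to sieve candidates cheaply before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32, rng=random.Random(0)):
    """Miller-Rabin.  The seeded rng only makes the example reproducible;
    pick bases from secrets.randbelow in anything real."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime p has q = (p-1)/2 prime too, so the multiplicative group
    mod p has no subgroups other than those of order 1, 2, q and 2q."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def generate_safe_prime(bits, seed=1):
    """Toy safe-prime search at a small size so the example runs in seconds.
    Real SSH clients use the fixed RFC 3526 groups or a server-supplied one."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1  # p gets exactly `bits` bits
        p = 2 * q + 1
        if any(q % s == 0 or p % s == 0 for s in SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p):
            return p


def check_group(p, g):
    """The check a client wants before trusting a group-exchange modulus:
    refuse anything that is not a safe prime (the short-exponent rationale
    does not apply otherwise) and any generator of order 1 or 2."""
    if not is_safe_prime(p):
        raise ValueError("modulus is not a safe prime")
    if not 1 < g < p - 1:
        raise ValueError("generator has order 1 or 2")
    return True


def private_exponent(p, exponent_bits=None, rng=random):
    """exponent_bits=None gives a full-sized exponent drawn from [2, p-2],
    the strategy PuTTY adopts from 0.77.  A fixed short length relies on
    the safe-prime argument and on nobody having broken it."""
    if exponent_bits is None:
        return rng.randrange(2, p - 1)
    return rng.getrandbits(exponent_bits) | (1 << (exponent_bits - 1))


def dh_shared(p, peer_public, x):
    """Peer values 0, 1 or p-1 would pin the secret into a tiny subgroup,
    so reject them before exponentiating."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, p)


def demo(exponent_bits=None, seed=7):
    """One exchange between A and B; returns (key_a, key_b, bits in A's exponent)."""
    p, g = generate_safe_prime(256, seed=1), 2  # toy size; real groups are 2048+ bits
    check_group(p, g)
    rng = random.Random(seed)                   # seeded only for reproducibility
    x_a = private_exponent(p, exponent_bits, rng)
    x_b = private_exponent(p, exponent_bits, rng)
    y_a, y_b = pow(g, x_a, p), pow(g, x_b, p)
    return dh_shared(p, y_b, x_a), dh_shared(p, y_a, x_b), x_a.bit_length()


if __name__ == "__main__":
    print("full-sized exponent:", demo())
    print("short exponent:     ", demo(exponent_bits=128))
    try:  # 2^127-1 is prime, but (p-1)/2 = 2^126-1 is divisible by 3
        check_group(2 ** 127 - 1, 2)
    except ValueError as e:
        print("rejected non-safe group:", e)
```

Both exponent strategies produce the same shared secret; the difference is only in how much the security of that secret depends on the safe-prime assumption, which is exactly what `check_group` refuses to take on trust for a modulus such as 2^127 - 1.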