PuTTY semi-bug deprecate-dh-group1

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Pre-release · Snapshot | Docs | Changes | Wishlist

summary: Deprecate key exchange method diffie-hellman-group1-sha1
class: semi-bug: This might or might not be a bug, depending on your precise definition of what a bug is.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
fixed-in: 34add87ad249205d4ed36381bfb506a431dc0e7a 2016-04-11 (0.68)

weakdh.org points out that 1024-bit Diffie-Hellman groups are susceptible to precomputation by a well-resourced attacker.

The fixed 1024-bit Oakley Group 2 used in the diffie-hellman-group1-sha1 SSH key exchange method is also used by other protocols, so looks like an attractive target.

By default, PuTTY now warns if the diffie-hellman-group1-sha1 key exchange method is negotiated. Existing saved sessions which match PuTTY's old defaults will be changed accordingly (except for a corner case where a session was saved with an unreleased development snapshot between the points where we added ECDH and made this change, a period of about 18 months). Non-default settings will be left alone, on the assumption that the user knows what they're doing.

The other fixed group, the 2048-bit one used in diffie-hellman-group14-sha1, is still allowed (although you can configure it not to be). PuTTY's default is to prefer ECDH (Elliptic-Curve Diffie-Hellman) or DH group exchange above any fixed groups, if the server claims to support them.

If the server chooses Oakley Group 2 during group exchange (as the weakdh.org paper claims is quite common), PuTTY does not complain. (This exchange is protected by the host key, so an active attacker shouldn't be able to substitute the prime of their choice.)


If you want to comment on this web site, see the Feedback page.
Audit trail for this semi-bug.
(last revision of this bug record was at 2017-02-16 00:27:35 +0000)