PuTTY wish rsa-gen-side-channels

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: RSA key generation with side-channel safety (probabilistic only)
class: wish: This is a request for an enhancement.
fixed-in: 6520574e584351f6c3af1fabcb6951db8ea98066 (0.77)

In side-channels, we rewrote most of the PuTTY cryptography code to eliminate timing and cache side channels (as far as our own test suite can determine). This rewrite covered all the crypto that PuTTY itself performs during a network connection (with the exception of the Blowfish and Arcfour ciphers, which are both below our current security-warning threshold).

However, it did not cover PuTTYgen's key generation code in full – partly because we didn't know how, and also because it seemed less critical given that key generation is done offline and can't be timed by the other party in a network connection.

Key-pair generation for discrete-log public-key systems (i.e. any of the DSA family, integer or elliptic-curve) became side-channel safe automatically when we rewrote the underlying primitives, because in those cryptosystems, the private key is a random integer and the public key is derived from it by an exponentiation. And both the operations of inventing a random integer and exponentiation are covered by the previous rewrite.

But RSA key generation is based on inventing primes and keeping them secret, and at the time, we were not aware of any technique for doing that in a way that kept the primes secret even from side-channel attacks on the same machine.

(Integer DSA also requires inventing primes, but in DSA, the primes are not secret: they're published as part of the public key, and it's even safe to reuse them between different people's public keys.)

This is now fixed: if you're using PuTTYgen's default probabilistic prime generation, then even if hostile code on the same machine can somehow collect timing traces from PuTTYgen or examine its effects on the cache, those traces should not reveal the prime factors of the RSA key.

This does not affect the non-default provable prime generation, however. RSA key generation with the provable-prime option will still have variable timing depending on the primes chosen. We still don't know of a reliable way to make that safe.

If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2021-12-29 16:30:25 +0000)