ui_puttygen » Revisions »
Differences
This shows you the differences between the selected revisions of the page.
| 2021-02-26 | 2021-05-20 | ||
| Restored revision 1578928085. Undoing revision 1614293910. (martin) (hidden) | 5.18.5 SSH private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.75 (Upgraded default SSH key fingerprint format to OpenSSH-style SHA-256 + PuTTYgen now supports alternative provable-prime generation algorithm for RSA and DSA) (martin) | ||
| Line 1: | Line 1: | ||
| ====== Using PuTTYgen ====== | ====== Using PuTTYgen ====== | ||
| - | PuTTYgen is a key generator. It generates pairs of [[public_key|public and private keys]] to be used with WinSCP. PuTTYgen generates RSA, DSA, ECDSA, and Ed25519 keys. | + | PuTTYgen is a key generator. It generates pairs of [[public_key|public and private keys]] to be used with WinSCP. PuTTYgen generates RSA, DSA, ECDSA, and EdDSA keys. |
| ===== Obtaining and Starting PuTTYgen ===== | ===== Obtaining and Starting PuTTYgen ===== | ||
| Line 31: | Line 31: | ||
| Before generating a key pair using PuTTYgen, you need to select which type of key you need. | Before generating a key pair using PuTTYgen, you need to select which type of key you need. | ||
| - | The current version of the SSH protocol, SSH-2, supports several different key types. PuTTYgen can generate: | + | The current version of the SSH protocol, SSH-2, supports several different key types, although specific servers may not support all of them. PuTTYgen can generate: |
| * An RSA key for use with the %%SSH-2%% protocol. | * An RSA key for use with the %%SSH-2%% protocol. | ||
| * A DSA key for use with the %%SSH-2%% protocol. | * A DSA key for use with the %%SSH-2%% protocol. | ||
| * An ECDSA (elliptic curve %%DSA%%) key for use with the %%SSH-2%% protocol. | * An ECDSA (elliptic curve %%DSA%%) key for use with the %%SSH-2%% protocol. | ||
| - | * An Ed25519 key (another elliptic curve algorithm) for use with the %%SSH-%%2 protocol. | + | * An EdDSA key (Edwards-curve DSA, another elliptic curve algorithm) for use with the %%SSH-%%2 protocol. |
| PuTTYgen can also generate an %%RSA%% key suitable for use with the old %%SSH-1%% protocol (which only supports %%RSA%%); for this, you need to select the //%%SSH-1%% (%%RSA%%)// option. Since the %%SSH-1%% protocol is no longer considered secure, it's rare to need this option. | PuTTYgen can also generate an %%RSA%% key suitable for use with the old %%SSH-1%% protocol (which only supports %%RSA%%); for this, you need to select the //%%SSH-1%% (%%RSA%%)// option. Since the %%SSH-1%% protocol is no longer considered secure, it's rare to need this option. | ||
| Line 44: | Line 44: | ||
| The //Number of bits// input box allows you to choose the strength of the key PuTTYgen will generate. | The //Number of bits// input box allows you to choose the strength of the key PuTTYgen will generate. | ||
| - | For RSA, 2048 bits should currently be sufficient for most purposes. | + | * For RSA and DSA, 2048 bits should currently be sufficient for most purposes. |
| - | For ECDSA, only 256, 384, and 521 bits are supported. (%%ECDSA%% offers equivalent security to %%RSA%% with smaller key sizes.) | + | * For ECDSA, only 256, 384, and 521 bits are supported. (%%ECDSA%% offers equivalent security to %%RSA%% with smaller key sizes.) |
| - | For Ed25519, the only valid size is 256 bits. | + | * For EdDSA, the only valid sizes are 255 bits (these keys are also known as Ed25519 and are commonly used) and 448 bits (Ed448, which is much less common at the time of writing – //This feature is available only in PuTTYgen 0.75 included in the latest beta release.//). &beta (256 is also accepted for backward compatibility, but the effect is the same as 255.) |
| + | |||
| + | ===== Selecting the prime generation method ===== | ||
| + | |||
| + | //This feature is available only in PuTTYgen 0.75 included in the latest beta release.// &beta | ||
| + | |||
| + | On the //Key// menu, you can also optionally change the method for generating the prime numbers used in the generated key. This is used for RSA and DSA keys only. (The other key types don't require generating prime numbers at all.) | ||
| + | |||
| + | The prime-generation method does not affect compatibility: a key generated with any of these methods will still work with all the same SSH servers. | ||
| + | |||
| + | If you don't care about this, it's entirely sensible to leave it on the default setting. | ||
| + | |||
| + | The available methods are: | ||
| + | |||
| + | * //Use probable primes (fast)// | ||
| + | |||
| + | * //Use proven primes (slower)// | ||
| + | |||
| + | * //Use proven primes with even distribution (slowest)// | ||
| + | |||
| + | The //probable primes// method sounds unsafe, but it's the most commonly used prime-generation strategy. There is in theory a possibility that it might accidentally generate a number that isn't prime, but the software does enough checking to make that probability vanishingly small (less than 1 in 2^80, or 1 in 10^24). So, in practice, nobody worries about it very much. | ||
| + | |||
| + | The other methods cause PuTTYgen to use numbers that it is sure are prime, because it generates the output number together with a proof of its primality. This takes more effort, but it eliminates that theoretical risk in the probabilistic method. | ||
| + | |||
| + | You might choose to switch from probable to proven primes if you have a local security standard that demands it, or if you don't trust the probabilistic argument for the safety of the usual method. | ||
| + | |||
| + | For RSA keys, there's also an option on the //Key// menu to use 'strong' primes as the prime factors of the public key. A 'strong' prime is a prime number chosen to have a particular structure that makes certain factoring algorithms more difficult to apply, so some security standards recommend their use. However, the most modern factoring algorithms are unaffected, so this option is probably not worth turning on unless you have a local standard that recommends it. | ||
| ===== [[generate]] The Generate Button ===== | ===== [[generate]] The Generate Button ===== | ||
| Line 64: | Line 90: | ||
| The //Key fingerprint// box shows you a fingerprint value for the generated key. This is derived cryptographically from the public key value, so it doesn't need to be kept secret; it is supposed to be more manageable for human beings than the public key itself. | The //Key fingerprint// box shows you a fingerprint value for the generated key. This is derived cryptographically from the public key value, so it doesn't need to be kept secret; it is supposed to be more manageable for human beings than the public key itself. | ||
| - | The fingerprint value is intended to be cryptographically secure, in the sense that it is computationally infeasible for someone to invent a second key with the same fingerprint, or to find a key with a particular fingerprint. | + | The fingerprint value is intended to be cryptographically secure, in the sense that it is computationally infeasible for someone to invent a second key with the same fingerprint, or to find a key with a particular fingerprint. So some utilities, such as the [[ui_pageant#list|Pageant key list box]] and the Unix ''ssh-add'' utility, will list key fingerprints rather than the whole public key. |
| + | |||
| + | By default, PuTTYgen will display fingerprints in the SHA-256 format. If you need to see the fingerprint in the older MD5 format (which looks like ''aa:bb:cc:...''), you can choose //Show fingerprint as MD5// from the //Key// menu, but bear in mind that this is less cryptographically secure; it may be feasible for an attacker to create a key with the same fingerprint as yours. //SHA-256 is available only in PuTTYgen 0.75 included in the latest beta release.// &beta | ||
| ===== [[comment]] Setting a Comment for Your Key ===== | ===== [[comment]] Setting a Comment for Your Key ===== | ||
| Line 95: | Line 123: | ||
| This file is in PuTTY's native format (''*.PPK''); it is the one you will need to tell WinSCP to use for [[ui_login_authentication|authentication]]. | This file is in PuTTY's native format (''*.PPK''); it is the one you will need to tell WinSCP to use for [[ui_login_authentication|authentication]]. | ||
| + | |||
| + | (You can optionally [[#save_params|change some details]] of the PPK format for your saved key files. But the defaults should be fine for most purposes.) | ||
| If you have started PuTTYgen from //[[ui_login_authentication#private_key_tools|SSH > Authentication page]]// of Advanced Site Settings dialog, WinSCP automatically detects the saved key and will insert its path it into //[[ui_login_authentication#private_key|Private key file]]// box. | If you have started PuTTYgen from //[[ui_login_authentication#private_key_tools|SSH > Authentication page]]// of Advanced Site Settings dialog, WinSCP automatically detects the saved key and will insert its path it into //[[ui_login_authentication#private_key|Private key file]]// box. | ||
| Line 117: | Line 147: | ||
| WinSCP can [[ui_login_authentication#private_key_tools|show you the public key]] too. | WinSCP can [[ui_login_authentication#private_key_tools|show you the public key]] too. | ||
| + | |||
| + | ===== [[save_params]] Parameters for saving key files ===== | ||
| + | |||
| + | //This feature is available only in PuTTYgen 0.75 included in the latest beta release.// &beta | ||
| + | |||
| + | Selecting //Parameters for saving key files// from the //Key// menu lets you adjust some aspects of PPK-format private key files stored on disk. None of these options affect compatibility with SSH servers. | ||
| + | |||
| + | In most cases, it's entirely sensible to leave all of these at their default settings. | ||
| + | |||
| + | ==== PPK file version ==== | ||
| + | |||
| + | This defaults to version 3, which is fine for most uses. | ||
| + | |||
| + | You might need to select PPK version 2 if you need your private key file to be loadable in older versions of WinSCP or PuTTY, or in other tools which do not yet support the version 3 format (which was introduced in 2021). | ||
| + | |||
| + | The version 2 format is less resistant to brute-force decryption, and doesn't support any of the following options to control that. | ||
| + | |||
| + | ==== Options affecting passphrase hashing ==== | ||
| + | |||
| + | All of the following options only affect keys saved with passphrases. They control how much work is required to decrypt the key (which happens every time you type its passphrase). This allows you to trade off the cost of legitimate use of the key against the resistance of the encrypted key to password-guessing attacks. | ||
| + | |||
| + | These options only affect PPK version 3. | ||
| + | |||
| + | * //Key derivation function//: The variant of the Argon2 key derivation function to use. You might change this if you consider your exposure to side-channel attacks to be different to the norm. | ||
| + | |||
| + | * //Memory to use for passphrase hash//: The amount of memory needed to decrypt the key, in Kbyte. | ||
| + | |||
| + | * //Time to use for passphrase hash//: Controls how much time is required to attempt decrypting the key. You can either specify an approximate time in milliseconds (on this machine), or explicitly specify a number of hash passes (which is what the time is turned into during encryption). | ||
| + | |||
| + | * //Parallelism for passphrase hash//: Number of parallelisable threads that can be used to decrypt the key. The default, 1, forces the process to run single-threaded, even on machines with multiple cores. | ||
| ===== [[reloading]] Reloading a Private Key ===== | ===== [[reloading]] Reloading a Private Key ===== | ||