Differences

This shows you the differences between the selected revisions of the page.

2021-12-06 2022-06-09
no need to refer to ssh versions (martin) 5.20.4 putty tools 0.77: PuTTYgen command-line configuration + prime method comment (martin)
Line 50: Line 50:
  * For EdDSA, the only valid sizes are 255 bits (these keys are also known as Ed25519 and are commonly used) and 448 bits (Ed448, which is much less common at the time of writing). (256 is also accepted for backward compatibility, but the effect is the same as 255.)   * For EdDSA, the only valid sizes are 255 bits (these keys are also known as Ed25519 and are commonly used) and 448 bits (Ed448, which is much less common at the time of writing). (256 is also accepted for backward compatibility, but the effect is the same as 255.)
-===== Selecting the Prime Generation Method =====+===== [[method]] Selecting the Prime Generation Method =====
On the //Key// menu, you can also optionally change the method for generating the prime numbers used in the generated key. This is used for RSA and DSA keys only. (The other key types don't require generating prime numbers at all.) On the //Key// menu, you can also optionally change the method for generating the prime numbers used in the generated key. This is used for RSA and DSA keys only. (The other key types don't require generating prime numbers at all.)
Line 69: Line 69:
The other methods cause PuTTYgen to use numbers that it is sure are prime, because it generates the output number together with a proof of its primality. This takes more effort, but it eliminates that theoretical risk in the probabilistic method. The other methods cause PuTTYgen to use numbers that it is sure are prime, because it generates the output number together with a proof of its primality. This takes more effort, but it eliminates that theoretical risk in the probabilistic method.
 +
 +There in one way in which PuTTYgen's proven primes method is not strictly better than its probable primes method. If you use PuTTYgen to generate an RSA key on a computer that is potentially susceptible to timing- or cache-based side-channel attacks, such as a shared computer, the probable primes method is designed to resist such attacks, whereas the proven primes methods are not. (This is only a concern for RSA keys; for other key types, primes are either not secret or not involved.)
You might choose to switch from probable to proven primes if you have a local security standard that demands it, or if you don't trust the probabilistic argument for the safety of the usual method. You might choose to switch from probable to proven primes if you have a local security standard that demands it, or if you don't trust the probabilistic argument for the safety of the usual method.
-For RSA keys, there's also an option on the //Key// menu to use 'strong' primes as the prime factors of the public key. A 'strong' prime is a prime number chosen to have a particular structure that makes certain factoring algorithms more difficult to apply, so some security standards recommend their use. However, the most modern factoring algorithms are unaffected, so this option is probably not worth turning on unless you have a local standard that recommends it.+For RSA keys, there's also an option on the //Key// menu to use '==strong==' primes as the prime factors of the public key. A 'strong' prime is a prime number chosen to have a particular structure that makes certain factoring algorithms more difficult to apply, so some security standards recommend their use. However, the most modern factoring algorithms are unaffected, so this option is probably not worth turning on unless you have a local standard that recommends it.
===== [[generate]] The Generate Button ===== ===== [[generate]] The Generate Button =====
Line 191: Line 193:
You can also use WinSCP ''[[commandline#keygen|/keygen]]'' command-line switch to convert the private key from other formats. You can also use WinSCP ''[[commandline#keygen|/keygen]]'' command-line switch to convert the private key from other formats.
 +
 +===== PuTTYgen Command-line Configuration =====
 +
 +PuTTYgen supports a set of command-line options to configure many of the same settings you can select in the GUI. This allows you to start it up with your own preferences ready-selected, which might be useful if you generate a lot of keys. (For example, you could make a Windows
 +shortcut that runs PuTTYgen with some command line options, or a batch file or Powershell script that you could distribute to a whole organisation containing your local standards.)
 +
 +//Note that WinSCP has ''[[commandline#keygen|/keygen]]'' command-line switch that can be used to convert the private keys automatically.//
 +
 +The options supported on the PuTTYgen command line are:
 +
 +| ''-t <keytype>'' | [[#type|Type of key]] to generate. You can select ''rsa'', ''dsa'', ''ecdsa'' or ''eddsa''. |
 +| ''-b <bits>'' | [[#size|Size of the key]] to generate, in bits. |
 +| ''%%--primes <method>%%'' | [[#method|Method for generating prime numbers]]. You can select ''probable'', ''proven'', and ''proven-even''. |
 +| ''%%--strong-rsa%%'' | When generating an RSA key, make sure the prime factors of the key modulus are [[#strong|strong primes]]. |
 +| ''%%--ppk-param%% <key>=<value>'' | Allows setting [[#save_params|details of the PPK save file format]]. \\ Aspects to change are specified as a series of ''%%<key>=<value>%%'' pairs separated by commas. The keys are: \\ ''version'' – The PPK format version: either ''3'' or ''2''. \\ ''kdf'' – The variant of Argon2 to use: ''argon2id'', ''argon2i'', and ''argon2d''. \\ ''memory'' – The amount of memory needed to decrypt the key, in Kbyte. \\ ''time'' – Specifies how much time is required to attempt decrypting the key, in milliseconds. \\ ''passes'' – Alternative to ''time'': specifies the number of hash passes required to attempt decrypting the key. \\ ''parallelism'' – Number of parallelisable threads that can be used to decrypt the key. |
 +| ''-E <fptype>'' | Algorithm to use when [[#fingerprint|displaying key fingerprints]]. You can select ''sha256'' or ''md5''. |
 +

Last modified: by martin