Topic review

jpantera

Follow-up detail on ECDSA Details

Thank you Martin,

What specifically is an "ECDSA" type key? When I state we use RSA-type SSH keys, that is the option we choose in PuTTYgen when we create the public and private key pair. Is there an alternative option called "ECDSA" (I will review in the morning), or is this some crypto library or something we'd have to add or specifically remove when we create the keys with PuTTYgen?

Also we always add a passphrase to our keys. Were we to have a key that had ECDSA type, and it had a passphrase, would the passphrase save us from this hack, or does the issue circumvent the use of the passphrase?

Thanks again,
Joe P.
martin

Re: PuTTY issue fixed in version 6.3.3, documentation states issue in WinSCP versions 5.9.5 – 6.3.2

That information is actually inaccurate. The problem is present in WinSCP (and bundled PuTTYgen) since 5.8.1 (in other words, any version of WinSCP before 6.3.3 that already supports ECDSA keys):
See Issue 2285 – NIST P521 private keys are exposed by biased signature generation
Though if you are only using RSA keys, you are not affected. The problem is only with specific types of ECDSA keys.
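Since only one key algorithm is in scope, the practical follow-up is to inventory which algorithm each existing key uses. The script below is an added example, not code from this thread, WinSCP or PuTTY: it reads the algorithm name from the cleartext header of a PuTTY .ppk file and from an OpenSSH public-key line (cross-checking the name embedded in the base64 blob), and flags only the NIST P-521 ECDSA type named in Issue 2285. The sample keys are constructed placeholders, not real key material.

```python
import base64
import struct
from typing import Optional

# Only this algorithm is named in the thread (Issue 2285, NIST P-521).
AFFECTED_ALGO = "ecdsa-sha2-nistp521"

def _fake_blob(algo: str) -> str:
    """Constructed blob: genuine SSH-string algorithm prefix, placeholder body."""
    name = algo.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + b"\0\0\0\0").decode()

def algo_from_openssh_line(line: str) -> Optional[str]:
    """Algorithm of an authorized_keys-style line, verified against the blob."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    inner = blob[4:4 + n].decode("ascii", errors="replace")
    # Leading word and in-blob name must agree; otherwise trust neither.
    return inner if inner == parts[0] else None

def algo_from_ppk(text: str) -> Optional[str]:
    """Algorithm from the 'PuTTY-User-Key-File-N: <algo>' header of a .ppk."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if not first.startswith("PuTTY-User-Key-File-"):
        return None
    return first.partition(":")[2].strip() or None

def is_affected(algo: Optional[str]) -> bool:
    return algo == AFFECTED_ALGO

# Constructed samples (not real keys). The .ppk header is cleartext even when
# the key is passphrase-protected, so the check needs no passphrase.
SAMPLE_OPENSSH = [
    "ssh-rsa " + _fake_blob("ssh-rsa") + " joe@example",
    "ecdsa-sha2-nistp521 " + _fake_blob("ecdsa-sha2-nistp521") + " joe@example",
    "ecdsa-sha2-nistp256 " + _fake_blob("ecdsa-sha2-nistp256") + " joe@example",
]
SAMPLE_PPK = "PuTTY-User-Key-File-2: ecdsa-sha2-nistp521\nEncryption: aes256-cbc\nComment: joe\n"
```

Run `algo_from_ppk` over the first line of each .ppk (or `algo_from_openssh_line` over exported public keys) and only keys returning `ecdsa-sha2-nistp521` fall into the affected class; RSA and other ECDSA curves report as unaffected.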
jpantera

PuTTY issue fixed in version 6.3.3, documentation states issue in WinSCP versions 5.9.5 – 6.3.2

Hello Martin & WinSCP Support,
We were contacted by our security resources about this bug found specifically in PuTTY, but also affected is WinSCP:
https://bugzilla.redhat.com/show_bug.cgi?id=2275183

### Affected Products

- PuTTY 0.68 - 0.80

The following (not necessarily complete) list of products bundle an
affected PuTTY version and are therefore vulnerable as well:

- FileZilla 3.24.1 - 3.66.5
- WinSCP 5.9.5 - 6.3.2
- TortoiseGit 2.4.0.2 - 2.15.0
- TortoiseSVN 1.10.0 - 1.14.6

We actually have a system where we've created SSH keys with PuTTY, that is version 5.9.4 (WinSCP), so it's outside of the affected range 5.9.5 – 6.3.2.

For SSH keys (I believe we always use RSA type, and always with a passphrase attached), do we have any concern if they were created with WinSCP version 5.9.4?

Thank you,
Joe P.