CVE-2024-31497
The vulnerability found in PuTTY, spanning versions 0.68 to 0.80 prior to the update in 0.81, involves a critical flaw in the generation of ECDSA (Elliptic Curve Digital Signature Algorithm) nonces, particularly affecting the NIST P-521 elliptic curve. This issue is deemed critical because the mechanism used to generate signatures from ECDSA private keys on the NIST P521 curve relies on data that appears random but isn’t truly so. Over time, this "random" data can be collected and analyzed to reconstruct an SSH private key, posing a significant security threat to all affected versions.
Why did this happen?
Putty implemented a pseudo random number generator before there existed a standard issued by Microsoft themselves. This method consisted of using a cryptographic nonce (sometimes called k) with a deterministic method, this avoided the need for random numbers at all (since there was no standard for it). At the time it was a clever workaround that computed a secure hash with the input data of the message to be signed and also the private key. This secure hash was designed to be indistinguishable from random data.
Technical details
Putty used a SHA-512 hash, and then reduced it to modulus q where q was the order of the group used in the Digital Signature Algorithm system. This q was around 160 bits. For the elliptic-curve Digital Signature Algorithm q is larger or equal to the size of the curve modulus--256, 384, and 521 bits for standard NIST curves. When q is smaller than the hash, i.e. trimmed down, it is not usually a problem for randomness. However, in the case of P521 where q is 521 bits, reducing a 512-bit number by 521 bits means the number remains largely unchanged because q is actually bigger. This results in the top 9 bits of the reduced number to always be zero because the original 512 bit doesn't fill the 521 bits completely. This is where the security weakness lies, since those bits do not vary as they ideally should--allowing for the piecing together of a private key from just a few dozen signed messages.
How does it work--in layman's terms?
Imagine you have a key that not only unlocks your front door but also gives you access to various secure areas like your office or your personal vault. Now, let's say there's a design flaw in this key that's been discovered by two sharp-eyed researchers, Fabian Bäumer and Marcus Brinkmann. They have named this flaw CVE-2024-31497.
Here's where it gets worrying: if someone gets their hands on a few messages you've previously sealed with this key, along with the key’s blueprint (think of it as the public profile of your key), they can craft a copy. With this counterfeit key, they can masquerade as you, gaining access to all the secured areas as if they were you, completely undetected.
Solution: Revoke all old public keys
The immediate solution? You need to discard this compromised key. This means wiping it from any system it was used on—like digital lockboxes or databases. Then, create a brand-new key, one without this vulnerability.
Thankfully, this issue only affects a specific type of key typically used with certain software like PuTTY and Pageant. So, if you're using this type of key, it's crucial to act swiftly to ensure your digital world remains locked tight against intruders.
Then ensure you've updated to the latest version of Putty before using your newly generated keys.