Putty SSH vulnerable to private key exposure

Tyler Coatsworth

CVE-2024-31497

CVE-2024-31497 affects PuTTY versions 0.68 through 0.80 and is fixed in 0.81. It is a flaw in the generation of ECDSA (Elliptic Curve Digital Signature Algorithm) nonces that bites only on the NIST P-521 curve. The issue is critical because the per-signature secret value that PuTTY derives when signing with a P-521 private key looks random but is not: part of it is the same every time. Anyone who can collect enough signatures made with such a key can analyze that bias and reconstruct the SSH private key, so every P-521 key that has ever signed with an affected version must be treated as compromised.

Why did this happen?

PuTTY adopted a deterministic nonce scheme in 2001, long before the IETF standardised one in RFC 6979, because Windows at the time had no reliable source of random numbers. Rather than drawing the per-signature secret (the nonce, usually called k) from a random number generator, PuTTY computed a secure hash over the private key and the message to be signed and used the result as k. Since the output of a good hash is indistinguishable from random data to anyone who does not know the private key, this was a clever workaround, and it is essentially the approach RFC 6979 later standardised.

Technical details

PuTTY computed a SHA-512 hash and reduced the 512-bit result modulo q, the order of the group used by the signature scheme. For DSA, q is 160 bits, so the reduction wraps the hash many times over and the result is close to uniformly distributed. For ECDSA, q is roughly the size of the curve: 256, 384, and 521 bits for the standard NIST curves. Reducing a 512-bit hash modulo a 256-bit or 384-bit q is likewise fine. P-521 is the exception: its q is 521 bits, larger than the hash, so reducing a 512-bit number modulo q leaves it unchanged. The nonce is therefore always smaller than 2^512, which means the top 9 of the 521 bits it should fill are always zero. That is the weakness: a nonce whose high bits never vary leaks information about the private key with every signature, and known lattice techniques can piece the key back together from a few dozen (around 60) signed messages.
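The bias described above, shown as an added example rather than PuTTY's own code: a model of the legacy derivation (one SHA-512 over the private key and the message hash, reduced mod q) run against the three NIST curve orders, beside an illustrative repair that expands the hash to more than q's width before reducing. The key, the messages, and the exact byte layout fed to the hash are constructed for the demonstration; PuTTY's actual fix in 0.81 is RFC 6979, not the expansion shown here.

```python
import hashlib

# Group orders of the NIST prime curves (public curve parameters from FIPS 186-4).
CURVE_ORDERS = {
    "P-256": int("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16),
    "P-384": int("ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf"
                 "581a0db248b0a77aecec196accc52973", 16),
    "P-521": int("1ff" + "ffffffff" * 7 +
                 "fffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47ae"
                 "bb6fb71e91386409", 16),
}


def legacy_nonce(priv: int, msg: bytes, q: int) -> int:
    """Model of the pre-0.81 scheme described in the text: a single SHA-512 over
    (private key || message hash), reduced mod the group order q. The byte layout
    is an assumption made for this demo, not a copy of PuTTY's source."""
    qlen_bytes = (q.bit_length() + 7) // 8
    digest = hashlib.sha512(priv.to_bytes(qlen_bytes, "big")
                            + hashlib.sha512(msg).digest()).digest()
    # For P-521 the 512-bit digest is already smaller than q, so this is a no-op.
    return int.from_bytes(digest, "big") % q


def expanded_nonce(priv: int, msg: bytes, q: int) -> int:
    """Illustrative repair (not PuTTY's real fix, which adopts RFC 6979): derive at
    least bit_length(q) + 64 hash bits before reducing, so the reduction always
    wraps and the statistical bias toward small values is at most about 2^-64."""
    qlen_bytes = (q.bit_length() + 7) // 8
    seed = priv.to_bytes(qlen_bytes, "big") + hashlib.sha512(msg).digest()
    need = (q.bit_length() + 64 + 7) // 8
    out, counter = b"", 0
    while len(out) < need:
        out += hashlib.sha512(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out[:need], "big") % q


def nonce_survey(curve: str, derive, count: int = 64) -> dict:
    """Derive `count` nonces for one constructed key over distinct messages and
    report whether the top 9 bits of the nonce are zero in every sample."""
    q = CURVE_ORDERS[curve]
    qlen = q.bit_length()
    # Constructed demo private key: hash a label, reduce into [0, q).
    priv = int.from_bytes(hashlib.sha512(b"constructed demo key for " + curve.encode()).digest(),
                          "big") % q
    nonces = [derive(priv, f"constructed message {i}".encode(), q) for i in range(count)]
    return {
        "curve": curve,
        "qlen": qlen,
        "top9_always_zero": all(k >> (qlen - 9) == 0 for k in nonces),
        "max_bit_length": max(k.bit_length() for k in nonces),
    }


if __name__ == "__main__":
    for name in CURVE_ORDERS:
        print("legacy  ", nonce_survey(name, legacy_nonce))
    print("expanded", nonce_survey("P-521", expanded_nonce))
```

Running it shows the legacy derivation filling the full width of q for P-256 and P-384 but never exceeding 512 bits for P-521 (so `top9_always_zero` is true only there), while the expanded derivation spreads P-521 nonces across all 521 bits. The nine bits that never vary are exactly the partial nonce knowledge a lattice attack consumes.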

How does it work--in layman's terms?

Imagine having a key that not only unlocks your front door but also grants access to other secure areas, such as your office or personal vault. Now suppose two sharp-eyed researchers, Fabian Bäumer and Marcus Brinkmann, discover a design flaw in how this key is made. That flaw is tracked as CVE-2024-31497.

Here's where it gets worrying: if someone collects a few dozen messages you've previously sealed with this key (an SSH server sees one such seal every time you log in, and signed git commits are another source), together with the key's blueprint (your public key, which you hand out freely), they can craft a working copy. With this counterfeit key they can masquerade as you and enter every secured area you can, completely undetected.

Solution: Revoke and replace all affected keys

The immediate solution? Discard the compromised key. Remove its public half from every system it was registered with, such as authorized_keys files on servers and the SSH keys page of any git hosting service, then generate a new key of a type that is not vulnerable. Upgrading PuTTY alone does not help here: signatures made before the upgrade have already leaked the bits the attack needs.

Thankfully, this issue affects only one key type: 521-bit ECDSA keys (ecdsa-sha2-nistp521). RSA, Ed25519, and 256- or 384-bit ECDSA keys are not affected. What matters is which software produced the signatures, not where the key was generated: a P-521 key used for signing with PuTTY, Pageant, or tools that bundle them, such as FileZilla, WinSCP, TortoiseGit, and TortoiseSVN, is exposed, while the same key used only with OpenSSH is not. If you hold such a key, act promptly to keep intruders out.

Then make sure you have updated to PuTTY 0.81 or later (and to the fixed releases of any software that bundles it) before using your newly generated keys.
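A server-side inventory check for the revocation step above, added here as an example and not part of the original post or of PuTTY: it parses authorized_keys lines, decodes each public-key blob, and flags entries whose embedded key type is ecdsa-sha2-nistp521, including entries that sit behind an options prefix such as command="...". The sample file is constructed with dummy key material so the script runs offline; the builder `fake_blob` and the sample are assumptions for the demo.

```python
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
VULNERABLE_TYPE = "ecdsa-sha2-nistp521"


def ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes, count: int) -> list:
    """Read `count` length-prefixed strings from the start of a public-key blob."""
    out, off = [], 0
    for _ in range(count):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        out.append(blob[off:off + n])
        off += n
    return out


def key_type_of_line(line: str):
    """Return (declared type, type inside the blob, curve name or None) for one
    authorized_keys line, or None for blank, comment, or undecodable lines.
    Options before the key type are skipped by locating the first token that
    looks like a key type; the blob is the token right after it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            inner = parse_ssh_strings(blob, 1)[0].decode()
            curve = None
            if inner.startswith("ecdsa-sha2-"):
                # ECDSA blobs carry the curve identifier as their second string.
                curve = parse_ssh_strings(blob, 2)[1].decode()
            return (tok, inner, curve)
    return None


def find_p521_keys(authorized_keys_text: str) -> list:
    """1-based line numbers of entries whose blob says ecdsa-sha2-nistp521/nistp521.
    The blob, not the declared type column, is authoritative."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), start=1):
        parsed = key_type_of_line(line)
        if parsed and parsed[1] == VULNERABLE_TYPE and parsed[2] == "nistp521":
            hits.append(lineno)
    return hits


def fake_blob(key_type: str, curve, payload_len: int) -> str:
    """Constructed blob with a dummy point/key payload, so the sample below parses
    like a real authorized_keys entry without embedding any real key material."""
    body = ssh_string(key_type.encode())
    if curve:
        body += ssh_string(curve.encode())
    body += ssh_string(b"\x04" + b"\x11" * payload_len)
    return base64.b64encode(body).decode()


# Constructed sample authorized_keys: a P-521 key, a P-256 key, an Ed25519 key,
# and a P-521 key behind a forced-command options prefix.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for deploy user (constructed sample)",
    f"ecdsa-sha2-nistp521 {fake_blob('ecdsa-sha2-nistp521', 'nistp521', 132)} laptop",
    f"ecdsa-sha2-nistp256 {fake_blob('ecdsa-sha2-nistp256', 'nistp256', 64)} ci",
    f"ssh-ed25519 {fake_blob('ssh-ed25519', None, 31)} hardware-token",
    'command="/usr/bin/backup",no-pty ecdsa-sha2-nistp521 '
    f"{fake_blob('ecdsa-sha2-nistp521', 'nistp521', 132)} backup",
])

if __name__ == "__main__":
    print("P-521 entries on lines:", find_p521_keys(SAMPLE_AUTHORIZED_KEYS))
```

Point `find_p521_keys` at the contents of each real authorized_keys file (and at the key lists exported from git hosting services); every hit is a key to remove and replace, since the check cannot tell whether that key ever signed with PuTTY. On the client side, PuTTY's .ppk files name the algorithm on their first line, so the ones reading ecdsa-sha2-nistp521 are the ones to regenerate.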