Home
|
FAQ
|
Feedback
|
Licence
|
Updates
|
Mirrors
|
Keys
|
Links
|
Team
Download:
Stable
·
Snapshot
|
Docs
|
Privacy
|
Changes
|
Wishlist
weakdh.org points out that 1024-bit Diffie-Hellman groups are susceptible to precomputation by a well-resourced attacker.
The fixed 1024-bit Oakley Group 2 used in the diffie-hellman-group1-sha1 SSH key exchange method is also used by other protocols, so looks like an attractive target.
By default, PuTTY now warns if the diffie-hellman-group1-sha1 key exchange method is negotiated. Existing saved sessions which match PuTTY's old defaults will be changed accordingly (except for a corner case where a session was saved with an unreleased development snapshot between the points where we added ECDH and made this change, a period of about 18 months). Non-default settings will be left alone, on the assumption that the user knows what they're doing.
The other fixed group, the 2048-bit one used in diffie-hellman-group14-sha1, is still allowed (although you can configure it not to be). PuTTY's default is to prefer ECDH (Elliptic-Curve Diffie-Hellman) or DH group exchange above any fixed groups, if the server claims to support them.
If the server chooses Oakley Group 2 during group exchange (as the weakdh.org paper claims is quite common), PuTTY does not complain. (This exchange is protected by the host key, so an active attacker shouldn't be able to substitute the prime of their choice.)