Crazy Crypto: Meet CVE-2024-31497

Straight from the School of Cook Your Own Crypto


I review a good deal of cryptography code, and most of the code I observe has some form of vulnerability in its usage, usually through sloppy implementation. For some reason, some of those who create cryptography programs struggle to understand that the methods they use are "Hazmat" (Hazardous Material), and that a single fault could bring down a whole system.

And so now we see CVE-2024-31497, which affects PuTTY 0.69 to 0.81. The vulnerability affects the NIST P-521 private key, which can be recovered from just 60 digital signatures. NIST P-521 uses the secp521r1 curve and should be one of the most secure signature methods.

ECDSA uses a nonce value (k) to create a signature. We take a hash of the message and the nonce value, and then create a signature (r,s) using the private key. The signature is then verified with the associated public key.

The vulnerability was discovered by Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum. It involves creating a SHA-512 hash and then applying a (mod q) operation to derive the nonce. This construction was borrowed from the DSA signature method, where q has 160 bits; for P-521, however, q has 521 bits, so a 512-bit hash reduced (mod q) always leaves the nine most significant bits of the nonce value (k) set to zero, which significantly reduced the security of P-521. If the same nonce value is used twice, we need just two signatures to reveal the private key; here the nine-bit bias is enough to recover it from around 60 signatures.

Deterministic ECDSA does not use a random nonce but derives it deterministically from the private key and message; PuTTY, however, used its own method of taking a SHA-512 hash and then applying a (mod q) operation. Only ECDSA over NIST P-521 is affected; no other curves are affected, and Ed25519 is also still secure.
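To make the two mechanisms above concrete, here is an added example (not PuTTY's code, and not from the original article) in pure Python over the standard secp521r1 domain parameters. It shows, first, that a nonce built as a 512-bit SHA-512 digest reduced mod the 521-bit order can never set the top nine bits, and second, why nonce reuse is fatal: two signatures sharing a k give up the private key with a few lines of modular arithmetic. The private key, seed and messages are constructed; `biased_nonce` models the flawed construction and is an assumption about its shape, not PuTTY's exact derivation. The lattice step that turns the nine-bit bias into a key recovery from around 60 signatures is not shown.

```python
"""ECDSA over NIST P-521 in pure Python: nonce bias and nonce-reuse key leak.
Added example, not PuTTY's code. Curve constants are the public secp521r1
parameters; key, seed and messages are constructed for the demonstration."""
import hashlib
import secrets

# secp521r1 / NIST P-521 domain parameters (public constants)
P = 2**521 - 1
A = P - 3
B = 0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
N = 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
GX = 0x00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
GY = 0x011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
G = (GX, GY)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine chord-and-tangent addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Right-to-left double-and-add (not constant-time; demonstration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    # SHA-512 is 512 bits, shorter than the 521-bit order, so e is the whole digest
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % N


def biased_nonce(seed):
    """Assumed shape of the flawed scheme: a 512-bit digest reduced mod the 521-bit N.
    The digest is already below N, so the reduction changes nothing and bits
    512..520 of k are always zero."""
    return int.from_bytes(hashlib.sha512(seed).digest(), "big") % N


def sign(d, msg, k):
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * d) % N
    return r, s


def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    e = hash_to_int(msg)
    pt = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def recover_from_reused_nonce(msg1, sig1, msg2, sig2):
    """Same k in both signatures: k = (e1 - e2)/(s1 - s2), then d = (s1*k - e1)/r."""
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2, "different r values mean the nonces differ"
    e1, e2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r1, -1, N) % N


def demo():
    d = secrets.randbelow(N - 1) + 1            # constructed private key
    Q = scalar_mult(d, G)
    k = biased_nonce(b"constructed seed" + d.to_bytes(66, "big"))
    m1, m2 = b"commit one (constructed)", b"commit two (constructed)"
    sig1, sig2 = sign(d, m1, k), sign(d, m2, k)   # the same k twice
    return {
        "nonce_bits": k.bit_length(),            # always <= 512 of 521
        "zero_top_bits": N.bit_length() - 512,   # the nine bits that are never set
        "valid": verify(Q, m1, sig1) and verify(Q, m2, sig2),
        "recovered": recover_from_reused_nonce(m1, sig1, m2, sig2) == d,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the signatures verify as genuine while the reused nonce hands back the private key; the `nonce_bits` field never exceeds 512, which is the bias the lattice attack on PuTTY exploited across about 60 signatures. The cure is the one the fixed release uses: derive the nonce so that it is uniform over the full order (RFC 6979 style), never by reducing a digest that is shorter than the order.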

The signatures could be captured from a Git service that supports signing commits over SSH. Once the key is recovered, an adversary could commit new updates with malicious code and introduce back doors into software supply chains. Other software that uses PuTTY includes:

  • FileZilla 3.24.1–3.66.5 (fixed in 3.67.0).
  • WinSCP 5.9.5–6.3.2 (fixed in 6.3.3).
  • TortoiseGit 2.4.0.2–2.15.0 (fixed in 2.15.0.1).
  • TortoiseSVN 1.10.0–1.14.6 (mitigation possible by configuring TortoiseSVN to use Plink from the latest PuTTY 0.81 release).


Prof Bill Buchanan OBE FRSE
