PuTTY wish arcfour


summary: The Arcfour cipher isn't supported
class: wish: This is a request for an enhancement.
difficulty: fun: Just needs tuits, and not many of them.
priority: low: We aren't sure whether to fix this or not.
fixed-in: 2005-09-04 (0.59) (0.60)

PuTTY doesn't support the "arcfour" (RC4) cipher in SSH-2. Arcfour is notable for being substantially faster than any cipher that PuTTY currently supports. Unfortunately, the way it's specified for SSH-2, without discarding the first 1024 bytes of keystream, it's rather weaker than it could be (though not dangerously so). On the other hand, not being a CBC-mode block cipher, it doesn't suffer from the problems described in ssh2-cbc-weakness.

Using arcfour (or any other stream cipher) in SSH-1 would be a very bad idea. The lack of a MAC makes it very easy for an attacker to modify the data stream.

Update: Ben Harris has written an Internet-Draft (draft-harris-ssh-arcfour-fixes, now RFC 4345) describing a way of using Arcfour reasonably securely with SSH-2, and PuTTY now implements this. Note that this document defines the "arcfour256" and "arcfour128" ciphers; PuTTY still does not support the less secure "arcfour" cipher, and we have no plans to make it do so.

(Support was first added on 2005-04-22, but only under private names defined in an earlier draft: "arcfour256-draft-00@putty.projects.tartarus.org" and so on. Only from 2005-09-04 do we support the IETF names, which also appear in OpenSSH from 4.2.)

(last revision of this bug record was at 2006-01-24 11:14:48 +0000)