PuTTY doesn't support the "arcfour" (RC4) cipher in SSH-2. Arcfour is notable for being substantially faster than any cipher that PuTTY currently supports. Unfortunately, the way it's specified for SSH-2, without discarding the first 1024 bytes of keystream, it's rather weaker than it could be (though not dangerously so). On the other hand, not being a CBC-mode block cipher, it doesn't suffer from the problems described in ssh2-cbc-weakness.
Using arcfour (or any other stream cipher) in SSH-1 would be a very bad idea. The lack of a MAC makes it very easy for an attacker to modify the data stream.
Update: Ben Harris has written an Internet-Draft (draft-harris-ssh-arcfour-fixes, now RFC 4345) describing a way of using Arcfour reasonably securely with SSH-2, and PuTTY now implements this. Note that this document defines the "arcfour256" and "arcfour128" ciphers; PuTTY still does not support the less secure "arcfour" cipher, and we have no plans to make it do so.
(Support was first added on 2005-04-22, but only under private names defined in an earlier draft: "arcfour256-draft-00@putty.projects.tartarus.org" and so on. Only from 2005-09-04 do we support the IETF names, which also appear in OpenSSH from 4.2.)
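As an added illustration (not PuTTY's code), the Python below models the three SSH cipher names with a plain RC4 generator: the keystream-discard length is the 1536 bytes RFC 4345 specifies, the key sizes are the 128- and 256-bit ones the names imply, and the `ARCFOUR_VARIANTS` table and `second_byte_zero_rate` measurement are assumptions of this example. The last function shows why the discard matters: undiscarded RC4 emits a second keystream byte that is 0 about twice as often as it should (the Mantin-Shamir bias), and skipping the start of the stream removes it.

```python
import random

# Keystream bytes thrown away by arcfour128/arcfour256 per RFC 4345.
RFC4345_DISCARD = 1536

# Cipher name -> (key length in bytes, keystream bytes discarded).
# "arcfour" is the plain SSH-2 cipher PuTTY declines to implement.
ARCFOUR_VARIANTS = {
    "arcfour": (16, 0),
    "arcfour128": (16, RFC4345_DISCARD),
    "arcfour256": (32, RFC4345_DISCARD),
}

def rc4_keystream(key, discard=0):
    """Yield RC4 keystream bytes, skipping the first `discard` of them."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = produced = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if produced >= discard:
            yield s[(s[i] + s[j]) & 0xFF]
        produced += 1

def arcfour(name, key, data):
    """Encrypt or decrypt `data` under one of the SSH cipher names above."""
    key_len, discard = ARCFOUR_VARIANTS[name]
    if len(key) != key_len:
        raise ValueError(f"{name} needs a {key_len}-byte key")
    ks = rc4_keystream(key, discard)
    return bytes(b ^ next(ks) for b in data)

def second_byte_zero_rate(trials, discard, key_len=16, seed=1):
    """Fraction of random keys whose second *kept* keystream byte is 0.
    Ideal is 1/256; undiscarded RC4 gives roughly 1/128."""
    rng = random.Random(seed)                  # seeded so runs are repeatable
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key, discard)
        next(ks)
        zeros += next(ks) == 0
    return zeros / trials
```

Running `second_byte_zero_rate(12000, 0)` against `second_byte_zero_rate(12000, RFC4345_DISCARD)` shows the bias in the first and its absence in the second.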