Damian Gerow wrote:
"For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead."
Indeed so - but saying that (in their opinion) RSA IS implemented better and more securely in PuTTY than DSA can hardly be the same as saying DSA should be avoided. As I understand it, the problem with DSA is that it is *very* dependent on the random number being random (collisions leading to weaknesses) - and everyone knows that Windows is bad at RNG.

What (as I understand it) the new PuTTY scheme does is use the secret key to obfuscate the random value a little - hashing it with both the private key and the hash of the message being signed - hoping to pull enough entropy out of those two to reduce the possibility of discovery of the random value due to it being limited to a subset of the "range" it should have. Obviously, this approach won't produce gold from straw - you still have a limited set of possible values - but it should distribute them evenly across the range in a key-dependent manner, so that knowledge of the limited possible values would have to be per-key or involve knowledge of the private key (which is a game-over scenario anyhow).

So my understanding of the above warning is that the games PuTTY plays with the keyspace are *probably* enough to fix the lousy randomness of the Windows platform - but they recommend that you use RSA where the randomness of a PRNG is not an issue.
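
A sketch of the idea described in the reply above, as an added example that is not part of the original post and is not PuTTY's code. SHA-512 as the mixing hash, the 8-value weak RNG, the stand-in modulus and every name here are assumptions made for illustration.

```python
import hashlib

# Stand-in for the DSA subgroup order q (assumption: the Mersenne prime 2^127 - 1).
Q = 2**127 - 1
# Constructed weak RNG: only 8 possible outputs, standing in for a poor PRNG.
WEAK_OUTPUTS = [1000 + i for i in range(8)]

def weak_rng(i):
    """Return the i-th 'random' value; it cycles through just 8 values."""
    return WEAK_OUTPUTS[i % len(WEAK_OUTPUTS)]

def naive_k(rand):
    """Use the RNG output directly as the per-signature value k."""
    return rand % (Q - 1) + 1

def hashed_k(private_key, message, rand):
    """Mix private key, message hash and RNG output, then reduce into [1, q-1]."""
    msg_hash = hashlib.sha512(message).digest()
    material = private_key.to_bytes(16, "big") + msg_hash + rand.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha512(material).digest(), "big") % (Q - 1) + 1

def distinct_ks(derive, messages):
    """Number of distinct k values produced while signing `messages` in order."""
    return len({derive(m, weak_rng(i)) for i, m in enumerate(messages)})

def demo():
    key_a, key_b = 0x1234567890ABCDEF, 0x0FEDCBA987654321  # constructed keys
    messages = [b"message %d" % i for i in range(100)]       # constructed inputs
    return {
        # Naive: 100 signatures share only 8 values of k, so k repeats.
        "naive": distinct_ks(lambda m, r: naive_k(r), messages),
        # Hashed: the message hash separates them even when the RNG repeats.
        "hashed": distinct_ks(lambda m, r: hashed_k(key_a, m, r), messages),
        # For one fixed message there are still only 8 candidates for k ...
        "fixed_message": len({hashed_k(key_a, b"m", r) for r in WEAK_OUTPUTS}),
        # ... but the candidate sets for two different keys do not overlap.
        "shared_between_keys": len(
            {hashed_k(key_a, b"m", r) for r in WEAK_OUTPUTS}
            & {hashed_k(key_b, b"m", r) for r in WEAK_OUTPUTS}),
    }

if __name__ == "__main__":
    print(demo())
```

The `fixed_message` count is the "gold from straw" limit: hashing spreads the candidates across the range per key, but does not create more of them than the RNG supplies.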