Is PuttyGen secure?
is swirling the mouse around in a little area sufficiently random to generate a good SSH-RSA key?
Yes, it is. Nobody can predict how you move the mouse, and even if you are asked to copy a pattern, you won't be able to.
You don't need to generate the random code elsewhere IF you can be sure that you Windows computer is not infected with malware capable of intercepting the key generation. A fresh installed, disconnected Windows machine is secure enough.
As of 2019, the answer appears to by simply "we don't know". It is probably fine, though.
This is how Puttygen generates keys:
[A] quick look at the Puttygen source code indicates that it seems to generates private keys solely based on mouse movements. It fills an array with the time of mouse movement events in the even cells and the mouse position in the odd cells, sprinkles some magic shuffling over it, and calls some RSA/DSA/EC* key generator with the array as argument.
In a search for evidence to support or refute the unpredictability of mouse movements, I found nothing. Nobody seems to have conducted any research on the topic.
For now, I would advise to use methods of which we are quite confident to be secure. Modern operating systems provide these (/dev/urandom
on Linux and CryptGenRandom
in Microsoft Windows), since the entropy has to be gathered from system sources. An individual program has much less opportunity to generate proper randomness, so software should use the system's source of randomness. Software like ssh-keygen
does this.
This comes down to how much entropy is in mouse motion and how it is digested to give the key.
I found this post that discusses experiments with mouse movements. It used a smooth mouse motion sampled at irregular intervals that are of course rounded to a whole pixel. It showed that this leads to a Gaussian distribution of acceleration with a few bits of entropy per event. It estimated that a few seconds of movement would generate 128bits of entropy.
What is remarkable about the experiment in that post is that it is just based on smooth motion. PuttyGen has you waggle your mouse around. That will give some unpredictable values. If you had thousands of volunteers waggle a mouse and ran each trace through, say, SHA256, you wouldn't expect any predictability.
Another answer says that PuttyGen runs its mouse trace through a cryptographic key generator algorithm. We can expect that to make good use of the entropy in the trace. So it seems like a satisfactory approach.
Update It occurs to me that we are used to applications using /dev/urandom
so it seems suspicious that PuttyGen uses mouse movements. Yet very few systems have hardware random number generators the standard mechanism for pseudo random numbers is to sample noise from device drivers then hash that. Given that sampling a smooth mouse movement generates noise, and a user waggling it gives unpredictability, PuttyGen is simply doing something equivalent of typical secure random number generators. Why? Either they don’t trust windows to do what Linux does, or they don’t trust windows to hide official random numbers from attackers, or they suspect attacker might be able to replace the official source with a predicable one. There are probably a huge number of cases where a user wouldn’t bother to help generate unobservable pseudo random numbers. So PuttyGen is a special case of a high paranoia scenario where the end user will invest time and effort to obtain a secure key.