The paper “On the Security of SSH Client Signatures” by Fabian Bäumer, Marcus Brinkmann, Maximilian Radoy, Jörg Schwenk, and Juraj Somorovsky won a Distinguished Paper Award at ACM CCS 2025. The renowned conference took place from October 13-17, 2025, in Taipei, Taiwan. In their paper “On the Security of SSH Client Signatures,” the researchers analyze the security of SSH client keys and signatures and reveal a specific vulnerability in PuTTY (CVE-2024-31497).
To the Paper
On the Security of SSH Client Signatures Fabian Bäumer (Ruhr University Bochum), Marcus Brinkmann (Ruhr University Bochum), Maximilian Radoy (Paderborn University), Jörg Schwenk (Ruhr University Bochum), Juraj Somorovsky (Paderborn University)
Abstract: Administrators and developers use SSH client keys and signatures for authentication, for example, to access internet backbone servers or to commit new code on platforms like GitHub. However, unlike servers, SSH clients cannot be measured through internet scans. We close this gap in two steps. First, we collect SSH client public keys. Such keys are regularly published by their owners on open development platforms like GitHub and GitLab. We systematize previous non-academic work by subjecting these keys to various security tests in a longitudinal study. Second, in a series of black-box lab experiments, we analyze the implementations of algorithms for SSH client signatures in 24 popular SSH clients for Linux, Windows, and macOS. We extracted 31,622,338 keys from three public sources in two scans. Compared to previous work, we see a clear tendency to abandon RSA signatures in favor of EdDSA signatures. Still, in January 2025, we found 98 broken short keys, 139 keys generated from weak randomness, and 149 keys with common or small factors—the large majority of the retrieved keys exposed no weakness. Weak randomness can not only compromise a secret key through its public key, but also through signatures. It is well-known that a bias in random nonces in ECDSA can reveal the secret key through public signatures. For the first time, we show that the use of deterministic nonces in ECDSA can also be dangerous: The private signing key of a PuTTY client can be recovered from just 58 valid signatures if ECDSA with NIST curve P-521 is used. PuTTY acknowledged our finding in CVE-2024-31497, and they subsequently replaced the nonce generation algorithm.
The following papers by HGI/CASA scientists were also presented at the conference:
Noise and Stress Don’t Help With Learning: A Qualitative Study to Inform Design of Effective Cybersecurity Awareness in Manufacturing Environments Lina Brunken (Ruhr University Bochum), Markus Schöps (Ruhr University Bochum), Annalina Buckmann (Ruhr University Bochum), Florian Meißner (Macromedia University of Applied Sciences), M. Angela Sasse (Ruhr University Bochum)
Finding SSH Strict Key Exchange Violations by State Learning Fabian Bäumer (Ruhr University Bochum), Marcel Maehren (Ruhr University Bochum), Marcus Brinkmann (Ruhr University Bochum), Jörg Schwenk (Ruhr University Bochum)
On Hyperparameters and Backdoor-Resistance in Horizontal Federated Learning Simon Lachnit (Ruhr University Bochum), Ghassan Karame (Ruhr University Bochum)
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.