4.18.1 Key exchange algorithm selection
PuTTY supports a variety of SSH-2 key exchange methods, and allows you to choose which one you prefer to use; configuration is similar to cipher selection (see section 4.20).
PuTTY currently supports the following key exchange methods:
- ‘NTRU Prime / Curve25519 hybrid’: ‘Streamlined NTRU Prime’ is a lattice-based algorithm intended to resist quantum attacks. In this key exchange method, it is run in parallel with a conventional Curve25519-based method (one of those included in ‘ECDH’), in such a way that it should be no less secure than that commonly-used method, and hopefully also resistant to a new class of attacks.
- ‘ECDH’: elliptic curve Diffie-Hellman key exchange, with a variety of standard curves and hash algorithms.
- The original form of Diffie-Hellman key exchange, with a variety of well-known groups and hashes:
  - ‘Group 18’, a well-known 8192-bit group, used with the SHA-512 hash function.
  - ‘Group 17’, a well-known 6144-bit group, used with the SHA-512 hash function.
  - ‘Group 16’, a well-known 4096-bit group, used with the SHA-512 hash function.
  - ‘Group 15’, a well-known 3072-bit group, used with the SHA-512 hash function.
  - ‘Group 14’: a well-known 2048-bit group, used with the SHA-256 hash function or, if the server doesn't support that, SHA-1.
  - ‘Group 1’: a well-known 1024-bit group, used with the SHA-1 hash function. Neither we nor current SSH standards recommend using this method any longer, and it's not used by default in new installations; however, it may be the only method supported by very old server software.
- ‘Diffie-Hellman group exchange’: with this method, instead of using a fixed group, PuTTY requests that the server suggest a group to use for a subsequent Diffie-Hellman key exchange; the server can avoid groups known to be weak, and possibly invent new ones over time, without any changes required to PuTTY's configuration. This key exchange method uses the SHA-256 hash or, if the server doesn't support that, SHA-1.
- ‘RSA-based key exchange’: this requires much less computational effort on the part of the client, and somewhat less on the part of the server, than Diffie-Hellman key exchange.
- ‘GSSAPI key exchange’: see section 4.18.1.1.
If the first algorithm PuTTY finds is below the ‘warn below here’ line, you will see a warning box when you make the connection, similar to that for cipher selection (see section 4.20).
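The selection rule above, modelled as an added example (not PuTTY's own code): the client walks its preference list in order and takes the first method the server also offers, warning if that method sits below the ‘warn below here’ line. The SSH wire names are the standard ones; their grouping under PuTTY's labels, the order within a label, the sample preference list and the server lists are assumptions constructed for illustration.

```python
# Added example, not PuTTY source. Wire names are the standard SSH ones;
# grouping under PuTTY's labels and order within a label are assumptions.
WIRE_NAMES = {
    "NTRU Prime / Curve25519 hybrid": ["sntrup761x25519-sha512@openssh.com"],
    "ECDH": ["curve25519-sha256", "ecdh-sha2-nistp256",
             "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
    "Group 18": ["diffie-hellman-group18-sha512"],
    "Group 17": ["diffie-hellman-group17-sha512"],
    "Group 16": ["diffie-hellman-group16-sha512"],
    "Group 15": ["diffie-hellman-group15-sha512"],
    "Group 14": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "Group 1": ["diffie-hellman-group1-sha1"],
    "Diffie-Hellman group exchange": ["diffie-hellman-group-exchange-sha256",
                                      "diffie-hellman-group-exchange-sha1"],
    "RSA-based key exchange": ["rsa2048-sha256", "rsa1024-sha1"],
}
WARN = "warn below here"

# Constructed preference list (not claimed to be PuTTY's shipped default).
SAMPLE_PREFS = ["NTRU Prime / Curve25519 hybrid", "ECDH",
                "Diffie-Hellman group exchange", "Group 14", WARN, "Group 1"]

# Constructed server offers, as they would appear in each server's KEXINIT.
SAMPLE_SERVERS = {
    "modern.example": ["diffie-hellman-group14-sha256", "curve25519-sha256"],
    "legacy.example": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "ancient.example": ["diffie-hellman-group1-sha1"],
}

def negotiate(prefs, server_offers):
    """Return (label, wire_name, warns) for the first client preference the
    server also offers, or None when there is no method in common."""
    offered = set(server_offers)
    below_warn = False
    for label in prefs:
        if label == WARN:
            below_warn = True  # every later label triggers the warning box
            continue
        for wire in WIRE_NAMES[label]:  # e.g. SHA-256 before the SHA-1 fallback
            if wire in offered:
                return label, wire, below_warn
    return None

def audit(prefs, servers):
    """Negotiate against each server; callers flag warns=True or None."""
    return {host: negotiate(prefs, offers) for host, offers in servers.items()}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_PREFS, SAMPLE_SERVERS).items():
        print(host, result)
```

In this model `legacy.example` negotiates ‘Group 14’ with its SHA-1 fallback and no warning, because the warning depends only on where the label sits in the list; reporting the wire name alongside the label makes that fallback visible in an audit.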