OpenSSH Bravely Responds to the Quantum Threat | by Duncan Jones | Cambridge Quantum | April 2022

Post-quantum algorithms are now the default choice in OpenSSH 9.0


OpenSSH has surprised and delighted the cyber world by making a hybrid post-quantum key exchange the default in its latest version, 9.0. The software now pairs Streamlined NTRU Prime (the sntrup761 parameter set) with the old favorite X25519, in a key-exchange method named sntrup761x25519-sha512@openssh.com, to negotiate the session keys that protect data in transit.

The release notes explain that the rationale was to prevent “hack now, decrypt later” attacks, in which an attacker harvests encrypted traffic today so that it can be decrypted once a sufficiently powerful quantum computer arrives. Previous versions of OpenSSH were exposed to this type of attack because the algorithms used to negotiate encryption keys rest on mathematical problems that large quantum computers are expected to solve. Anyone who shared sensitive data over an OpenSSH connection risked having that data exposed 10 or 15 years from now, once quantum computers reach the necessary scale. The Cloud Security Alliance says that moment could come as early as 2030.

The OpenSSH team should be applauded for taking a public stand at a time when most security products are waiting for NIST’s post-quantum standardization process to conclude. Although the timing of the release is surprising, with major announcements from NIST expected in the coming days, it shows that they value user security above the potential inconvenience of adjusting algorithms in later releases.

In a protocol like SSH, data is encrypted using a session key known only to the two endpoints. To agree on that session key, client and server perform a cryptographic handshake whose key-exchange step has, until now, relied on quantum-vulnerable algorithms: Diffie-Hellman over finite fields or over elliptic curves such as X25519. The handshake also uses signature algorithms such as RSA or ECDSA, but only to authenticate the host and the user; a future break of those does not expose traffic recorded today, which is why the key exchange is the piece that needs protecting first.

To defend against the quantum threat, a hybrid key exchange runs a quantum-vulnerable algorithm and a post-quantum algorithm side by side in the same handshake. The resulting session key is derived from a mixture of the keying material agreed by the two algorithms: in OpenSSH’s method the two shared secrets are concatenated and hashed with SHA-512, and the usual SSH key derivation runs on that output. To recover the session key, an attacker would have to break the quantum-vulnerable algorithm and the post-quantum algorithm. This means the session key should resist “hack now, decrypt later” attacks.
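The combine-then-derive step described above, as an added example written for this article rather than code from OpenSSH. The two raw shared secrets and the exchange hash are constructed stand-ins for what sntrup761, X25519 and the handshake transcript would produce; what the code shows is how the two secrets are folded into one value K and how the six directional session keys are then expanded from K following RFC 4253, section 7.2. Feeding K to the derivation raw, without SSH wire encoding, is a simplification.

```python
"""Hybrid key agreement in miniature (added example, not OpenSSH's code).

The two raw shared secrets are CONSTRUCTED stand-ins for what the
post-quantum KEM (sntrup761) and the classical ECDH (X25519) would each
produce inside a real handshake. The example shows how the two secrets are
mixed into one value K, and how the session keys are then derived from K
(RFC 4253, section 7.2).
"""
import hashlib
from typing import Dict

HASH = hashlib.sha512  # the "-sha512" in sntrup761x25519-sha512@openssh.com

# Constructed example inputs. In a real handshake these come from the KEM
# decapsulation, the X25519 scalar multiplication, and the exchange hash.
KEM_SECRET = bytes(range(32))           # stand-in for the NTRU Prime secret
ECDH_SECRET = bytes(range(32, 64))      # stand-in for the X25519 secret
EXCHANGE_HASH = HASH(b"constructed transcript of the handshake").digest()


def hybrid_shared_secret(kem_secret: bytes, ecdh_secret: bytes) -> bytes:
    """OpenSSH's combiner: K = SHA-512(kem_secret || ecdh_secret).

    An attacker holding only the ECDH secret (a future quantum computer) or
    only the KEM secret (a hypothetical classical break of NTRU Prime) still
    lacks half of the preimage and cannot compute K.
    """
    return HASH(kem_secret + ecdh_secret).digest()


def derive_key(K: bytes, H: bytes, letter: bytes, session_id: bytes,
               length: int) -> bytes:
    """RFC 4253 section 7.2 key expansion.

    K1 = HASH(K || H || letter || session_id)
    K2 = HASH(K || H || K1),  K3 = HASH(K || H || K1 || K2), ...
    The key is the first `length` bytes of K1 || K2 || K3 ...
    Simplification: K is fed raw; OpenSSH wraps it in SSH wire encoding first.
    """
    out = HASH(K + H + letter + session_id).digest()
    while len(out) < length:
        out += HASH(K + H + out).digest()
    return out[:length]


def session_keys(K: bytes, H: bytes, session_id: bytes,
                 key_len: int = 32, iv_len: int = 16) -> Dict[str, bytes]:
    """Derive the six directional IVs/keys of RFC 4253 (letters A to F)."""
    spec = {"iv_c2s": (b"A", iv_len), "iv_s2c": (b"B", iv_len),
            "enc_c2s": (b"C", key_len), "enc_s2c": (b"D", key_len),
            "mac_c2s": (b"E", key_len), "mac_s2c": (b"F", key_len)}
    return {name: derive_key(K, H, letter, n_bytes, session_id and n_bytes) if False else derive_key(K, H, letter, session_id, n_bytes)
            for name, (letter, n_bytes) in spec.items()}


def keys_for(kem_secret: bytes, ecdh_secret: bytes,
             H: bytes = EXCHANGE_HASH) -> Dict[str, bytes]:
    """What each endpoint does after both exchanges: combine, then expand.
    The first exchange hash doubles as the session identifier."""
    return session_keys(hybrid_shared_secret(kem_secret, ecdh_secret), H, H)


def attacker_with_one_half_can_match(kem_secret: bytes, ecdh_secret: bytes) -> bool:
    """Model of harvest-now/decrypt-later against the hybrid: the attacker has
    recovered the X25519 secret but must guess the KEM secret. Returns True
    only if a wrong guess still yields the real session keys."""
    real = keys_for(kem_secret, ecdh_secret)
    guessed = keys_for(bytes(32), ecdh_secret)  # wrong KEM secret
    return real == guessed


if __name__ == "__main__":
    client = keys_for(KEM_SECRET, ECDH_SECRET)
    server = keys_for(KEM_SECRET, ECDH_SECRET)
    assert client == server  # both ends hold both secrets, so keys agree
    for name, k in client.items():
        print(f"{name}: {k.hex()}")
    print("one half suffices:",
          attacker_with_one_half_can_match(KEM_SECRET, ECDH_SECRET))
```

The attacker model at the end is the point of the hybrid: recovering the X25519 secret with a future quantum computer leaves the adversary guessing a 256-bit KEM secret, and a wrong guess produces an unrelated set of session keys.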

You might be wondering what happens if the post-quantum algorithm is broken in the near future, as we saw recently with Rainbow. In that case the security of the connection comes down to the security of the quantum-vulnerable algorithm: the data is still fully protected against today’s attackers, but potentially exposed to quantum attacks in the future, exactly as before. In short, you give up very little by adopting hybrid approaches, beyond a couple of kilobytes of extra handshake traffic and more code to review. Worst case, you are no worse off than before; best case, you are quantum-safe.

The main disadvantage of hybrid approaches is that they are not yet widely standardized, so both ends must know the particular combination of algorithms in use. In the OpenSSH case, SSH picks the key exchange from the lists each side advertises, so both client and server must support the hybrid method: OpenSSH has offered sntrup761x25519-sha512@openssh.com since version 8.5, and 9.0 is the first release to prefer it by default. If one end runs software from a different project (e.g. not OpenSSH) or an older version that lacks the method, the negotiation silently falls back to a classical method and the connection remains quantum-vulnerable.
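The fallback described above follows directly from how SSH negotiates its key exchange (RFC 4253, section 7.1): the winner is the first method in the client’s preference list that the server also lists. The model below is an added example, not OpenSSH code; the method names are OpenSSH’s own, but the default orderings are assumptions about a 9.0 peer and an older peer, and the host-key compatibility check that the RFC also requires is left out.

```python
"""SSH key-exchange negotiation, RFC 4253 section 7.1 (added example, not
OpenSSH's code). Each side advertises its KEX methods in preference order;
the method chosen is the first entry in the CLIENT's list that the server
also supports. The lists below are constructed from OpenSSH's published
method names to model a 9.0 peer and an older peer; the orderings are
assumptions, not copied from the software."""
from typing import List, Tuple

PQ_HYBRID = "sntrup761x25519-sha512@openssh.com"

# Assumed default order of an OpenSSH 9.0 client/server: hybrid first, then
# the classical methods.
OPENSSH_9_0 = [
    PQ_HYBRID,
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# A peer that predates the hybrid method, or a non-OpenSSH implementation
# that never added it: the same list minus the post-quantum entry.
LEGACY_PEER = [m for m in OPENSSH_9_0 if m != PQ_HYBRID]

# What "KexAlgorithms sntrup761x25519-sha512@openssh.com" in ssh_config
# amounts to: the client offers nothing else, so it can never fall back.
PINNED_CLIENT = [PQ_HYBRID]


def negotiate_kex(client_algs: List[str], server_algs: List[str]) -> str:
    """First client preference the server also lists; no match means the
    connection fails. (RFC 4253 also requires the chosen method to have a
    usable host-key algorithm; that check is omitted here.)"""
    offered = set(server_algs)
    for alg in client_algs:
        if alg in offered:
            return alg
    raise ValueError("no common key-exchange algorithm; connection aborted")


def is_quantum_safe(kex: str) -> bool:
    """Only the hybrid method protects against harvest-now/decrypt-later."""
    return kex == PQ_HYBRID


def assess(client_algs: List[str], server_algs: List[str]) -> Tuple[str, bool]:
    """The negotiated method and whether it is quantum-safe."""
    kex = negotiate_kex(client_algs, server_algs)
    return kex, is_quantum_safe(kex)


def connection_possible(client_algs: List[str], server_algs: List[str]) -> bool:
    """True if the two lists share at least one method."""
    try:
        negotiate_kex(client_algs, server_algs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, c, s in [("9.0 <-> 9.0", OPENSSH_9_0, OPENSSH_9_0),
                        ("9.0 <-> legacy", OPENSSH_9_0, LEGACY_PEER),
                        ("legacy <-> 9.0", LEGACY_PEER, OPENSSH_9_0)]:
        kex, safe = assess(c, s)
        print(f"{label}: {kex} quantum-safe={safe}")
    print("pinned <-> legacy connects:",
          connection_possible(PINNED_CLIENT, LEGACY_PEER))
```

On a real system the same questions are answered by the tools themselves: ssh -Q kex lists the methods a build supports, ssh -vv logs the line “kex: algorithm: …” with the method actually negotiated, and a KexAlgorithms line in ssh_config or sshd_config restricts the offered list, trading compatibility with older peers for a guarantee that no classical fallback happens.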

Quantum presents both a threat and an opportunity to cybersecurity systems, and smart enterprises today are exploring both sides of the coin.

OpenSSH reminded the world that little is lost by embracing post-quantum algorithms early, provided a hybrid approach is used. If you combine these algorithms with quantum-enhanced key generation, you can catapult yourself to the forefront of connection security and be sure that you have taken all the precautions available today.

Kudos to OpenSSH for getting the ball rolling. Hopefully more security products will follow with post-quantum algorithms of their own as soon as the NIST announcements are made.