Post-quantum algorithms are now the default option in OpenSSH 9.0
OpenSSH has surprised and delighted the cyber world by switching to a hybrid post-quantum scheme in its latest version, 9.0. The software now combines NTRU Prime with the old favorite X25519 to negotiate the session keys that protect data in flight.
The release notes explain that the change was made to prevent “hack now, crack later” attacks, in which an attacker collects encrypted data today so that it can be decrypted with a quantum computer in the future. Previous versions of OpenSSH were exposed to this type of attack because the algorithms used to negotiate the encryption keys rest on mathematical problems that sufficiently powerful quantum computers are expected to solve. Anyone sharing sensitive data over an OpenSSH connection risked having that data exposed in 10 to 15 years, once quantum computers grow in power. The Cloud Security Alliance argues this time may come as soon as 2030.
The OpenSSH team is to be applauded for taking a public stand at a time when most security products are in a holding pattern waiting for the NIST post-quantum process to complete. Although the timing of its release is surprising, with major announcements from NIST expected in the coming days, it shows that they value user security over the potential inconvenience of tweaking algorithms in subsequent releases.
In a protocol like SSH, data is encrypted using a session key known only to the sender and receiver. To agree on the session key securely, the sender and receiver perform a cryptographic handshake, which typically relies on quantum-vulnerable public-key algorithms such as RSA or ECDSA.
To defend against the quantum threat, a hybrid cryptographic scheme combines a quantum-vulnerable algorithm with a post-quantum algorithm to strengthen the cryptographic handshake. The resulting session key is derived from the mix of key material agreed upon by both algorithms, so to recover it an attacker would have to break the quantum-vulnerable algorithm as well as the post-quantum one. This means the session key is likely to be safe from hack-now-and-decrypt-later attacks.
You might be wondering what happens if the post-quantum algorithm is broken in the near future, as recently happened with Rainbow. In that case, the security of the connection falls back to the security of the quantum-vulnerable algorithm: the data is perfectly secure against attackers today, but potentially vulnerable to quantum attacks in the future. In short, you have nothing to lose by experimenting with hybrid approaches. At worst you are no worse off, and at best you are quantum safe.
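The two preceding paragraphs describe a hybrid handshake in words; the following Python is an added illustration of that derivation, not code from OpenSSH or from this article. The classical half is a pure-Python X25519 (the RFC 7748 reference ladder, included so the example runs offline; it is not constant-time and is for illustration only). A real NTRU Prime implementation is out of scope here, so the sntrup761 KEM output is represented by opaque bytes the caller supplies, standing in for what each side would obtain from decapsulation. The combiner hashes both secrets with SHA-512, which is the shape of OpenSSH's sntrup761x25519-sha512 method; all function names are my own.

```python
import hashlib
import os

# --- Classical half: X25519 per RFC 7748 (pure-Python reference ladder). ---
# Illustration only: this ladder is not constant-time and must not be used in
# production code.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clamp as required by RFC 7748
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # mask the unused top bit of the u-coordinate
    return int.from_bytes(u, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder scalar multiplication on Curve25519."""
    k, x1 = _decode_scalar(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_keypair(priv=None):
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

# RFC 7748 section 6.1 test vectors, used to check the ladder above.
RFC_ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC_BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC_BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"

def rfc7748_check() -> bool:
    a, b = bytes.fromhex(RFC_ALICE_PRIV), bytes.fromhex(RFC_BOB_PRIV)
    a_pub, b_pub = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    return (a_pub.hex() == RFC_ALICE_PUB and b_pub.hex() == RFC_BOB_PUB
            and x25519(a, b_pub).hex() == RFC_SHARED
            and x25519(b, a_pub).hex() == RFC_SHARED)

# --- Hybrid combiner -------------------------------------------------------
def hybrid_shared_secret(pq_secret: bytes, ecdh_secret: bytes) -> bytes:
    """Combine the post-quantum KEM secret and the X25519 secret into one
    session secret. Because the output is a hash of both inputs, an attacker
    who later breaks one of the two algorithms still lacks the other input and
    cannot recover the session secret: the scheme is only as weak as the
    stronger of its two halves."""
    return hashlib.sha512(pq_secret + ecdh_secret).digest()

def simulate_hybrid_handshake(pq_secret_client: bytes, pq_secret_server: bytes):
    """Run the X25519 exchange for real on both sides; the sntrup761 result on
    each side is the stand-in value passed in (equal on both sides in a
    successful exchange, different if the KEM ciphertext was corrupted)."""
    c_priv, c_pub = x25519_keypair()
    s_priv, s_pub = x25519_keypair()
    client_key = hybrid_shared_secret(pq_secret_client, x25519(c_priv, s_pub))
    server_key = hybrid_shared_secret(pq_secret_server, x25519(s_priv, c_pub))
    return client_key, server_key

if __name__ == "__main__":
    assert rfc7748_check()
    ck, sk = simulate_hybrid_handshake(b"\x01" * 32, b"\x01" * 32)
    print("both sides agree:", ck == sk, "secret bytes:", len(ck))
```

Note that a mismatch in the post-quantum half does not quietly downgrade the connection to X25519 alone: the two sides simply derive different secrets and the handshake fails, which is exactly the property the "nothing to lose" argument relies on.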
The main disadvantage of hybrid approaches is that they have not yet been widely standardized, so both the sender and receiver must be aware of the particular combination of algorithms in use. In the OpenSSH example, both the client and the server must be running OpenSSH 9.0 to negotiate a quantum-secure connection. If one endpoint is running software from a different project (i.e. not OpenSSH) or an older version, the connection remains quantum-vulnerable.
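The negotiation rule behind that caveat is the standard SSH one (RFC 4253 section 7.1): the first key-exchange method on the client's list that the server also offers is chosen. The following Python is an added example, not code from OpenSSH, that applies that rule to two constructed name-lists and flags whether the result still protects against hack-now, decrypt-later collection. The method name sntrup761x25519-sha512@openssh.com is the real OpenSSH 9.0 default; the server list is a constructed stand-in for an older or non-OpenSSH peer, and the log-parsing helper assumes the `debug1: kex: algorithm:` line format that `ssh -v` prints.

```python
PQ_HYBRID_KEX = "sntrup761x25519-sha512@openssh.com"  # OpenSSH 9.0 default

# Constructed client preference list in the order an OpenSSH 9.0 client sends it
# (the hybrid method first).
OPENSSH_90_CLIENT = [
    PQ_HYBRID_KEX,
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]

# Constructed list for a server whose software predates the hybrid method.
OLDER_SERVER = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]

def negotiate_kex(client_list, server_list) -> str:
    """RFC 4253 7.1: the first algorithm on the client's name-list that is also
    on the server's name-list is chosen; with no overlap the handshake fails."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError("no common key exchange method")

def is_quantum_resistant(kex: str) -> bool:
    # Only the hybrid method protects against harvest-now/decrypt-later; every
    # other method in the lists above is pure (EC)DH.
    return kex == PQ_HYBRID_KEX

def parse_kex_log_line(line: str):
    """Return the negotiated method from an `ssh -v` debug line, else None."""
    prefix = "debug1: kex: algorithm: "
    if prefix in line:
        return line.split(prefix, 1)[1].strip()
    return None

def audit_kex_log(lines):
    """Map each negotiated method found in the log to whether it is hybrid."""
    result = {}
    for line in lines:
        kex = parse_kex_log_line(line)
        if kex is not None:
            result[kex] = is_quantum_resistant(kex)
    return result

# Constructed sample of `ssh -v` output for two different servers.
SAMPLE_LOG = [
    "debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com",
    "debug1: kex: host key algorithm: ssh-ed25519",
    "debug1: kex: algorithm: curve25519-sha256",
]

if __name__ == "__main__":
    chosen = negotiate_kex(OPENSSH_90_CLIENT, OLDER_SERVER)
    print("negotiated:", chosen, "hybrid:", is_quantum_resistant(chosen))
    print(audit_kex_log(SAMPLE_LOG))
```

To check a real connection, run `ssh -v host` and look for the `debug1: kex: algorithm:` line; `ssh -Q kex` lists the methods a client build supports, and `sshd -T` prints a server's effective `kexalgorithms`. A server that sets `KexAlgorithms sntrup761x25519-sha512@openssh.com` in sshd_config refuses the non-hybrid fallback entirely, at the cost of rejecting clients that do not yet support the method.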
Quantum presents both a threat and an opportunity to cyber security systems, and savvy companies are exploring both sides of the coin today.
OpenSSH has reminded the world that little is lost by aggressively adopting quantum-secure algorithms, as long as a hybrid approach is used. If you combine these algorithms with quantum-enhanced key generation, you can catapult yourself to the forefront of connection security and feel confident that you have taken all the precautions available today.
Bravo to OpenSSH for getting the ball rolling. Hopefully, other security products are poised to implement quantum security algorithms as soon as the NIST announcements are made.