Post-Quantum SSH

The Secure Shell (SSH) protocol

The Secure Shell (SSH) protocol is one of the most widely used security protocols in use today; it protects the information exchanged between clients and servers. SSH is secure against today's classical computers; however, because part of its security relies on asymmetric cryptography, SSH is unfortunately vulnerable to future attacks from quantum computers.


Both the RSA and Elliptic Curve Diffie-Hellman asymmetric algorithms that set up the SSH exchange will succumb to Shor's quantum algorithm on a sufficiently large quantum computer. While a quantum computer of that size and stability may be 5 to 15 years off, cryptographers from around the world are working to identify new, quantum-safe algorithms now.

Post-Quantum Cryptography SSH

Given the importance of SSH, early planning for the transition to post-quantum cryptography needs to start soon. Asymmetric cryptography in SSH needs to be migrated in two places:

  • Key exchange: during this step, the server and client exchange cryptographic messages using asymmetric key exchange algorithms (such as RSA and ECDH) to derive a symmetric key, which is then used to encrypt the rest of the session. Those asymmetric key exchange algorithms will need to be replaced with quantum-safe algorithms. The symmetric key algorithms negotiated during key exchange (e.g., AES) aren't as vulnerable to quantum computers, so we simply need to increase the key length to secure the symmetric cryptography against a quantum adversary.
  • Authentication: during this step, the server (and optionally the client) proves its identity using its public key. The signature algorithms (such as RSA or ECDSA) are not quantum safe and must be updated.

Until we gain full confidence in the new post-quantum cryptographic schemes, it is recommended to use them in what we call hybrid mode. To achieve this, both key exchanges and signatures are performed in parallel, generating both a classical exchange/signature and a post-quantum one. The resulting messages/signatures are combined, offering security against quantum attacks while retaining the security of today's schemes.
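To make the hybrid key-exchange step concrete, here is an added Python model of it, not code from the OQS-OpenSSH fork or liboqs: the classical component is a toy Diffie-Hellman group and the post-quantum component is a stand-in KEM (both assumptions, with no security of their own), while the combiner shows the property hybrid mode relies on, that the session key stays secret unless both shared secrets are recovered.

```python
import hashlib
import secrets

# Toy classical Diffie-Hellman group (assumption: deliberately tiny and
# insecure, used only so the example runs offline without an ECDH library).
P = 2**127 - 1
G = 3

def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire encoding: 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b
def classical_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)
def classical_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

# Stand-in post-quantum KEM (assumption): a random shared secret is XOR-masked
# with a hash of the public value so there is an encapsulate/decapsulate shape.
# A deployment would call FrodoKEM or SIKE through liboqs here instead.
def pq_keypair():
    sk = secrets.token_bytes(32)
    return sk, hashlib.sha256(b"pq-pub" + sk).digest()
def pq_encaps(pk: bytes):
    ss = secrets.token_bytes(32)
    mask = hashlib.sha256(b"wrap" + pk).digest()
    return bytes(a ^ b for a, b in zip(ss, mask)), ss
def pq_decaps(sk: bytes, ct: bytes) -> bytes:
    pk = hashlib.sha256(b"pq-pub" + sk).digest()
    mask = hashlib.sha256(b"wrap" + pk).digest()
    return bytes(a ^ b for a, b in zip(ct, mask))

def hybrid_shared_secret(classical_ss: bytes, pq_ss: bytes) -> bytes:
    """Combine both components (assumption: SHA-256 over length-prefixed
    concatenation). The result stays secret unless BOTH inputs are recovered,
    and the length prefixes prevent boundary ambiguity between the two parts."""
    return hashlib.sha256(ssh_string(classical_ss) + ssh_string(pq_ss)).digest()

def run_hybrid_kex():
    """One hybrid exchange; returns (client_key, server_key, classical_ss, pq_ss)."""
    c_priv, c_pub = classical_keypair()      # client's classical ephemeral key
    s_priv, s_pub = classical_keypair()      # server's classical ephemeral key
    pq_sk, pq_pk = pq_keypair()              # client's PQ ephemeral key
    ct, pq_ss_server = pq_encaps(pq_pk)      # server encapsulates to the client
    pq_ss_client = pq_decaps(pq_sk, ct)      # client recovers the same secret
    classical_ss = classical_shared(c_priv, s_pub)
    client_key = hybrid_shared_secret(classical_ss, pq_ss_client)
    server_key = hybrid_shared_secret(classical_shared(s_priv, c_pub), pq_ss_server)
    return client_key, server_key, classical_ss, pq_ss_client
```

An adversary who breaks only the classical component (or only the PQ one) still lacks the other input to `hybrid_shared_secret`, so the derived session key is out of reach.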

A fork of OpenSSH

OpenSSH is an open-source implementation of the Secure Shell (SSH) protocol. The Open Quantum Safe OpenSSH repository contains a fork of OpenSSH 7.7 that adds quantum-resistant key exchange and signature algorithms using liboqs for prototyping purposes. The post-quantum key exchange algorithms FrodoKEM and SIKE, and the signature algorithms Picnic and qTESLA, co-developed by Microsoft, have been integrated into this project.

liboqs and this integration into OpenSSH are designed for prototyping and evaluating quantum-resistant cryptography. The security of proposed quantum-resistant algorithms may change rapidly as research advances, and any specific PQ algorithm may ultimately prove to be completely insecure against either classical or quantum computers.

More information

For more information on Microsoft’s work in Post-Quantum Cryptography, see our main project page: https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/