Post-quantum crypto now in SSH

From: Christian Weisgerber <naddy_at_mips.inka.de>
Date: Thu, 10 Feb 2022 15:46:27 UTC
Ed Maste has MFCed OpenSSH 8.7 to 13-STABLE, so I thought I'd point
out a new feature.

If you are concerned that adversaries might record SSH sessions and
later decrypt them should quantum computers become practical in a
number of years, well, you can take action now:

KexAlgorithms ^sntrup761x25519-sha512@openssh.com

This key exchange algorithm combines sntrup761 and x25519 (aka
curve25519).  The strength of the combined algorithm is determined
by the stronger component.  sntrup761 should be able to withstand
attacks by quantum computers, but has not been as thoroughly
researched.  x25519 is a classical algorithm and vulnerable to
quantum attack, but it is well established (it's already the default
SSH KEX).

There is no downside to enabling this KEX, other than a slightly
larger overhead when a connection is established. This is measurable
but not noticeable on a machine as slow as a PCEngines APU2.

For the server, add

  KexAlgorithms +sntrup761x25519-sha512@openssh.com

to /etc/ssh/sshd_config.  (This will no longer be necessary starting
with OpenSSH 8.9.)

For the client, add

  KexAlgorithms ^sntrup761x25519-sha512@openssh.com

to ~/.ssh/config.

Note that the code has been in OpenSSH since 8.5, so there are any
number of non-FreeBSD machines where this can also be enabled.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
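Added example, not part of the original post: a small POSIX sh model of what the `^`, `+`, `-` and bare-list forms of `KexAlgorithms` do to the preference order, plus the RFC 4253 negotiation rule (the first algorithm on the client's list that the server also offers wins). It explains why `^` on the client and merely `+` on the server is enough to get the post-quantum KEX negotiated. The default list used here is a constructed, shortened stand-in, and the model deliberately skips OpenSSH's step of dropping names the local build does not support.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH itself).
# Simplified model of OpenSSH's KexAlgorithms prefix handling:
#   ^name  prepend (make it most preferred)
#   +name  append  (offer it, but only as a fallback)
#   -name  remove
#   list   replace the default list entirely
# Assumption: the directive carries a single algorithm name.

PQ_KEX="sntrup761x25519-sha512@openssh.com"

# Constructed stand-in for a pre-8.9 default list (the real one is longer).
DEFAULT_KEX="curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"

# contains_kex LIST NAME -> exit status 0 if NAME is in comma-separated LIST
contains_kex() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# remove_kex LIST NAME -> LIST with every occurrence of NAME dropped
remove_kex() {
    _out=""
    _old_ifs=$IFS; IFS=,
    for _n in $1; do
        [ "$_n" = "$2" ] && continue
        _out="${_out:+$_out,}$_n"
    done
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# apply_kex_directive DEFAULT DIRECTIVE -> the list that results
apply_kex_directive() {
    _def=$1; _dir=$2
    case $_dir in
        ^*) _name=${_dir#^}
            _rest=$(remove_kex "$_def" "$_name")      # no duplicates
            printf '%s\n' "${_name}${_rest:+,$_rest}" ;;
        +*) _name=${_dir#+}
            if contains_kex "$_def" "$_name"; then
                printf '%s\n' "$_def"                  # already offered
            else
                printf '%s\n' "$_def,$_name"
            fi ;;
        -*) remove_kex "$_def" "${_dir#-}" ;;
        *)  printf '%s\n' "$_dir" ;;
    esac
}

# first_kex LIST -> the most-preferred entry
first_kex() { printf '%s\n' "${1%%,*}"; }

# negotiated_kex CLIENT_LIST SERVER_LIST -> first client entry the server also
# offers (RFC 4253 section 7.1: the client's order decides, not the server's)
negotiated_kex() {
    _old_ifs=$IFS; IFS=,
    for _c in $1; do
        if contains_kex "$2" "$_c"; then
            IFS=$_old_ifs
            printf '%s\n' "$_c"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# Demonstration: client uses '^' (prepend), server uses '+' (append).
client_list=$(apply_kex_directive "$DEFAULT_KEX" "^$PQ_KEX")
server_list=$(apply_kex_directive "$DEFAULT_KEX" "+$PQ_KEX")
echo "client offers:  $client_list"
echo "server offers:  $server_list"
echo "negotiated:     $(negotiated_kex "$client_list" "$server_list")"
# With an unpatched server the client quietly falls back:
echo "old server:     $(negotiated_kex "$client_list" "$DEFAULT_KEX")"
```

To check the real thing rather than the model: `ssh -Q kex` lists the KEX names the local OpenSSH build supports, and `ssh -vv host 2>&1 | grep 'kex: algorithm:'` shows which one a given connection actually negotiated.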