OpenSSH has minted their 9.0 release, and it includes a pair of security changes. Unlike most of the releases we cover here, this one has security hardening to prevent issues, not emergency fixes for current ones. First up, the venerable scp/rcp protocol has been removed. Your
scp commands will now use SFTP under the hood. The more interesting security change is the new default key exchange, the NTRU algorithm. NTRU is thought to be quantum-hard.
So quick primer: Modern encryption depends on trapdoor functions — calculations that are easy to perform in one direction, but very difficult to reverse. The first such scheme was the Diffie-Hellman key exchange, which uses large prime numbers multiplied together. The multiplication is easy, but factoring the result is a very hard problem. If a shortcut were ever found to make factoring easier, the security of Diffie-Hellman would suffer. Such a shortcut has theoretically been found in Shor’s Algorithm. (Similar shortucts have theoretically been found in other schemes, including elliptic curve.)
Shor’s Algorithm is actually quite clever. The video above explains it much better than I can, but the key is that it depends on a feature that can be built into quantum computers, so that many possible solutions can be processed at once, and the incorrect ones cancel out, leaving only a likely-to-be-correct output. The problem is that cutting-edge quantum computers have managed to factor 21 into its prime factors. Not a 21 digit number, mind you, but 21.
We’re a very long ways from the quantum computing crypto-apocalypse we’ve been promised. So why are projects implementing quantum-resistant protocols? The “capture now, decrypt later” scenario. Because it’s the key exchange protocol that will be potentially vulnerable, an entire SSH session can be captured now, and once a quantum computer exists that breaks the handshake, the entire session can be decrypted offline. It’s still anyone’s guess how long till a corporation or nation-state has a practical quantum computer. Even if it takes another 20 years, some data will still be sensitive and subject to…