OpenSSH takes aim at 'capture now, decrypt later' quantum attacks

OpenSSH 9 is here, with updates aimed at dealing with cryptographically challenging quantum computers. The popular open-source SSH implementation aims to provide secure communication in potentially insecure network environments. While version 9 is ostensibly focused on bug-fixing, there are some substantial changes lurking …

  1. Tommy G1

    When the NSA tells you not to worry...

    So someone with a massive interest in being able to decrypt tells us that there's no need to use really, really good encryption?


    1. Malcolm Weir

      Re: What's the problem?

      That quote from the NSA is highly misleading: a more accurate analysis is that the NSA doesn't know how long it will be before cryptologically relevant quantum computers exist, or indeed if they ever will... BUT it is working on the assumption that they will exist, and probably soon enough to warrant significant effort to be ready for when they do.

      They've been doing this for a while:

      This is, of course, where the idea to use the NTRU algorithm came from.

      It's trendy to believe that the NSA only releases/approves defective algorithms that provide them with secret backdoors, but there's no evidence to that effect: AES, as a good Belgian example, is an open algorithm with people from all over the world able to scrutinize and analyze the thing, and we're supposed to believe that _only_ the NSA Supermen are smart enough to have figured out a backdoor _and_ this information hasn't leaked (Snowden, or by unexplained compromises). The reality of the situation with the DES modifications suggested by the NSA was that the changes strengthened the algorithm against an attack that the NSA knew, but the cipher world as a whole did not... the exact opposite of the conspiracy theory...

      1. Anonymous Coward

        @Malcolm Weir - Re: What's the problem?

        I wouldn't bet my farm on AES. The US did not adopt this algorithm because it's open. Nowadays, when encryption is still considered a competitive advantage for military and law enforcement, for the US to gladly adopt an algorithm created without the benediction of their most trusted agencies looks suspect to me.

        I would suggest you look no further than the El Reg archives:

        Then go on and read the Black Hat Europe presentation referenced in the article. It's eye opening.

      2. Jon 37

        Re: What's the problem?

        > It's trendy to believe that the NSA only releases/approves defective algorithms that provide them with secret backdoors, but there's no evidence to that effect

        Nice use of the word "only". Because we know that at least one algorithm produced by the NSA for public adoption had a very clever back door.

        The problem is that it is hard to find a back door. The easiest solution is, once an organisation has proven to be an attacker trying to introduce back doors, stop using new algorithms from them.

      3. Speltier

        Re: What's the problem?

        I figured that AES was chosen so that it was not breakable except by application of massive black budgets. Ostensibly part of the reason for AES is that AES can work on small IoT devices, but really it means that a big enough farm can break AES via brute force.

        You will note that for PKI the symmetric encryption used is still AES, it is only the key exchange that is now quantum safe. So adding dual sig helps protect against near term script kiddies and scrapers while still protecting the farming attack (well, crqc helps there due to Grover's, but I digress).

        Realistically, most wanker companies will drag their feet on PQC and get bitten, if history is any indication. Horse lead water drink conundrum.

      4. chasil

        NTRU is not a finalist.

        The NTRU situation is actually more complex than this article implies.

        NIST is conducting a competition for post-quantum key exchange and signature algorithms. NTRU Prime did not make the cut as a key exchange finalist.

        It appears that NTRU Prime is going ahead in OpenSSH, without any formal endorsement from NIST.

        In the notes listing NTRU Prime as an alternate (and rejection as a finalist), Daniel J. Bernstein filed a complaint with his experience at NIST:

        "Formal complaint regarding 8 June 2021 incident - 2021.06.15, Daniel J. Bernstein..."

        "Executive summary. A week ago Dr. Daniel Apon from NIST publicly accused me of professional misconduct. Specifically, he accused me of initiating private contact with NIST so as to provide false information to NIST regarding the timing of an upcoming announcement relevant to NIST’s ongoing decisions..."

        It is unfortunate that this dysfunction has a practical impact upon OpenSSH.

    2. Anonymous Coward

      @Tommy G1 - Re: When the NSA tells you not to worry...

      Me too, I was impressed to hear this from one of the most honest and transparent organizations in the US.

  2. bombastic bob Silver badge

    "legacy" SCP protocol and SFTP

    what I am not quite sure about is whether or not the scp command will still work as expected... (or is it JUST the protocol being used that's changing?)

    Frequently I specify absolute paths to things to scp around and usually for good reason, such as copying things to an archive on another box.

    Sure, SFTP is fine too, but it may not do exactly what I want. Or is it just the PROTOCOL that is changing?

    Given the use of '-O' to keep any existing behaviors I hope nothing truly breaks.

    And does this have any effect on rsync? Yeah I use THAT a lot, too.

    1. eldakka Silver badge

      Re: "legacy" SCP protocol and SFTP

      > what I am not quite sure about is whether or not the scp command will still work as expected... (or is it JUST the protocol being used that's changing?)

      I had the same thought, so followed the link in the article to the release notes, which say:

      This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.

      Which I read as saying that the command to be used is still 'scp', just the underlying protocol behind it has changed. However, there are some syntax/usage changes in the file/path specifications due to the underlying protocol being SFTP rather than SCP - I read it that the sshd daemon has an sftp-server built into (or bundled with) it:

      Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

      This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.

      Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "" to support this.
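The quoting problem the release notes describe comes from one mechanism: legacy scp/rcp sends the remote path inside a command line ("scp -f <path>") that the remote login shell parses, so spaces and wildcards in a filename are interpreted before the remote scp ever sees them. The script below is an added example, not code from the OpenSSH release notes or from anyone in this thread; it stands in for the remote shell with a local `sh -c` (the function names `remote_args_seen` and `legacy_quote` are invented for the demonstration) and shows why the old extra layer of single quotes was needed, and why that same layer turns into a literal filename under SFTP mode, where no remote shell is involved.

```shell
#!/bin/sh
# Added example (not from the OpenSSH release notes or this thread). It emulates
# the one step that made legacy scp/rcp quoting brittle: the remote path travels
# inside a command string that the remote login shell word-splits and globs.
# The "remote shell" here is a local `sh -c`, so nothing leaves this machine.

# Report how many arguments the remote "scp -f" would receive for a given path
# string. The string is evaluated inside directory $2 (default: current dir) so
# that any wildcard expansion is deterministic.
remote_args_seen() {
    path=$1
    dir=${2:-.}
    ( cd "$dir" && sh -c "set -- $path; echo \$#" )
}

# The second layer of quoting users had to add for legacy scp: wrap the name in
# single quotes and escape any embedded single quote (a'b -> 'a'\''b').
legacy_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Walk through the four cases using a constructed scratch directory.
demo() {
    d=$(mktemp -d)
    touch "$d/a.txt" "$d/b.txt"          # constructed sample files for the glob case
    echo "unquoted 'my file.txt' -> $(remote_args_seen 'my file.txt' "$d") args (split on the space)"
    echo "legacy-quoted          -> $(remote_args_seen "$(legacy_quote 'my file.txt')" "$d") arg"
    echo "unquoted '*'           -> $(remote_args_seen '*' "$d") args (remote shell expanded the glob)"
    echo "legacy-quoted '*'      -> $(remote_args_seen "$(legacy_quote '*')" "$d") arg (a literal '*': no such file)"
    rm -rf "$d"
}

demo
```

The last line is the incompatibility the release notes warn about: under the SFTP protocol the client does its own expansion and there is no remote shell pass, so a path that was double-quoted for legacy scp arrives as the literal name `*` and the transfer fails. Running the old behaviour with `scp -O` keeps the remote shell step, and with it the need for `legacy_quote`-style quoting.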

      1. sreynolds Silver badge

        Mother fuckers

        They broke so many scripts I had using openssh to copy kernel images to embedded dropbear (without sftp support) based machines.

        Thank you.

    2. Crypto Monad Silver badge

      Re: "legacy" SCP protocol and SFTP

      > And does this have any effect on rsync? Yeah I use THAT a lot, too.

      rsync is its own binary protocol, that runs over ssh (amongst other transports). So no, it's not affected. It doesn't use scp or sftp.

  3. amanfromMars 1 Silver badge

    Re: The American Dream via Stealthy Internetional Security Threats and Surreal Treats

    The move by the OpenSSH team therefore may be a prudent one. After all, who knows what the future might hold?

    Regarding the future, the one decision which can be made and implemented, but which up until now has been catastrophically inadequate and increasingly self-defeating, is whether it is to be more of the same or something/many things quite different.

    Use your imagination and common sense to realise what will deliver immediate and fundamental radical change and changes. The correct answer is surely blindingly obvious.

    On the flip side, is it moronic to contemplate and accept insanity ..... "Doing the same thing over and over again and expecting different results." .... as a future "If at first you don't succeed, try and try again" driver?

    And Uncle Sam itself, if you can believe its usual assortment of serial warmongers, is under sustained hostile attack from the future and quantum machinery ......

    This is important since quantum computing is already a threat to national security. National data is currently being stolen and stored with the intention of decrypting it as soon as these powerful quantum computers come on-line. ........
    ........ but then they and their allies are always appearing to be assaulted by some ethereal Tom, Dick or Harry in order to enable them to justify lease lending newly perceived/freshly conceived novel victim clients increasingly expensive exploding tools and rapidly depreciating assets which they are forever indebted to try and repay with a punitive tax on the wealth of the yet to be born and innocent. It is the for profit [extra money for nothing] capitalist way, is it not ..... but it has had its day, has it not ? It is stale and failed/stagnant and unproductive?
