OpenSSH takes aim at 'capture now, decrypt later' quantum attacks OpenSSH 9 is here, with updates aimed at dealing with cryptographically challenging quantum computers. The popular open-source SSH implementation aims to provide secure communication in a potentially unsecure network environments. While version 9 is ostensibly focused on bug-fixing, there are some substantial changes lurking …
That quote from the NSA is highly misleading: a more accurate analysis is that the NSA doesn't know how long it will be before cryptologically relevant quantum computers exist, or indeed if they ever will... BUT it is working on the assumption that they will exist, and probably soon enough to warrant significant effort to be ready for when they do.
They've been doing this for a while: https://csrc.nist.gov/news/2016/public-key-post-quantum-cryptographic-algorithms
This is, of course, where the idea to use the NTRU algorithm came from.
It's trendy to believe that the NSA only releases/approves defective algorithms that provide them with secret backdoors, but there's no evidence to that effect: AES, as a good Belgian example, is an open algorithm with people from all over the world able to scrutinize and analyze the thing, and we're supposed to believe that _only_ the NSA Supermen are smart enough to have figured out a backdoor _and_ this information hasn't leaked (Snowden, or by unexplained compromises). The reality the situation with the DES modifications suggested by the NSA was that the changes strengthened the algorithm against an attack that the NSA knew, but the cipher world as a whole did not... the exact opposite of the conspiracy theory...
I wouldn't bet my farm on AES, US did not adopt this algorithm because it's open. Nowadays when encryption is still considered as a competitive advantage for military and law enforcement, for US to gladly adopt an algorithm created without the benediction of their most trusted agencies looks suspect to me.
I would suggest you to look no further than the El Reg archives : https://www.theregister.com/2017/12/15/crypto_mathematical_backdoors/
Then go on and read the Black Hat Europe presentation referenced in the article. It's eye opening.
> It's trendy to believe that the NSA only releases/approves defective algorithms that provide them with secret backdoors, but there's no evidence to that effect
Nice use of the word "only". Because we know that at least one algorithm produced by the NSA for public adoption, had a very clever back door.
https://en.m.wikipedia.org/wiki/Dual_EC_DRBG
The problem is that it is hard to find a back door. The easiest solution is, once an organisation has proven to be an attacker trying to introduce back doors, stop using new algorithms from them.
I figured that AES was chosen so that it was not breakable except by application of massive black budgets. Ostensibly part of the reason for AES is that AES can work on small IoT devices, but really it means that a big enough farm can break AES via brute force.
You will note that for PKI the symmetric encryption used is still AES, it is only the key exchange that is now quantum safe. So adding dual sig helps protect against near term script kiddies and scrapers while still protecting the farming attack (well, crqc helps there due to Grover's, but I digress).
Realistically, most wanker companies will drag their feet on PQC and get bitten, if history is any indication. Horse lead water drink conundrum.
The NTRU situation is actually more complex than this article implies.
NIST is conducting a competition for post-quantum key exchange and signature algorithms. NTRU Prime did not make the cut as a key exchange finalist.
It appears that NTRU Prime is going ahead in OpenSSH, without any formal endorsement from NIST.
https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions
In the notes listing NTRU Prime as an alternate (and rejection as a finalist), Daniel J. Bernstein filed a complaint with his experience at NIST:
https://03283664099418252878.googlegroups.com/attach/6f5422d4f193d/complaint-re-apon.pdf
"Formal complaint regarding 8 June 2021 incident - 2021.06.15, Daniel J. Bernstein..."
"Executive summary. A week ago Dr. Daniel Apon from NIST publicly accused me of professional misconduct. Specifically, he accused me of initiating private contact with NIST so as to provide false information to NIST regarding the timing of an upcoming announcement relevant to NIST’s ongoing decisions..."
It is unfortunate that this disfunction has a practical impact upon OpenSSH.
what I am not quite sure about is whether or not the scp command will still work as expected... (or is it JUST the protocol being used that's changing?)
Frequently I specify absolute paths to things to scp around and usually for good reason, such as copying things to an archive on another box.
Sure SFTP is fine too but it may not do exactly what I want. Or is it just the PROTOCOL that is changing>
Given the use of '-O' to keep any existing behaviors I hope nothing truly breaks.
And does this have any effect on rsync? Yeah I use THAT a lot, too.
> what I am not quite sure about is whether or not the scp command will still work as expected... (or is it JUST the protocol being used that's changing?)
I had the same thought, so followed the link in the article to the release notes, which say:
This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.
Which I read as saying that the command to be used is still 'scp', just the underlying protocol behind it has changed. However, there are some syntax/usage changes in the file/path specifications due to the underlying protocol being SFTP rather than SCP - I read it that the sshd daemon has an sftp-server built (or bundled with) into it:
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
The move by the OpenSSH team therefore may be a prudent one. After all, who knows what the future might hold?
Regarding the future, the one decision which can be made and implemented, but which up until now has been catastrophically inadequate and increasingly self-defeating, is whether it is to be more of the same or something/many things quite different.
Use your imagination and common sense to realise what will deliver immediate and fundamental radical change and changes. The correct answer is surely blindingly obvious.
On the flip side, is it moronic to contemplate and accept insanity ..... "Doing the same thing over and over again and expecting different results." .... as a future "If at first you don't succeed, try and try again" driver?
And Uncle Sam itself, if you can believe its usual assortment of serial warmongers, is under sustained hostile attack from the future and quantum machinery ......
This is important since quantum computing is already a threat to national security. National data is currently being stolen and stored with the intention of decrypting it as soon as these powerful quantum computers come on-line. ........ https://www.nationaldefensemagazine.org/articles/2022/4/13/unentangling-the-quantum-security-executive-order........ but then they and their allies are always appearing to be assaulted by some ethereal Tom, Dick or Harry in order to enable them to justify lease lending newly perceived/freshly conceived novel victim clients increasingly expensive exploding tools and rapidly depreciating assets which they are forever indebted to try and repay with a punitive tax on the wealth of the yet to be born and innocent. It is the for profit [extra money for nothing] capitalist way, is it not ..... but it has had its day, has it not ? It is stale and failed/stagnant and unproductive?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
