Skip links

OpenSSH takes aim at ‘capture now, decrypt later’ quantum attacks

OpenSSH 9 is here, with updates aimed at dealing with cryptographically challenging quantum computers.

The popular open-source SSH implementation aims to provide secure communication in a potentially unsecure network environments. While version 9 is ostensibly focused on bug-fixing, there are some substantial changes lurking within that could catch the unwary, most notably, the switch from the legacy SCP/RCP protocol to SFTP by default.

The OpenSSH group warned the change was coming earlier this year, with a deprecation notice in February’s version 8.9 release. Experimental support for transfers using the SFTP protocol as a replacement for the SCP/RCP protocol turned up in version 8.7 in August 2021 with the warning: “It is intended for SFTP to become the default transfer mode in the near future.”

The future, it appears, has arrived (at least as far as OpenSSH is concerned) with the defaulting to SFTP, which introduces some potential incompatibilities: gone is the requirement for the “finicky and brittle quoting” used by the legacy SCP/RCP “and attempts to use it may cause transfers to fail,” according to the OpenSSH group, which added there was no intention to introduce bug-compatibility for legacy SCP/RCP when using the SFTP protocol (although the -O flag can be used to force scp to use the legacy protocol.)

Hello from the future-ture-ture

However, a bigger nod to the future has come in the form of the use of the “hybrid Streamline NTRU Prime + x25519 key exchange method by default.”

“The NTRU algorithm is believed to resist attacks enabled by future quantum computers,” explained the team, “and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.”

It added: “We are making this change now (ie, ahead of cryptographically-relevant quantum computers) to prevent “capture now, decrypt later” attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.”


Why is IBM selling post-quantum crypto when it’s still a pre-quantum company?


Nth degree Truncated polynomial Ring Units (NTRU) is a cryptosystem and a contender for securing communication should quantum computers ever turn up in the real world.

OpenSSH clearly thinks they are on the way, as do other organizations; America’s National Science Foundation awarded a $715,000 grant to researchers to hunt out gaps in quantum computing security, although last year the US National Security Agency said it “does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist.”

The move by the OpenSSH team therefore may be a prudent one. After all, who knows what the future might hold? ®