6 comments

[ 2.6 ms ] story [ 18.4 ms ] thread
Keep in mind that many of the preferred key exchange algorithms and ciphers have changed vastly since 2006. OpenSSH has been improving in the cryptography department by leaps and bounds.

OpenSSH 5.2 switched to preferring AES-CTR.

OpenSSH 5.7 added ECDH as a kex and ECDSA as for signing.

OpenSSH 6.2 added encrypt-then-mac and prefers it by default.

OpenSSH 6.5 added Curve25519 as a kex and chacha20-poly1305 as a cipher. As well as Ed25519 for signing.

OpenSSH 8 will add quantum resistant algorithms for key exchange.

> OpenSSH 8 will add quantum resistant algorithms for key exchange.

Any additional information? This is really good to hear. PQ key exchange in SSH makes a lot of sense: Except when its used as some backend communications for automation SSH key establishment is hardly performance critical, and can easily afford extra round trips for negotiation.

Any idea if there are plans for PQ key authentication? A SPHINCS signature or similar would be very nice-- and the security story for hash based signatures is excellent.

They're using a mixture of Streamlined NTRU Prime 4591^761 and X25519.

https://ntruprime.cr.yp.to/

Note that this is still considered "experimental" and probably won't be enabled by default.

I'd advise checking out some of the recent DJB and Tanja Lange talks for further detail on how research on these algorithms is progressing:

https://www.youtube.com/watch?v=ZCmnQR3_qWg

There's also the older but still relevant PQCHacks:

https://media.ccc.de/v/32c3-7210-pqchacks

Haven't seen any talk of post quantum signatures in changelogs yet at least, but research is happening rapidly in this field and OpenSSH has really upped their game in recent years.

This always triggers a bit of a rant from me; I apologize in advance!

I wish OpenSSH supported GSSAPI Key Exchange.

OpenSSH has for some time supported using GSSAPI for authentication. What I am referring to is using GSSAPI in place of the normal trust-on-first-use host key verification.

GSSAPI Key Exchange was standardized in RFC 4482 (https://datatracker.ietf.org/doc/rfc4462); an updated version (using SHA-2, newer DH groups, and an option for ECDH) is in last call (https://datatracker.ietf.org/doc/draft-ietf-curdle-gss-keyex...).

GSSAPI Key Exchange is great in environments where systems and are members of a Kerberos realm. They all already trust the realm’s KDCs, and it would be nice to be able to extend that to SSH.

It may also be possible to use this in an Active Directory environment, as AD uses Kerberos under the hood for some of its user and machine authentication functions.

PuTTY recently got support for GSSAPI Key Exchange, in 0.71 (https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/..., it already has support for GSSAPI authentication).

The OpenSSH developers have confirmed that they will not implement this in OpenSSH (http://bugzilla.mindrot.org/show_bug.cgi?id=1242).