Protection offered against ‘capture now, decrypt later’ attacks

OpenSSH 9.0 supports post-quantum cryptography by default

Developers of the OpenSSH secure networking utility are ‘future proofing’ the technology by adopting post-quantum cryptography.

The latest OpenSSH 9.0 release defaults to the NTRU Prime algorithm – a scheme designed to resist brute-force attacks that might be enabled by future quantum computers – while supporting the previous default (X25519 ECDH key exchange) as a backstop. In either case, the algorithms are used to negotiate session keys that protect data in transit.
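To confirm that a local configuration override has not removed the new default, the effective key-exchange list can be audited. The script below is an added example, not code from the OpenSSH project or the original article; it assumes the hybrid NTRU Prime/X25519 method is the one OpenSSH names `sntrup761x25519-sha512@openssh.com`, and the sample configuration dumps are constructed.

```shell
#!/bin/sh
# Added example: classify the key-exchange preference list in an effective
# OpenSSH configuration dump, as printed by `ssh -G <host>` or `sshd -T`.
# Assumption: the NTRU Prime + X25519 hybrid is the KEX method named below.
PQ_KEX='sntrup761x25519-sha512@openssh.com'

# Reads a configuration dump on stdin and prints one verdict:
#   pq-preferred | pq-offered-not-first | pq-missing | no-kex-line
kex_audit() {
    awk -v pq="$PQ_KEX" '
        tolower($1) == "kexalgorithms" {
            found = 1
            pos = 0
            # The value is a comma-separated list in preference order.
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) if (algs[i] == pq) { pos = i; break }
        }
        END {
            if (!found)        print "no-kex-line"
            else if (pos == 1) print "pq-preferred"
            else if (pos > 1)  print "pq-offered-not-first"
            else               print "pq-missing"
        }'
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_DEFAULT='port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com'

# A hardening template written before 9.0 that pins older methods only.
SAMPLE_OVERRIDE='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256'

printf '%s\n' "$SAMPLE_DEFAULT"  | kex_audit
printf '%s\n' "$SAMPLE_OVERRIDE" | kex_audit

# On a live system, feed it the real effective configuration instead:
#   ssh -G example.org | kex_audit     (client side)
#   sshd -T | kex_audit                (server side, run as root)
```

A `pq-missing` verdict on a 9.0 host usually points to an explicit `KexAlgorithms` line in `ssh_config` or `sshd_config` that predates the new default.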

OpenSSH is a widely used open source technology whose applications include remote login to servers and secure file transfer.


Conventional cryptographic schemes derive their security from the difficulty of solving mathematical problems that current computers are unable to crack.

Quantum computers are still in their infancy but offer the potential to drastically reduce the time and resources needed to break current encryption schemes.

Even though this potential threat only exists in the future, OpenSSH developers said they are making the change now (ahead of cryptographically-relevant quantum computers) “to prevent ‘capture now, decrypt later’ attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available”.

Looking ahead

The switch – detailed in a release note from developers last Friday – guards against the possibility that intelligence agencies or similarly capable attackers might harvest and store data encrypted under OpenSSH exchanges, then break that encryption in the future as a result of as yet unrealized advances in quantum computing.

Quantum computers rely on the properties of quantum states – such as superposition or entanglement – rather than the simple binary states (0 or 1) of conventional computers.

When combined with quantum algorithms the technology might be expected to solve some mathematical problems, such as integer factorization, in a much shorter amount of time – posing a threat to current encryption schemes.

OpenSSH has embraced post-quantum cryptography ahead of the ratification of future protocols by NIST, a forward-thinking move welcomed by at least some specialists in the field.

Duncan Jones, cryptography expert and head of cybersecurity at quantum computing start-up Quantinuum, commented: “The OpenSSH team should be applauded for taking a public stand at a time when most security products are in a holding pattern waiting for the NIST post-quantum process to complete.

“Although the timing of their release is surprising, with major NIST announcements expected in the days to come, it shows they value user security above the potential inconvenience of adjusting algorithms in subsequent releases.”
