{"id":572325,"date":"2019-08-06T16:00:26","date_gmt":"2019-08-06T23:00:26","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?post_type=msr-project&p=572325"},"modified":"2019-08-06T16:06:49","modified_gmt":"2019-08-06T23:06:49","slug":"post-quantum-ssh","status":"publish","type":"msr-project","link":"https:\/\/www.microsoft.com\/en-us\/research\/project\/post-quantum-ssh\/","title":{"rendered":"Post-Quantum SSH"},"content":{"rendered":"
The Secure Shell (SSH) protocol is one of the most widely used security protocols in use today; it protects the information exchanged between clients and servers. SSH is secure against today\u2019s classical computers. However, because its security relies in part on asymmetric cryptography, SSH is vulnerable to future attacks from quantum computers.<\/p>\n
<\/p>\n
Both RSA and Elliptic Curve Diffie-Hellman, the asymmetric algorithms that set up an SSH session, will succumb to Shor\u2019s algorithm on a sufficiently large quantum computer. While a quantum computer of that size and stability may be 5 to 15 years off, cryptographers from around the world are working now to identify new, quantum-safe algorithms.<\/p>\n
Given the importance of SSH, early planning for the transition to post-quantum cryptography needs to start soon. Asymmetric cryptography in SSH needs to be migrated in two places: the key exchange, which establishes the session keys, and the signatures, which authenticate the server (and, with public-key authentication, the client). Of the two, the key exchange is the more urgent: an adversary who records SSH traffic today can decrypt it once a large quantum computer exists, whereas a signature only needs to resist forgery at the moment the authentication takes place.<\/p>\n
Until we gain full confidence in the new post-quantum cryptographic schemes, we recommend using them in what we call hybrid mode. Both a classical and a post-quantum key exchange (or signature) are performed in parallel, and the two results are combined: the two shared secrets are fed together into the derivation of the session keys, and a hybrid signature is accepted only if both of its component signatures verify. The connection then remains secure as long as at least one of the two schemes holds, so the post-quantum component adds protection against quantum attacks without giving up the security of today\u2019s schemes.<\/p>\n
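As an added example (not code from the Open Quantum Safe OpenSSH fork or from liboqs), the following Python shows where hybrid mode changes the SSH key exchange and where it does not: the classical and post-quantum shared secrets are combined into a single K, and K then enters the unchanged exchange hash and key schedule of RFC 4253. It assumes the combiner K = SHA-384(string(K_classical) || string(K_pq)) used in the IETF post-quantum SSH drafts; the fork\u2019s exact encoding may differ. The transcript values and the two shared secrets are constructed stand-ins, not real protocol output.<\/p>\n

```python
# Added example (not code from the OQS OpenSSH fork or liboqs): a hybrid
# key-exchange combiner feeding the unchanged SSH key schedule of RFC 4253.
# Assumption: K = SHA-384(string(K_classical) || string(K_pq)), the
# construction used in the IETF post-quantum SSH drafts; the OQS fork's
# exact encoding may differ.
import hashlib


def ssh_string(data: bytes) -> bytes:
    # RFC 4251 'string': 4-byte big-endian length followed by the bytes.
    return len(data).to_bytes(4, 'big') + data


def ssh_mpint(value: int) -> bytes:
    # RFC 4251 'mpint' for non-negative values: minimal two's-complement
    # big-endian encoding, wrapped as a string. Zero encodes as an empty
    # string; a 0x00 byte is prepended when the top bit is set.
    if value < 0:
        raise ValueError('only non-negative values are used here')
    if value == 0:
        return ssh_string(b'')
    length = (value.bit_length() + 8) // 8
    return ssh_string(value.to_bytes(length, 'big'))


def combine_shared_secrets(k_classical: bytes, k_pq: bytes) -> int:
    # Hybrid combiner: hash the length-prefixed concatenation of both
    # shared secrets. Length prefixing stops different (k_classical, k_pq)
    # splits of the same byte string from producing the same K. Because
    # both inputs enter a preimage-resistant hash, an attacker who learns
    # one secret (e.g. k_classical via Shor) still cannot reproduce K.
    digest = hashlib.sha384(ssh_string(k_classical) + ssh_string(k_pq)).digest()
    return int.from_bytes(digest, 'big')


TRANSCRIPT_FIELDS = ('V_C', 'V_S', 'I_C', 'I_S', 'K_S', 'Q_C', 'Q_S')


def exchange_hash(transcript: dict, k: int) -> bytes:
    # Simplified RFC 4253 exchange hash H. In hybrid mode Q_C and Q_S carry
    # the classical and post-quantum public values together, so both are
    # bound into H and covered by the host-key signature.
    h = hashlib.sha384()
    for field in TRANSCRIPT_FIELDS:
        h.update(ssh_string(transcript[field]))
    h.update(ssh_mpint(k))
    return h.digest()


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    # RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id),
    # Kn = HASH(K || H || K1 || ... || Kn-1), output truncated to length.
    k_enc = ssh_mpint(k)
    out = hashlib.sha384(k_enc + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha384(k_enc + h + out).digest()
    return out[:length]


def session_keys(k_classical: bytes, k_pq: bytes, transcript: dict, key_len: int = 32) -> dict:
    # Full hybrid key schedule: combine, hash the transcript, then derive the
    # six keys (IVs, encryption keys, MAC keys) exactly as classical SSH does.
    # On the first exchange the session identifier is H itself.
    k = combine_shared_secrets(k_classical, k_pq)
    h = exchange_hash(transcript, k)
    return {x: derive_key(k, h, x.encode(), h, key_len) for x in 'ABCDEF'}


def sample_transcript() -> dict:
    # Constructed stand-in values for the demo; a real transcript holds the
    # version strings, KEXINIT payloads, host key and public KEX values.
    classical_pub = bytes(range(32))          # stands in for an ECDH public point
    pq_pub = bytes(range(256)) * 4            # stands in for a PQ KEM public key
    return {
        'V_C': b'SSH-2.0-client', 'V_S': b'SSH-2.0-server',
        'I_C': b'kexinit-client', 'I_S': b'kexinit-server',
        'K_S': b'host-key-blob',
        'Q_C': classical_pub + pq_pub, 'Q_S': classical_pub[::-1] + pq_pub[::-1],
    }


if __name__ == '__main__':
    keys = session_keys(bytes([1]) * 32, bytes([2]) * 32, sample_transcript())
    for name, key in keys.items():
        print(name, key.hex())
```

The point to take from the code is how little of SSH moves: only the computation of K and the contents of the public-value fields change, while H and the six derived keys are produced by the existing RFC 4253 schedule. Changing either shared secret changes every derived key, which is the property hybrid mode relies on.<\/p>\n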
OpenSSH<\/a> is an open-source implementation of the Secure Shell (SSH) protocol. The Open Quantum Safe OpenSSH repository<\/a> contains a fork of OpenSSH 7.7 that adds quantum-resistant key exchange and signature algorithms using liboqs<\/a> for prototyping purposes. The post-quantum key exchange algorithms FrodoKEM<\/a> and SIKE<\/a>, and the signature algorithms Picnic<\/a> and qTESLA<\/a>, co-developed by Microsoft, have been integrated into this project.<\/p>\n liboqs and this integration into OpenSSH are designed for prototyping and evaluating quantum-resistant cryptography, not for production use. The security of proposed quantum-resistant algorithms may change rapidly as research advances, and any specific post-quantum algorithm may ultimately prove to be completely insecure against either classical or quantum computers.<\/p>\nMore information<\/h2>\n