Re: [Curdle] Quantum Resistant SSH connections

Hubert Kario <> Thu, 01 October 2020 16:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E54F3A10EC for <>; Thu, 1 Oct 2020 09:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.297
X-Spam-Status: No, score=-3.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IUTh3xaWtYho for <>; Thu, 1 Oct 2020 09:25:55 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 286CF3A10E6 for <>; Thu, 1 Oct 2020 09:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1601569554; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=k6u8K2k9r7X1tVOZ76o0AJPIyoc8SXRt5Wtw5ddI2Hs=; b=G1Q7D1tq0N5fu6hBCQGkIaNvUUA1WzmQU0MScq+Pa6ngchm+U3wXwmtM6lWA9itU4x4IzO jpDqHNt1bPl+2Ry6H6q1zs0CYi0nv28AWZsWlmnasaUF1wyCVaSToW3qjoPnzNgv0crs26 LTaUGPawg3fjxBMB/XLKqnqLSrubgj4=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-183-6htIphMlO1-b4C78PMEqFA-1; Thu, 01 Oct 2020 12:25:46 -0400
X-MC-Unique: 6htIphMlO1-b4C78PMEqFA-1
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C9071802B51; Thu, 1 Oct 2020 16:25:45 +0000 (UTC)
Received: from localhost (unknown []) by (Postfix) with ESMTPS id 0EC2F19C78; Thu, 1 Oct 2020 16:25:44 +0000 (UTC)
From: Hubert Kario <>
To: "Mark D. Baushke" <>
Cc: <>
Date: Thu, 01 Oct 2020 18:25:42 +0200
MIME-Version: 1.0
Message-ID: <>
In-Reply-To: <>
References: <> <>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.13.2; xcb; Linux; Fedora release 31 (Thirty One)
X-Scanned-By: MIMEDefang 2.84 on
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Curdle] Quantum Resistant SSH connections
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of potential new security area wg." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Oct 2020 16:25:58 -0000

On Thursday, 1 October 2020 18:06:57 CEST, Mark D. Baushke wrote:
> Hi Hubert,
> Hubert Kario <> writes:
>> Hi everybody,
>> As it's fairly easy, and common, to configure Kerberos infrastructure
>> to be resistant against quantum computers, I'd like to submit a new
>> key exchange for SSH that leverages that quantum resistance to make
>> quantum resistant SSH connections. ...
> Thank you for the pointers.
> Related to Quantum-Resistant and Quantum-Safe algorithms, you may find
> these pointers useful as well:
> There is a github project under an MIT licesnse:
> which provides for various Quantum-Safe cryptographic algorithms.
> There is also a paper published last year:
>     Prototyping post-quantum and hybrid key exchange and authentication in
>     TLS and SSH
>     by Eric Crockett and Christian Paquin and Douglas Stebila
>     URL:
> which may be of interest as a hybrid mechanism may be more acceptable as
> a transition to PQ than a direct move for some implementers.
> 	Be safe, stay healthy,
> 	-- Mark

Yes, I'm aware of those projects and this research.

The reason why I went with stright-up kerberos is becasue:
1. There is no single quantum safe algorithm widely agreed as the best
2. It may be good few years before we will get one
3. It may require few more years still before those algorithms become 
   to national or international standard bodies (FIPS, PCI-DSS, Common
   Criteria, etc.)
4. Backporting completely new cryptographic algorithms to existing 
   is usually hard, if not impossible. Not to mention it may take years 
   we have something that's secure against side-channel attacks in 

This I-D proposes a mechanism that doesn't use any new cryptography and
requires minimal changes to a SSH implementation (and uses just two new 
from GSSAPI). Which should make it very easy to add in new deployments and
isn't very hard to backport to old deployments.

In other words, I don't consider it a replacement for proper quantum-safe
kex, but a stepping stone that will tide us over until quantum-safe 
are widely deployed.
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic