
harvest now, decrypt later post-quantum attacks



Post-quantum SSH uses hybrid key exchange algorithms to protect Secure Shell connections against future decryption by quantum computers, specifically mitigating "store now, decrypt later" (also called "harvest now, decrypt later") attacks, where encrypted traffic is recorded today so it can be decrypted once a large enough quantum computer exists.

Key implementation details:

- OpenSSH defaults: OpenSSH 10.0 (released April 2025) made mlkem768x25519-sha256 the preferred key exchange algorithm, succeeding sntrup761x25519-sha512, which had been the default since OpenSSH 9.0.
- Hybrid approach: both algorithms combine classical elliptic-curve Diffie-Hellman (X25519) with a post-quantum KEM (ML-KEM-768 or Streamlined NTRU Prime sntrup761). The session key is derived from both shared secrets, so the exchange is never weaker than the classical component alone and remains secure if either component is broken.
- Industry adoption: platforms such as GitHub and AWS Transfer Family have enabled these hybrid algorithms for Git-over-SSH and SFTP traffic; GitHub announced sntrup761x25519-sha512 support in September 2025.
- Security warnings: starting with OpenSSH 10.1, the client prints a warning when a connection does not use a post-quantum key exchange, indicating that a recording of the session could be decrypted by a future quantum computer.
- Configuration: administrators can enforce these algorithms by setting KexAlgorithms in /etc/ssh/sshd_config (and in ssh_config on the client). The warning can be silenced for legacy servers that cannot be upgraded with WarnWeakCrypto no-pq-kex in ssh_config; silencing it does not make the connection any safer, it only hides the fact that the exchange is classical.

sntrup761x25519-sha512 is considered resistant to known quantum attacks based on current cryptographic understanding.

- Quantum-resistant core: the sntrup761 component is a lattice-based post-quantum KEM (Streamlined NTRU Prime) designed to withstand attacks by quantum computers. Shor's algorithm breaks the factoring and discrete-logarithm problems behind RSA and elliptic curves, but gives no comparable speedup against the structured lattice problems sntrup761 relies on.
- Hybrid design: the full sntrup761x25519-sha512 algorithm combines the post-quantum sntrup761 with the classical X25519 exchange, so the key exchange is at least as strong as the stronger of the two components. Even if a weakness were found in sntrup761 in the future, the connection would still be protected by X25519 against classical attackers; conversely, if X25519 falls to a quantum computer, sntrup761 still protects the session key.
- NIST evaluation: sntrup761 was not selected as a primary standard by NIST, which chose CRYSTALS-Kyber (now ML-KEM), but it was a strong candidate and is considered secure. It is believed to resist both classical and quantum adversaries based on the hardness of structured lattice problems.

Therefore, while no algorithm can be guaranteed immune to all future attacks, quantum or classical, sntrup761x25519-sha512 is currently believed to be secure and is deployed in OpenSSH and at GitHub specifically to protect against future quantum computers.

Traditional OpenSSL configurations are vulnerable to future quantum attacks, but OpenSSL 3.5.0 (released April 2025) addresses this by incorporating NIST-standardized post-quantum cryptography (PQC).

- The vulnerability: standard OpenSSL deployments rely on classical asymmetric algorithms such as RSA and ECC (ECDH for key exchange, ECDSA or RSA for authentication). A sufficiently powerful quantum computer running Shor's algorithm breaks these, enabling "harvest now, decrypt later" attacks against recorded TLS sessions.
- The solution, OpenSSL 3.5.0+: starting with 3.5.0, OpenSSL ships built-in implementations of the NIST PQC standards:
  - ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) for quantum-resistant key exchange.
  - ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+) for quantum-resistant digital signatures.
- Hybrid approach: OpenSSL 3.5.0's default TLS 1.3 key exchange groups lead with the hybrid X25519MLKEM768 (X25519 combined with ML-KEM-768). As with SSH, the session key depends on both shared secrets, so confidentiality holds even if one of the two algorithms is broken in the future. Note that this protects the key exchange only; server authentication still depends on whatever certificate type the peer presents, and PQ certificates are not yet widely deployed.
Therefore, while older OpenSSL versions can only negotiate classical key exchange, 3.5.0 and later negotiate quantum-resistant key exchange out of the box using standardized PQC algorithms.

Shor's algorithm can break the asymmetric encryption (such as RSA) used to wrap a symmetric key, but it cannot break the symmetric cipher (such as AES) that protects the file data itself.

- Where Shor's algorithm matters: openssl enc with a password involves no asymmetric cryptography at all. The key is derived from the password by a KDF (PBKDF2-HMAC-SHA256 with 10,000 iterations by default when -pbkdf2 is given, adjustable with -iter; a weaker single-pass derivation otherwise) and the data is encrypted with a symmetric cipher such as AES-256. Shor's algorithm only becomes relevant if that symmetric key was additionally wrapped with RSA or ECC, for example with openssl pkeyutl or in a CMS/S/MIME envelope: a quantum computer could then recover the wrapped key and decrypt the file.
- The data is (mostly) safe: Shor's algorithm does not apply to symmetric ciphers. The quantum threat to AES is Grover's algorithm, a quadratic speedup for exhaustive search, which in the idealized model reduces AES-256 to about 128 bits of security, still far beyond computational reach. In practice Grover's iterations must run sequentially and parallelize poorly, so the real cost is higher still.

Therefore, a file encrypted with openssl enc -pbkdf2 and AES-256 under a strong, high-entropy password is considered secure against quantum attack; Shor's algorithm does not apply to it. The weak link remains the password: if it is guessable, neither the cipher nor the KDF saves the file.

The number of PBKDF2 iterations has no bearing on an attack with Shor's algorithm.

- Shor's algorithm is irrelevant here: it breaks asymmetric cryptography (RSA, ECC) by solving integer factorization and discrete logarithms. PBKDF2 is a symmetric construction built from repeated HMAC evaluations, which Shor's algorithm does not touch.
- The real quantum threat is Grover's algorithm: a quantum attacker searches the password space with Grover's algorithm, which reduces the number of guesses needed from roughly N/2 to roughly sqrt(N) for a space of N candidates.
- Iterations do mitigate Grover's algorithm: while irrelevant to Shor's, the iteration count matters against Grover's algorithm. Every guess, classical or quantum, must evaluate the full KDF, so a higher work factor multiplies the cost of each Grover iteration just as it multiplies the cost of each classical guess.

No key derivation function is "quantum-secure" in the sense that post-quantum asymmetric algorithms are; KDF security is a matter of cost, and it is maintained by raising the work factor to offset Grover's quadratic speedup.

- The threat is Grover's, not Shor's: in the idealized model Grover's algorithm halves the security level of a brute-force search (a 128-bit keyspace offers about 64 bits of security against a quantum attacker). For a password the relevant number is the password's entropy, not the derived key's length, so the halving applies to the password space.
- Mitigation via work factors: the primary defense is to raise the function's computational cost (iterations, memory, parallelism), which makes each guess slower and more expensive for any attacker. Memory-hard functions are especially valuable here, because a memory-hard KDF evaluated inside a quantum circuit is extremely expensive and Grover's sequential iterations cannot be spread across machines the way a classical GPU search can.
- Recommended algorithms:
  - Argon2 (specifically argon2id): the winner of the Password Hashing Competition, memory-hard and tunable; the current default choice. Its memory cost (m_cost), time cost (t_cost) and parallelism (p) parameters should be set as high as the service can tolerate.
  - scrypt: also memory-hard and still a strong choice when configured with a high CPU/memory cost N, together with block size r and parallelism p.
  - PBKDF2: older and not memory-hard, so GPUs and ASICs evaluate it cheaply. It remains acceptable with a high iteration count (current OWASP guidance is 600,000 iterations of PBKDF2-HMAC-SHA256), but pushing the count into the millions to compensate for its lack of memory hardness quickly becomes impractical for interactive logins.

In short, Argon2 and scrypt with high work factors are the most robust choices against brute-force attacks, quantum or classical, and password entropy is the parameter that matters most.

Proof of Stake (PoS) is a blockchain consensus mechanism and is not an algorithm used for cryptographic key derivation.
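The following is an added worked example, not code from the original post: it runs PBKDF2-HMAC-SHA256 (the KDF openssl enc -pbkdf2 uses) and scrypt from Python's standard library, measures the per-guess cost, and applies the idealized Grover bound from the discussion above to show how iteration count and password entropy combine. The password, salt and attack-cost model are constructed for illustration; the Grover estimate is the textbook lower bound and real quantum costs would be higher.

```python
import hashlib
import math
import time

# Constructed sample inputs (not from the original page).
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def pbkdf2_sha256(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256, the derivation `openssl enc -pbkdf2` performs
    (10,000 iterations by default; raise it with -iter)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def scrypt_key(password, salt, n=2**14, r=8, p=1, dklen=32):
    """scrypt: n is the CPU/memory cost (a power of two), r the block size,
    p the parallelism. Memory use is roughly 128 * n * r bytes, i.e. 16 MiB
    here, which is what makes GPU/ASIC guessing expensive."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=256 * 1024 * 1024, dklen=dklen)


def seconds_per_guess(kdf, repeats=3):
    """Wall-clock cost of one KDF evaluation on this machine. An attacker's
    per-guess cost on comparable hardware; GPUs do far better than this
    against PBKDF2, much less so against memory-hard functions."""
    start = time.perf_counter()
    for _ in range(repeats):
        kdf()
    return (time.perf_counter() - start) / repeats


def grover_security_bits(keyspace_bits):
    """Grover needs about sqrt(N) = 2**(bits/2) evaluations instead of N/2,
    so a 128-bit search space behaves like a 64-bit one in the idealized model."""
    return keyspace_bits / 2


def expected_attack_seconds(entropy_bits, per_guess_seconds, quantum=False):
    """Expected search cost. Classical: half the space on average.
    Quantum (idealized Grover): (pi/4) * sqrt(N) sequential KDF evaluations,
    each at least as expensive as a classical one. Every iteration added to
    the KDF scales both numbers by the same factor."""
    n = 2.0 ** entropy_bits
    guesses = (math.pi / 4) * math.sqrt(n) if quantum else n / 2
    return guesses * per_guess_seconds


def attack_table(entropy_bits, per_guess_seconds):
    """Classical and Grover search times in years for one KDF cost setting."""
    year = 365.25 * 24 * 3600
    return {
        "classical_years": expected_attack_seconds(entropy_bits, per_guess_seconds) / year,
        "grover_years": expected_attack_seconds(entropy_bits, per_guess_seconds, True) / year,
    }


if __name__ == "__main__":
    for label, iters in (("openssl enc -pbkdf2 default", 10_000),
                         ("OWASP 2023 guidance", 600_000)):
        cost = seconds_per_guess(lambda: pbkdf2_sha256(PASSWORD, SALT, iters))
        print(f"{label}: {iters} iterations, {cost * 1e3:.1f} ms per guess")
        for bits in (40, 64, 80):
            t = attack_table(bits, cost)
            print(f"  {bits}-bit password: classical {t['classical_years']:.3g} y, "
                  f"Grover bound {t['grover_years']:.3g} y")
    cost = seconds_per_guess(lambda: scrypt_key(PASSWORD, SALT))
    print(f"scrypt n=2**14 r=8: {cost * 1e3:.1f} ms per guess, plus ~16 MiB per parallel guess")
```

The table makes the point of the section concrete: a 40-bit password falls to either attacker regardless of KDF, an 80-bit password survives both even at the Grover bound, and raising iterations shifts every row by the same factor. The KDF buys time; entropy decides the outcome.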
Key derivation relies on dedicated cryptographic functions such as PBKDF2, HKDF and Argon2, or on domain-specific schemes such as DUKPT (Derived Unique Key Per Transaction) in payment systems. PoS and key derivation are separate concepts serving different purposes in their respective domains.

Of the common password-based KDFs, PBKDF2 uses the least power and computational resources.

- Power efficiency: PBKDF2 is the fastest of the common choices and has low memory usage, which makes it the least computationally intensive and therefore the most power-efficient option. That efficiency is exactly its security drawback: an attacker's guesses are just as cheap.
- scrypt and Argon2 are memory-hard functions designed to consume significant RAM so that GPUs and ASICs gain little advantage over general-purpose CPUs. That memory traffic translates directly into higher power consumption per evaluation than PBKDF2.
- Trade-off: PBKDF2 is a lower-power alternative to scrypt and Argon2, but it is more exposed to GPU and ASIC guessing. It is best suited to resource-constrained environments (embedded devices, FIPS-constrained deployments) where a memory-hard function is not available or affordable, and then only with a high iteration count.

OpenSSL 3.2 introduced support for the Argon2 key derivation function. This version, released in November 2023, added the EVP_KDF-ARGON2 implementation as defined in RFC 9106, so applications can use Argon2d, Argon2i and Argon2id through the OpenSSL library instead of pulling in a separate dependency.

Current implementations of HTTPS (TLS) in browsers are vulnerable to future quantum attacks, but major browsers are actively deploying defenses.
- The vulnerability: the classical asymmetric algorithms used in TLS (RSA and ECDSA for authentication, ECDH for key exchange) can be broken by a large-scale quantum computer running Shor's algorithm. Recorded key exchanges can therefore be opened later, which is the "harvest now, decrypt later" threat.
- The defense, hybrid key exchange: current versions of Google Chrome, Microsoft Edge, Mozilla Firefox and Apple's platforms implement hybrid post-quantum key exchange (X25519MLKEM768, that is X25519 combined with ML-KEM-768; earlier builds used the draft Kyber variant). The session key depends on both the classical and the post-quantum shared secret.
- The next frontier, authentication: while key exchange is being secured, the digital signatures that authenticate servers through certificates are still almost entirely classical. Proposals such as Merkle Tree Certificates (MTCs) are being developed and tested to make the whole TLS handshake quantum-resistant without the large certificate chains that ML-DSA or SLH-DSA would otherwise produce. A quantum attacker who can forge signatures could impersonate a server in the future, but cannot retroactively decrypt a recorded session whose key exchange was hybrid.

Therefore, while the core vulnerability exists, the transition to quantum-resistant TLS key exchange is already in place in major browsers.

The following major browsers have implemented post-quantum safeguards:

- Google Chrome: enabled the draft X25519Kyber768 hybrid by default in version 124 and switched to the standardized X25519MLKEM768 in version 131.
- Microsoft Edge: as a Chromium-based browser, Edge follows Chrome's timeline and has shipped X25519MLKEM768 by default from version 131 onward.
- Mozilla Firefox: X25519MLKEM768 became the default for TLS over TCP in version 132 on desktop, and for QUIC/HTTP3 connections in version 135.
- Apple Safari: Apple has integrated PQC algorithms and supports hybrid post-quantum key exchange, though public details on the default-on timeline are less specific than for the other browsers.

The Brave browser has implemented post-quantum safeguards.
- As a Chromium-based browser, Brave follows Google Chrome's timeline for cryptographic features.
- It carried pre-standards support for the draft Kyber hybrid key exchange from version 1.57.
- The standardized hybrid X25519MLKEM768 became the default in Brave 1.73 (based on Chromium 131).

Tor Browser has the capability to use post-quantum safeguards, but they are not enabled by default. Two different TLS layers are involved and are easy to confuse:

- The browser's own HTTPS connections to websites (Firefox code using NSS): the hybrid X25519MLKEM768 key exchange (previously X25519Kyber768) is controlled by the security.tls.enable_kyber preference in about:config. Tor Browser ships it disabled, so the user must enable it manually. This TLS session runs end to end between the browser and the destination site through the circuit, so it does not depend on any relay's support.
- The bundled tor daemon's link TLS to the guard relay (OpenSSL): since Tor Browser has been built against OpenSSL 3.5.0+ (from version 13.5.22, released September 2025), the client can offer hybrid x25519/ML-KEM-768 on that hop, but it only takes effect if the guard relay also supports the post-quantum handshake.
- The onion-layer circuit handshake (ntor) is still classical. Post-quantum key material does not fit in Tor's fixed 509-byte relay cells, which is why cell fragmentation has to be deployed first.

As of now, Tor Browser has no public timeline for enabling post-quantum cryptography (PQC) by default.

- The security.tls.enable_kyber hybrid has been available since version 13.5.22 (September 2025) but remains off by default and requires manual activation in about:config.
- A feature request to enable it by default exists, but the Tor Project has indicated that a network-wide dependency, the deployment of "fragmented cells" across the relay network, must land before a default switch can be made.
- Progress appears to be ongoing but depends on infrastructure changes, and no official date for default enablement has been announced.

The main downside of not enabling security.tls.enable_kyber in Tor Browser is reduced future security.
- Vulnerability to "harvest now, decrypt later" attacks: without the hybrid key exchange (X25519MLKEM768), the browser's TLS sessions to websites rely solely on classical X25519. The session keys of any recorded session could be recovered by a future large-scale quantum computer running Shor's algorithm, and the session content with them.
- Lack of proactive defense: quantum computers capable of this attack do not exist today, but adversaries able to record Tor traffic now could keep it for later. Enabling the post-quantum key exchange removes that future exposure for sessions made from now on; it does nothing for traffic already recorded.
- No immediate functional downside: leaving the feature off does not break functionality or degrade performance; the connection simply uses the standard, quantum-vulnerable X25519 exchange.

The main downsides of enabling security.tls.enable_kyber in Tor Browser are potential connectivity issues and a modest increase in handshake size and cost.

- Network compatibility problems: the ML-KEM-768 key share adds about 1.2 KB to the ClientHello, so the hello no longer fits in a single TCP segment or a single QUIC Initial packet. Firewalls, VPN clients (F-Secure/Freedome was one reported case), deep packet inspection (DPI) tools and older TLS stacks that assume a one-packet ClientHello can then stall or reset the connection, showing up as timeouts or failures. Many of these bugs were found when Chrome enabled Kyber by default and have since been fixed, but not everywhere.
- Increased resource consumption: ML-KEM itself is cheap in CPU terms; the dominant costs are the larger key share and the roughly 1.1 KB ciphertext in the server's reply. The extra bytes make the handshake more sensitive to packet loss on high-latency links and add a small amount of handshake time (the page's estimate is about 1.25x to 1.28x a classical handshake).
- Implementation risks: the algorithms are standardized, but the hybrid implementation itself can have bugs. "KyberSlash", a timing side channel in a division operation in several Kyber implementations, showed that code can leak secrets even when the underlying mathematics is sound.
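As an added illustration of the size problem behind both the "fragmented cells" dependency in Tor and the ClientHello compatibility issues above (this is not code from the original post or from any browser or Tor project), the script below computes how large a hybrid ClientHello is, how many TCP segments or QUIC Initial packets it needs, and how many Tor relay cells an ML-KEM-768 public key would occupy. The ML-KEM and X25519 sizes are the published ones; the 300-byte figure for the rest of the ClientHello and the use of the bare 509-byte cell payload are assumptions made for the example.

```python
import math

# Sizes fixed by the specifications: X25519 public key 32 bytes; ML-KEM-768
# encapsulation key 1184 bytes and ciphertext 1088 bytes (FIPS 203). The draft
# X25519Kyber768 hybrid had the same sizes, so the middlebox problems predate
# the final ML-KEM standard.
CLIENT_SHARE_BYTES = {"x25519": 32, "secp256r1": 65, "X25519MLKEM768": 1184 + 32}
SERVER_SHARE_BYTES = {"x25519": 32, "secp256r1": 65, "X25519MLKEM768": 1088 + 32}

# Assumed size of everything else in a browser ClientHello (random, cipher
# suites, SNI, ALPN, signature algorithms, other extensions). Real values vary.
BASE_CLIENT_HELLO_BYTES = 300


def client_hello_bytes(groups, base=BASE_CLIENT_HELLO_BYTES):
    """Size of a ClientHello carrying a key_share entry for each listed group.
    Each KeyShareEntry costs 2 bytes of group id, 2 bytes of length, then the key."""
    return base + sum(4 + CLIENT_SHARE_BYTES[g] for g in groups)


def server_hello_share_bytes(group):
    """Size of the server's key_share reply (the ML-KEM ciphertext plus X25519 key)."""
    return 4 + SERVER_SHARE_BYTES[group]


def tcp_segments(nbytes, mtu=1500, ip_header=20, tcp_header=20):
    """Number of TCP segments the hello occupies on a standard Ethernet path.
    Middleboxes that only parse the first segment see a truncated ClientHello."""
    mss = mtu - ip_header - tcp_header
    return math.ceil(nbytes / mss)


def quic_initial_fits(nbytes, min_datagram=1200):
    """QUIC never lets IP fragment its packets; an Initial must fit a 1200-byte
    datagram (RFC 9000), so a larger ClientHello spans several Initial packets."""
    return nbytes <= min_datagram


def tor_relay_cells(nbytes, cell_payload=509):
    """Tor cells have a fixed 509-byte payload (used here as the upper bound;
    relay headers leave less). An ML-KEM-768 key does not fit in one cell,
    which is the reason a fragmented-cell mechanism is a prerequisite for a
    post-quantum circuit handshake."""
    return math.ceil(nbytes / cell_payload)


def report(groups):
    """Summarise the on-the-wire consequences of a given key_share list."""
    size = client_hello_bytes(groups)
    return {
        "client_hello_bytes": size,
        "tcp_segments": tcp_segments(size),
        "single_quic_initial": quic_initial_fits(size),
    }


if __name__ == "__main__":
    print("classical hello:", report(["x25519", "secp256r1"]))
    print("hybrid hello:   ", report(["X25519MLKEM768", "x25519"]))
    print("server hybrid key_share bytes:", server_hello_share_bytes("X25519MLKEM768"))
    print("relay cells for an ML-KEM-768 public key:", tor_relay_cells(1184))
```

The classical hello fits comfortably in one packet; the hybrid one spans two TCP segments and at least two QUIC Initials, which is exactly the shape of traffic that single-packet DPI parsers and some VPN clients mishandle. The cell count shows why Tor cannot simply switch the circuit handshake to ML-KEM without first changing the cell format.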
Estimates for when a quantum computer capable of breaking current public-key cryptography (RSA, ECC) will exist range from the late 2020s to the mid-2030s; they are expert judgements, not forecasts, and vary widely.

- Recent acceleration: advances in quantum algorithms and error correction have sharply reduced the estimated number of physical qubits needed (a 2025 estimate by Gidney puts RSA-2048 within reach of under a million noisy qubits running for days, down from roughly 20 million in 2019), compressing earlier timelines. Estimates now range from 2028 to 2035, with some experts assigning a significant probability to the mid-2030s.
- ECC first: elliptic-curve cryptography may fall before RSA because it requires fewer logical qubits at comparable classical security levels.
- "Harvest now, decrypt later": the immediate threat is that adversaries are already collecting encrypted data today to decrypt it once such a machine exists, so anything that must stay confidential beyond the estimated horizon needs post-quantum protection now.

Neither Ed25519 nor RSA is better for protecting against the "harvest now, decrypt later" problem; both are vulnerable to quantum attacks.

- Shared vulnerability: Ed25519 (an elliptic-curve signature) and RSA both rest on problems that Shor's algorithm solves. A future quantum computer could recover either private key from its public key.
- The real defense is in the key exchange: protection against "harvest now, decrypt later" in modern OpenSSH comes from the key exchange algorithm (for example mlkem768x25519-sha256), not from the authentication key type. The hybrid key exchange is what keeps the session key, and therefore everything on the wire, secret.
- Authentication versus session security: a recorded SSH session contains a signature by the user's or host's key over that session's exchange hash, and the signature reveals nothing about the session key. Recovering the private key later would let the attacker impersonate that key in future logins, which is a reason to plan for post-quantum authentication keys eventually, but it cannot retroactively decrypt the recorded session. The threat to recorded traffic is the session key, and that is protected by the post-quantum key exchange.
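The following is an added example, not code from the original post or from OpenSSH: it simulates SSH key exchange negotiation as RFC 4253 defines it (the first algorithm in the client's list that the server also supports wins) and applies OpenSSH's KexAlgorithms prefix syntax, so you can see which pairings of client and server settings end up post-quantum, which ones trigger the OpenSSH 10.1 warning discussed earlier, and why the authentication key type plays no part. The default algorithm order is my recollection of OpenSSH 10.0's and should be checked against ssh -Q kex on a real host; the legacy server list is constructed for the example.

```python
import fnmatch

# Approximate order of OpenSSH 10.0's default KexAlgorithms (assumed; confirm
# with `ssh -Q kex` and `man ssh_config` on the version you actually run).
OPENSSH_10_DEFAULT_KEX = [
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# Constructed stand-in for a server still on OpenSSH 8.x: no hybrid methods.
LEGACY_SERVER_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group14-sha256",
]

POST_QUANTUM_KEX = {"mlkem768x25519-sha256", "sntrup761x25519-sha512"}

# Names that appear in kex lists but are extension markers, not key exchanges.
EXTENSION_MARKERS = {"ext-info-c", "ext-info-s",
                     "kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}


def expand_kex_option(value, default=OPENSSH_10_DEFAULT_KEX):
    """Turn a KexAlgorithms value into the list that will be offered, honouring
    OpenSSH's prefix syntax: '+' appends to the default list, '-' removes
    entries (glob patterns allowed), '^' moves the named entries to the front,
    and no prefix replaces the default list entirely."""
    if not value:
        return list(default)
    names = [a for a in value[1:].split(",") if a]
    if value[0] == "+":
        return list(default) + [a for a in names if a not in default]
    if value[0] == "-":
        return [a for a in default
                if not any(fnmatch.fnmatchcase(a, p) for p in names)]
    if value[0] == "^":
        return names + [a for a in default if a not in names]
    return [a for a in value.split(",") if a]


def negotiate_kex(client_list, server_list):
    """RFC 4253 section 7.1: the chosen method is the first entry in the
    client's list that the server also supports. None means the handshake
    fails with 'no matching key exchange method found'."""
    server = set(server_list) - EXTENSION_MARKERS
    for alg in client_list:
        if alg in EXTENSION_MARKERS:
            continue
        if alg in server:
            return alg
    return None


def assess(client_value, server_value):
    """Simulate a connection from both sides' KexAlgorithms settings and say
    whether the result resists harvest-now-decrypt-later. Note that nothing
    here depends on whether the user authenticates with Ed25519 or RSA."""
    chosen = negotiate_kex(expand_kex_option(client_value),
                           expand_kex_option(server_value))
    if chosen is None:
        return chosen, "no common key exchange method; connection fails"
    if chosen in POST_QUANTUM_KEX:
        return chosen, "post-quantum hybrid; recorded traffic stays safe from a future quantum computer"
    return chosen, "classical only; an OpenSSH 10.1+ client prints the post-quantum warning"


if __name__ == "__main__":
    cases = [
        ("client default, server default", "", ""),
        ("client default, legacy server", "", ",".join(LEGACY_SERVER_KEX)),
        ("client default, server enforces PQ", "",
         "mlkem768x25519-sha256,sntrup761x25519-sha512"),
        ("client prefers sntrup, server default", "^sntrup761x25519-sha512", ""),
        ("client strips PQ, server enforces PQ", "-mlkem*,sntrup*",
         "mlkem768x25519-sha256,sntrup761x25519-sha512"),
    ]
    for label, client_value, server_value in cases:
        print(f"{label}: {assess(client_value, server_value)}")
```

The last two cases show the operational lesson: a server that lists only the hybrids forces post-quantum exchange for every client that supports it and refuses the rest, which is the right posture for a fleet you control, whereas a client-side `-` removal silently downgrades to classical against a permissive server and is only caught by the 10.1 warning.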
The network traffic most exposed to "harvest now, decrypt later" attacks is long-lived, high-sensitivity data carried over TLS sessions, VPN tunnels and satellite links. This includes:

- Healthcare data: medical records, genetic information and biometric templates, which remain sensitive for a patient's lifetime.
- Government and defense data: classified information, diplomatic communications and technical schematics with decades-long sensitivity periods.
- Financial and personal data: long-term contracts, transaction records and personally identifiable information (PII) subject to extended regulatory retention requirements.
- Intellectual property: trade secrets and R&D data that provide long-term competitive advantage.

Susceptibility is determined not by the type of traffic but by how long the data's confidentiality must hold: data with a confidentiality lifetime longer than the expected arrival of a cryptographically relevant quantum computer is the prime target for adversaries who can afford to wait.

Many technology, cybersecurity and semiconductor companies beyond defense contractors are actively working on post-quantum protections.

- Cloud and tech giants: AWS, Google (via Google Cloud), Microsoft (Azure), NVIDIA and Cisco are integrating PQC into their platforms, services and hardware, often as founding members of initiatives such as the Post-Quantum Cryptography Alliance.
- Cybersecurity firms: Palo Alto Networks, DigiCert, Thales, Fortanix, Sectigo and SandboxAQ are developing PQC-ready certificates, security platforms and encryption solutions.
- Semiconductor and hardware: NXP Semiconductors, Lattice Semiconductor, Microchip Technology and STMicroelectronics are embedding PQC algorithms into secure microcontrollers, FPGAs and IoT chips.
- Specialized PQC vendors: PQShield, ISARA Corporation, Keyfactor and Arqit focus specifically on PQC libraries, migration tools and quantum-safe orchestration platforms.
AI algorithms can leverage quantum computers, a combination known as Quantum Machine Learning (QML).

- Accelerated processing: quantum computers can perform certain specific calculations far faster than classical computers, which may speed up AI tasks such as training particular model classes or searching large unstructured datasets; the speedup is problem-specific, not general.
- Solving intractable problems: quantum algorithms can tackle optimization and simulation problems (for example molecular interactions in drug discovery) that are too complex for classical AI alone.
- Enhanced pattern recognition: superposition and entanglement allow QML models to represent correlations in complex, chaotic systems (fluid dynamics, financial markets) that classical models capture less well, though demonstrated advantages so far are limited to small problem sizes.
- Hybrid systems: current implementations typically use a hybrid approach, in which a quantum processor handles one stage (for example identifying stable statistical patterns) and a classical AI system is trained on the quantum-processed results, combining the strengths of both.

Yes, the physical and economic limits of Moore's Law are being hit now, well before fault-tolerant, large-scale quantum computers exist.

- Moore's Law is slowing: doubling transistor density now takes 2.5 to 4 years rather than the original two-year cycle. As transistors approach atomic scales (2-3 nm nodes), physical barriers such as quantum tunneling and heat dissipation make further miniaturization extremely difficult and costly.
- Quantum computing is still emerging: qubit counts are rising, but the field is focused on achieving fault tolerance and high qubit fidelity. Scalable, error-corrected quantum computers able to break cryptography are variously estimated at anywhere from a few years to 10-15 years away (see the timeline discussion above); the disagreement itself is a reason to migrate early.
Therefore, the slowdown of classical scaling is a present reality and a key driver of investment in quantum computing, which remains a future technology.

There are several workarounds to the limits of Moore's Law beyond quantum computing.

- Specialized hardware: GPUs, TPUs and ASICs (Application-Specific Integrated Circuits) for specific tasks such as AI and machine learning deliver large performance and efficiency gains over general-purpose CPUs.
- Advanced packaging: 3D chip stacking (3D integration) increases density and performance by stacking layers of transistors and circuitry vertically, reducing the need for further horizontal miniaturization.
- New materials: research into graphene, carbon nanotubes and 2D semiconductors aims to replace or augment silicon with materials that offer superior electrical properties and can be scaled further.
- Software optimization: improving algorithms and exploiting parallelism to extract maximum performance from existing hardware is a critical strategy in the post-Moore's Law era.
- Alternative architectures: neuromorphic computing, which mimics the structure of the brain, and photonic computing, which uses light instead of electricity, are being explored for specific, complex computational problems.

The most likely technological direction for overcoming the limits of Moore's Law is architectural specialization: GPUs, TPUs and other domain-specific accelerators. This approach uses transistors more efficiently by designing hardware for specific tasks (for example the AI accelerators in smartphones and data centers) rather than relying solely on shrinking transistors. It is already proven and widely deployed, which makes it the dominant near-term solution.
Companies are actively working on architectural specialization and related technologies:

- Specialized hardware: NVIDIA (GPUs, CUDA), Google (TPUs), AMD, Intel, Cerebras, Groq and AWS (Trainium/Inferentia) lead in domain-specific AI accelerators.
- 3D chip stacking: TSMC (CoWoS), Samsung, Intel, SK Hynix and Micron are pioneers in advanced packaging and 3D integration for higher performance and density.
- Neuromorphic computing: Intel (Loihi), IBM, Qualcomm and BrainChip are developing brain-inspired chips for efficient edge AI.
- Photonic computing: Lightmatter builds light-based accelerators for classical workloads, while PsiQuantum and Xanadu pursue photonic quantum computing; both directions aim at high-throughput, low-power processing.

