Open oittaa opened 2 years ago
Not sure that I'll get this done myself but I'd be happy to merge patches. Whether to enable it by default depends on resource usage - code size and how much delay it adds to session connection time on a small device.
NTRU-Prime, NTRU, Kyber and SABER are all great KEMs. NIST could've chosen any one of them. NIST never standardised Ed25519 and OpenSSH still uses it, which is perfectly fine.
Ed25519 is in the [FIPS 186-5] draft standard, as well as Ed25519ph: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
- Which is no longer a draft as of February 2023: https://csrc.nist.gov/publications/detail/fips/186/5/final. From the final text: "It is noted that Ed25519 is intended to provide approximately 128-bits of security, and Ed448 is intended to provide approximately 224-bits of security. Future Special Publications may allow other parameter sets or specify a randomized version of EdDSA."
OpenSSH ships with a post quantum key exchange algorithm enabled by default. It would be great if Dropbear also supported it. Thanks!
OpenSSH 9.0/9.0p1 (2022-04-08):

> ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default (`sntrup761x25519-sha512@openssh.com`). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
>
> We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.