#22 Harvest now, decrypt later (Part I: quantum attacks)
Hi there! My name is Diego Parrilla. I’m a developer who became an entrepreneur, and my latest company is Threatjammer. Subscribe now to my weekly digest about tech, threat intel, privacy, and security!
Last March, the OpenSSH maintainers announced that the new 9.0 version would adopt the hybrid Streamlined NTRU Prime + x25519 key exchange method by default.
The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.
OpenSSH is one of the most relevant software tools in the world. You will probably use it if you have to connect remotely to a *NIX-based operating system. Not surprisingly, they chose to start using a quantum-resistant algorithm even before quantum computers become available. And there is an excellent reason to do it: they want to avoid a “harvest now, decrypt later” (or capture now, decrypt later) attack on content encrypted with public keys of the current asymmetric cryptographic algorithms.
There are two main types of cryptographic algorithms: symmetric and asymmetric. Symmetric algorithms use the same secret key to encrypt on the sender’s side and decrypt on the receiver’s side. Asymmetric (public key) algorithms are used for authentication and for establishing a secret encryption key. They use different but mathematically linked keys (public and private). The public key is sent openly, and anyone can encrypt data with it, but only the owner of the matching private key can decrypt that data.
Symmetric algorithms can still offer strong protection against a quantum attack if the symmetric key size is increased. Asymmetric algorithms are different: a quantum computer could break today’s public-key cryptography using Shor’s algorithm. Most public-key algorithms rely on the hardness of factoring integers or of computing discrete logarithms. A quantum attacker could intercept a public key and efficiently derive the matching private key. To mitigate this threat, we have to replace the current public-key algorithms with quantum-safe equivalents.
But these new algorithms are still being evaluated. In 2016, NIST (the US National Institute of Standards and Technology) announced a program to select new quantum-resistant public-key algorithms. The finalists and alternatives for Round 3 are in the table above.
Once the Round 3 selections are announced, NIST will publish a report explaining its decisions. After that, there will still be additional work to draft the standards and call for public comments, and the selections probably won’t be officially formalized until 2024. Sadly, the Rainbow signature scheme has been challenged, and it seems it’s possible to crack it with a standard laptop. One of the finalists is the NTRU Prime algorithm of the OpenSSH 9.0 release.
It is clear that the sooner we use quantum-resistant algorithms, the better we will protect our privacy and our infrastructure. And this is where it connects with the title of the article: “Harvest now, decrypt later.” We cannot do anything to protect our previous communications encrypted with an asymmetric approach. Even if we delete our data, we cannot be sure that the information in transit was not eavesdropped on and stored, waiting for the day the technology can decipher it.
Maybe you are now wondering: who would want to spy on me? And you are right: spying is a costly operation, and it’s only worth it for large corporations and nation-states targeting particular persons of interest. We have seen it recently with the Pegasus espionage affair: hacking a mobile phone can cost more than $500.000 each, so spying capabilities are a function of the economic power of the spying entity.
But what if your encrypted mobile conversations, voice or text, could be stored for years along with the conversations of the rest of the population? What if a nation-state could store every bit transferred through the backbone of the nationwide internet exchange points and undersea cables? What if the metadata of your conversations could reveal the people you texted or called, creating a massive graph of connections across the population?
To continue… Harvest now, decrypt later (Part II: PRISM)
The music snippet
I don’t think anybody would care about being spied on if Blondie asks you to call her.