
Cryptography of SSH (2006) - kidbomb
https://www.mnin.org/write/2006_sshcrypto.html
======
shittyadmin
Keep in mind that many of the preferred key exchange algorithms and ciphers
have changed vastly since 2006. OpenSSH has been improving in the cryptography
department by leaps and bounds.

OpenSSH 5.2 switched to preferring AES-CTR.

OpenSSH 5.7 added ECDH as a kex and ECDSA for signing.

OpenSSH 6.2 added encrypt-then-mac and prefers it by default.

OpenSSH 6.5 added Curve25519 as a kex and chacha20-poly1305 as a cipher, as
well as Ed25519 for signing.

OpenSSH 8 will add quantum-resistant algorithms for key exchange.

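The version list above is mostly about which algorithms each side *prefers*, and what actually gets used on a connection is decided by the RFC 4253 §7.1 negotiation rule: each KEXINIT field is a comma-separated name-list, and the first entry in the client's list that the server also supports wins. The example below is added here and is not code from the thread or from OpenSSH; the KEXINIT name-lists are constructed for illustration (a client preferring the post-6.5 defaults against a server stuck on a much older set) and are not copied from any release. It goes slightly beyond the comment by also classifying the resulting integrity mode (AEAD, encrypt-then-MAC, or the original encrypt-and-MAC), which is what the 6.2 change is about.

```python
"""RFC 4253 section 7.1 algorithm negotiation on constructed KEXINIT name-lists.

Added example, not from the thread or from OpenSSH. The name-lists below are
constructed for illustration; only the negotiation rule is the protocol's.
The kex rule is simplified: the host-key/kex compatibility check that the RFC
also requires is omitted.
"""

from typing import Dict, List, Optional

# AEAD ciphers defined for SSH (RFC 5647 GCM and the OpenSSH chacha20 cipher).
# When one of these is chosen the negotiated MAC algorithm is not used.
AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}


def parse_name_list(raw: str) -> List[str]:
    """Parse an SSH name-list (RFC 4251 section 5): comma-separated, no spaces."""
    return [name for name in raw.split(",") if name]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """First algorithm in the client's list that the server also lists.

    Returns None when there is no common algorithm (the connection fails).
    Client order decides: the server's own preference order is irrelevant.
    """
    supported = set(server)
    for name in client:
        if name in supported:
            return name
    return None


def negotiate_all(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Negotiate every KEXINIT field present in the client's name-lists."""
    return {
        field: negotiate(parse_name_list(client[field]), parse_name_list(server[field]))
        for field in client
    }


def integrity_mode(cipher: Optional[str], mac: Optional[str]) -> str:
    """Classify how packets will be authenticated for a negotiated pair."""
    if cipher in AEAD_CIPHERS:
        return "aead"                 # MAC field ignored, cipher authenticates
    if mac is not None and mac.endswith("-etm@openssh.com"):
        return "encrypt-then-mac"     # added in OpenSSH 6.2
    return "encrypt-and-mac"          # original RFC 4253 construction


# Constructed client: prefers the post-6.5 defaults but still offers fallbacks.
MODERN_CLIENT = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc",
    "mac": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1",
}

# Constructed legacy server: no ECDH/Curve25519, no AEAD, no -etm MACs.
LEGACY_SERVER = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "cipher": "aes128-cbc,3des-cbc,aes128-ctr",
    "mac": "hmac-sha1,hmac-md5",
}

# Constructed modern server: same defaults as the client.
MODERN_SERVER = {
    "kex": "curve25519-sha256,ecdh-sha2-nistp256",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr",
    "mac": "hmac-sha2-256-etm@openssh.com,hmac-sha2-256",
}


def report(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Negotiate and attach the integrity mode; returned for inspection/testing."""
    result = negotiate_all(client, server)
    result["integrity"] = integrity_mode(result["cipher"], result["mac"])
    return result


if __name__ == "__main__":
    for label, server in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        print(label, report(MODERN_CLIENT, server))
```

Note the legacy case: the client silently lands on `diffie-hellman-group14-sha1` with plain `hmac-sha1`, i.e. encrypt-and-MAC, because those fallbacks were still in its list. Whether a newer default "prefers" something only helps if the old entries are actually removed from the client's `KexAlgorithms`/`Ciphers`/`MACs` lists.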
~~~
nullc
> OpenSSH 8 will add quantum resistant algorithms for key exchange.

Any additional information? This is really good to hear. PQ key exchange in
SSH makes a lot of sense: except when it's used as some backend communications
for automation, SSH key establishment is hardly performance critical, and can
easily afford extra round trips for negotiation.

Any idea if there are plans for PQ key authentication? A SPHINCS signature or
similar would be very nice-- and the security story for hash based signatures
is excellent.

~~~
shittyadmin
They're using a mixture of Streamlined NTRU Prime 4591^761 and X25519.

[https://ntruprime.cr.yp.to/](https://ntruprime.cr.yp.to/)

Note that this is still considered "experimental" and probably won't be
enabled by default.

I'd advise checking out some of the recent DJB and Tanja Lange talks for
further detail on how research on these algorithms is progressing:

[https://www.youtube.com/watch?v=ZCmnQR3_qWg](https://www.youtube.com/watch?v=ZCmnQR3_qWg)

There's also the older but still relevant PQCHacks:

[https://media.ccc.de/v/32c3-7210-pqchacks](https://media.ccc.de/v/32c3-7210-pqchacks)

Haven't seen any talk of post quantum signatures in changelogs yet at least,
but research is happening rapidly in this field and OpenSSH has really upped
their game in recent years.

------
CaliforniaKarl
This always triggers a bit of a rant from me; I apologize in advance!

I wish OpenSSH supported GSSAPI Key Exchange.

OpenSSH has for some time supported using GSSAPI for authentication. What I am
referring to is using GSSAPI in place of the normal trust-on-first-use host
key verification.

GSSAPI Key Exchange was standardized in RFC 4462
(https://datatracker.ietf.org/doc/rfc4462); an updated version (using SHA-2,
newer DH groups, and an option for ECDH) is in last call
(https://datatracker.ietf.org/doc/draft-ietf-curdle-gss-keyex-sha2/).

GSSAPI Key Exchange is great in environments where systems are members of a
Kerberos realm. They all already trust the realm's KDCs, and it would be nice
to be able to extend that to SSH.

It may also be possible to use this in an Active Directory environment, as AD
uses Kerberos under the hood for some of its user and machine authentication
functions.

PuTTY recently got support for GSSAPI Key Exchange, in 0.71
(https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/gss-key-exchange.html;
it already has support for GSSAPI authentication).

The OpenSSH developers have confirmed that they will not implement this in
OpenSSH
([http://bugzilla.mindrot.org/show_bug.cgi?id=1242](http://bugzilla.mindrot.org/show_bug.cgi?id=1242)).

