SSH in a quantum world
SecureNation
SSH, otherwise known as Secure Shell, is a common internet protocol that runs over TCP (Transmission Control Protocol) and can be used to securely connect a computer to an outside computer or network. The physical locations of the computers on both ends of an SSH connection don't matter, provided that the computers are connected to the public internet and have SSH set up properly. There are many practical applications for SSH. A network administrator could continue their work while they're on vacation on another continent. An office network in one geographic location could work with an office network in another geographic location so that all of an organization's satellite offices are united in their networking. A contracted IT services company could provide remote technical support to a client machine upon request without having to physically travel. Or, considering how woefully insecure FTP (File Transfer Protocol) is, a company could decide to use SSH for file transfer instead.
Tatu Ylönen, now CEO and founder of SSH Communications Security, wrote about how he invented SSH in SC Magazine:
“While attending school in Helsinki, I discovered a password ‘sniffer’ attack in our university network.
To shield our data, I wrote a program to protect information as it moved from point to point throughout the network. I called it the 'secure shell', or SSH for short.
Today, nearly every major network environment – including those in governments, large enterprises and financial institutions – uses a version of SSH to protect data in transit and let administrators manage systems remotely.”
Talk about turning lemons into lemonade. Ylönen was dissatisfied by the lack of security in the rlogin, TELNET, ftp, and rsh protocols, so he devised his own solution. He released the first version of SSH as freeware in July 1995. Adoption exploded. By the end of 1995 there were about 20,000 SSH users. He founded SSH Communications Security by December 1995. By the year 2000, there were about 2 million SSH users. Now by 2017, that figure must be a lot larger.
SSH has been assigned to TCP port 22. Many operating systems have SSH software preinstalled, including most versions of Linux, macOS, Solaris, FreeBSD, OpenBSD, NetBSD, and OpenVMS. There are SSH applications for Windows, but they aren't preinstalled and must be installed manually.
So here's how SSH works
The SSH protocol is based on the client-server model. Therefore, an SSH client must initiate an SSH session with an SSH server. Most of the connection setup is conducted by the SSH client. Public key cryptography is used to verify the identity of the SSH server, and then symmetric key encryption and hashing algorithms are used to keep the data in transit as ciphertext. That way, the privacy and integrity of data transmitted in both directions between the client and server are assured, and man-in-the-middle attacks are mitigated.
The steps involved in creating an SSH session go like this:
There are different ciphers that can be used for SSH depending on the applications being used. Some of them include:
Usually an implementation of either Diffie-Hellman or Elliptic Curve Diffie-Hellman is used to protect the key exchange.
In the world of cryptography, specific ciphers are usually cracked at some point, and new stronger ciphers are developed. So SSH implementations will drop older ciphers and support newer ciphers over time. Therefore, we could very likely still be using SSH thirty or forty years from now. And we all have Ylönen and the password sniffer he discovered to thank.
On that note, how are we going to prepare for quantum cryptography? It’s not some distant sci-fi novel dream. Quantum computers have been in the possession of institutions and large corporations ever since D-Wave released its D-Wave 2000Q quantum computer in 2017, followed by IBM with its IBM Q System One in 2019. NIST and various cryptographers have been hard at work developing and approving quantum-safe ciphers that binary computers can use, because quantum computers will inevitably fall into the hands of threat actors.
What about quantum computers?
Very sensitive data is transmitted through SSH. And quantum computers can crack ciphers that aren’t quantum safe at alarming speed.
Since about 2018, the SSH organization has released a few features into their tech ecosystem with quantum resilience in mind. They include their NQX quantum-ready encryptor, and the FrodoKEM and Kyber PQC algorithms.
So it is possible now to develop applications with SSH that can withstand emerging quantum cyber threats.
It’s that sort of adaptability that maintains SSH as an important series of cryptographic protocols in the enterprise.
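The negotiation step that lets SSH retire older key exchange algorithms and adopt quantum-safe ones, as an added example (not code from this article or from SSH Communications Security). It parses the algorithm lists of an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and applies the basic rule that the first algorithm on the client's list that the server also offers is chosen; the sample offers are constructed, the algorithm names are the ones OpenSSH uses, and the `PQ_MARKERS` substring check is a simplifying assumption.

```python
import os
import struct

SSH_MSG_KEXINIT = 20  # message number assigned in RFC 4253
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Assumption: substring markers for hybrid post-quantum key exchange names.
# Vendors name these differently, so extend the tuple for your implementation.
PQ_MARKERS = ("mlkem", "kyber", "sntrup", "frodo")

def build_kexinit(lists):
    """Serialise a KEXINIT payload from {field: [names]} (used for the demo)."""
    out = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)  # type byte + random cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names  # uint32 length + name-list
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]}, rejecting bad lengths."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("name-list overruns payload")
        parsed[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return parsed

def negotiate(client, server, field="kex"):
    """First name on the client's list that the server also offers, else None."""
    offered = set(server[field])
    return next((name for name in client[field] if name in offered), None)

def is_quantum_safe(kex_name):
    return kex_name is not None and any(m in kex_name for m in PQ_MARKERS)

# Constructed sample offers, not captured traffic.
CLIENT = parse_kexinit(build_kexinit({"kex": [
    "mlkem768x25519-sha256", "curve25519-sha256", "diffie-hellman-group14-sha256"]}))
MODERN_SERVER = parse_kexinit(build_kexinit({"kex": [
    "curve25519-sha256", "mlkem768x25519-sha256"]}))
LEGACY_SERVER = parse_kexinit(build_kexinit({"kex": [
    "diffie-hellman-group14-sha256", "curve25519-sha256"]}))
```

Against `LEGACY_SERVER` the same client silently settles on classical `curve25519-sha256`, which is why an audit has to look at the negotiated algorithm rather than at what the client is able to offer.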