OpenSSH, probably the most widely-used remote access software on earth, has just put out version 10.1.
This influential and carefully-curated software is installed by default in most Linux distros, BSD distros, macOS, and Windows 2025 server, so it’s worth knowing what’s been fixed, added and removed when new versions arrive.
As well as numerous bug fixes, this release has one intriguing new feature, namely that any connection where cryptographic keys are agreed upon using what’s known as a non post-quantum-safe algorithm will produce a warning by default.
And quantum computers are back in the headlines again, thanks to this week’s award of the Nobel Prize in Physics to three scientists who did groundbreaking work into quantum-flavored electrical circuits back in the 1980s.
These non-traditional computers form a very special class of computing device that, in theory at least, can perform certain types of mathematical calculation significantly faster than today’s non-quantum computers.
Quantum computers aren’t, and never will be, replacements for the general-purpose computing hardware that we rely on in our phones and laptops for attending online meetings and watching cat videos.
But there are a few arithmetic algorithms that this very different type of computer may be able to speed up enormously – close to exponentially, in fact.
And some of the algorithms that quantum computers might eventually turn out to be good at handling can be used to help crack certain sorts of cryptography, notably the RSA, elliptic curve, and finite-field cryptosystems that are widely used for securing online logins and transactions these days.
Loosely speaking, this means that a problem that currently takes X units of processing effort to compute, for example cracking an encryption algorithm that is supposed to keep data secret for years or decades, might suddenly be solvable in a timeframe on the order of log₂X units, which could result in that secret data being cracked in just hours or days instead.
Logarithms are just exponents (also known as powers, which are repeated multiplications) “the other way round,” so if 2^P = A, then log₂A = P.
As an example, log₂(1000) is about 10, while log₂(1,000,000) is only about 20, giving a hint of just how dramatic an exponential speedup can be. (A logarithmic decrease in time taken is equivalent to an exponential increase in speed.)
So far, quantum computers haven’t really managed anything useful, because they require complete isolation from other influences in the universe, no matter how minor, such as mechanical vibrations and electromagnetic interference.
Achieving suitable levels of isolation has so far proved so difficult that only very basic quantum computers can run reliably without errors, so they still can’t solve anything but toy problems.
So-called “headline breakthroughs” in quantum-based encryption cracking, for example, often turn out to be problems that were deliberately chosen to be trivial to solve – calculations that even an HP programmable calculator from the 1970s could have taken on, or that can already be solved in tiny fractions of a second on a modern consumer laptop.
Still, a good rule to live by in cybersecurity is, “Never say never.”
(Who would have thought, back in the 1980s, that proprietary radio communications devices that were then heavily regulated, and sold for tens or hundreds of thousands of dollars per unit, could be simulated with so-called software-defined radio tools based on basic digital TV tuner circuitry that today retails for about $30.)
Although some experts suggest that quantum computers of any useful scale will never be practicable (or even possible), because the interference problems that plague them will never be conquered, there are other experts who think that we might get there in the next few decades, if not the next few years.
And even if building quantum computers that work properly takes 50 years, important data that was encrypted today and stored away “just in case” might suddenly be decryptable, perhaps to the detriment of mankind.
Much of the data collected today won’t be much use in 50 years’ time, but some of it will still be well-worth decrypting, whether by criminal adversaries or state-sponsored attackers.
The governments of many Western democracies implicitly recognize that personal data is worth shielding because census household data, which residents must provide by law, generally isn’t released for much longer than 50 years, such as 100 years in the UK, 99 years in Australia, 92 years in Canada, and 72 years in the USA. And remember that census responses are quite limited, because they don’t include details such as personal messages, purchasing records, website viewing history, private opinions, business discussions, confidential negotiations, and much more.
By default, OpenSSH already uses what’s called a hybrid cryptosystem to set up unique data encryption keys for each connection.
An old-school, pre-quantum elliptic curve algorithm known as X25519 is used, as well as one of two newer algorithms that aren’t susceptible to being cracked quickly by quantum computers, no matter how powerful they might become.
These combo-crypto algorithms are known as mlkem768x25519-sha256 (which is tried first) and sntrup761x25519-sha512 (tried if the server doesn’t support the first choice), where the encryption algorithm components in the names can be decoded as follows:
The idea here is to sidestep criticism that, by switching to new algorithms before we strictly need to, we introduce the risk that one of these new post-quantum algorithms might turn out not to be safe or secure at all.
Indeed, cryptographic flaws sometimes don’t get found for years, despite ongoing analysis by top cryptographers and mathematicians.
For example, a supposedly post-quantum-safe algorithm called SIKE, after several years of public scrutiny by global experts, came very close to being accepted as a secure standard...
...but was dropped in a hurry when cryptographers showed in 2022 that it was mathematically flawed, and even a regular laptop could crack it in about an hour.
The idea of these hybrid cryptosystems is that it’s unlikely that both algorithms will be cracked for the foreseeable future.
If the new post-quantum algorithm holds up, and quantum computers do eventually prove up to the job of cracking X25519 quickly, data encrypted by both algorithms in sequence still won’t be easily decryptable.
Likewise, if the new post-quantum algorithm turns out to be flawed in the next few years, as happened to SIKE, the data will nevertheless still be encrypted by X25519, an algorithm that’s been studied for longer and should continue to hold up until quantum computers arrive, if ever they do.
Even though the advances in the processing power of quantum computers often seem to be a matter of clickbait headlines and over-the-top marketing, some countries are already asking for software and service vendors to shift to post-quantum-safe algorithms soon.
Australia, for instance, has set 2030 as the date by which sysadmins should have switched; in the US, the switch-by date is currently set at 2035.
The regulators in those countries see this shift as an early precaution against the future unauthorized decryption of the giant data lakes we seem determined to collect these days.
If you connect using the latest release of the OpenSSH client program ssh (which has been post-quantum-safe by default for several years) to a server that doesn’t yet support newer algorithms or that forces you to accept a non-post-quantum key exchange algorithm, you will see this:
Chances are that the server hasn’t been patched or updated for a long time, or was manually set into a configuration that could do with being changed.
Annoyingly, perhaps, the warning doesn’t appear if you use OpenSSH’s KexAlgorithms option to override the default choice of key exchange methods, even if one of the methods you chose was post-quantum safe but ultimately wasn’t selected.
If you want to check that the server you’re connecting to not only supports post-quantum key exchange, but also will choose to do so, you can try connecting via ssh with no special options on the command line or in your ssh_config file.
You don’t actually need to log in, because the “weak crypto” warnings will appear before you are asked to present any passwords or authentication tokens.
If you really want to force the use of non-post-quantum crypto without seeing the warnings, use the WarnWeakCrypto=no option on the command line or in ssh_config.
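As an added example (not part of the article, and not OpenSSH’s own code), here is a small POSIX shell helper for the check described above. It reads the verbose output of ssh -v, pulls out the key exchange method that was actually negotiated (the client prints it on a “debug1: kex: algorithm:” line before any authentication happens, which is why you don’t need to log in), and flags anything other than the two hybrid methods named earlier. The sample ssh -v lines embedded in the script are constructed for the demonstration, not captured from any real host, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article or from OpenSSH: report whether an
# OpenSSH client negotiated a post-quantum hybrid key exchange.
#
# Real usage (abort with Ctrl-C once the verdict appears; no login needed):
#   ssh -v -o BatchMode=yes user@host 2>&1 | kex_check

# Print the negotiated kex method name found in ssh -v output on stdin.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if $1 is one of the post-quantum hybrids the client tries by
# default, 1 otherwise (assumption: only these two names count as "PQ safe").
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ssh -v output on stdin, print a verdict, and return
# 0 (post-quantum), 1 (classical), or 2 (no kex line found).
kex_check() {
    alg=$(negotiated_kex)
    if [ -z "$alg" ]; then
        echo "no kex line found (is the input really from ssh -v?)"
        return 2
    fi
    if is_pq_kex "$alg"; then
        echo "OK: negotiated $alg (post-quantum hybrid)"
        return 0
    fi
    echo "WARN: negotiated $alg (not post-quantum safe)"
    return 1
}

# Constructed samples of the relevant ssh -v lines (not real captures).
SAMPLE_PQ='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_LEGACY='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

# Demonstration on the constructed samples; a real run pipes ssh -v output in.
printf '%s\n' "$SAMPLE_PQ" | kex_check || true
printf '%s\n' "$SAMPLE_LEGACY" | kex_check || true
```

To see which key exchange methods your own client is able to offer in the first place, run ssh -Q kex; a server that never picks one of the two hybrids even though your client offers them is the case the article’s warning is designed to surface.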
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!