December 28, 2022

Know Your Vulnerabilities: Key Exchange in Danger

The quantum threat is around the corner. You already know that Post-Quantum Cryptography (PQC) is a cost-effective and practical solution. However, the cryptosystems used in modern network protocols like SSH and TLS are complicated and typically consist of several cryptographic algorithms working together. Which parts are the most vulnerable, and which ones need to be fixed first? Let's find out.

Public-key cryptosystems date back to the introduction of RSA in 1977. They offer clear advantages over their earlier counterparts: in symmetric-key encryption the sender and the receiver share the same secret key, which has to be delivered to both ends somehow, whereas in a public-key system only the public key is transmitted and the private key never leaves its owner, so there is no secret key to intercept in transit. Beyond encrypting data in transit, public-key cryptosystems are also used to authenticate the other party, so that you can be sure of its identity.

Because of these advantages, public-key cryptosystems in network protocols like SSH and TLS have dominated the field of data communications since their inception, and there has been no serious challenge to their security... until now. 

Key Exchange aka Key Agreement

A typical session with a public-key cryptosystem starts with a key exchange, a critical phase where a server authenticates itself and both parties agree on a secret session key which is then used to encrypt the actual session payload.

Because public-key operations are computationally expensive, the key exchange algorithm is not used to encrypt the payload itself; a symmetric-key cipher such as AES is used for that instead.

Every public-key algorithm rests on a mathematically hard problem. For RSA it is integer factorization: multiplying two large primes is easy, while recovering the factors from the product is so hard that even classical supercomputers cannot do it for the key sizes in use today. A sufficiently large quantum computer, however, can solve both integer factorization and the discrete logarithm problem efficiently, which means it can break RSA and classical Diffie-Hellman.

Traditional symmetric ciphers like AES are significantly harder to attack with a quantum computer, and AES-128 and above are considered safe for decades to come. However, it does not matter that the payload encryption holds if the session key protecting it, which was agreed through a classical key exchange, can be recovered.

Quantum Security & Safety 

To reach quantum security and safety, your efforts should be focused on fixing the key exchange first, because the threat is retroactive: encrypted traffic recorded today can be decrypted later, once a quantum computer capable of breaking the key exchange exists.

Then you can concentrate on addressing the authentication keys that will be vulnerable in the future.

This is exactly what the PQC standardization project of the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) was created for. NIST has already selected its preferred PQC key encapsulation mechanism (KEM), CRYSTALS-Kyber, which is suitable for use in the key exchange.

We at SSH have fortified this with a hybrid approach that combines a PQC key encapsulation algorithm with a classical ECDH key exchange, so that the session key stays protected as long as either component holds. All products in our quantum-safe portfolio offer a modernized quantum-safe hybrid key exchange to protect the session key of a well-known and stable symmetric payload encryption algorithm, such as AES.

By subscribing to any quantum-safe product in our portfolio, you also get the full benefit of Crypto Agility - since we carefully keep our software up-to-date with the latest recommendations, you will always have the most relevant quantum-safe algorithms at your disposal with no additional cost.

Learn more about SSH Tectia Client/Server Quantum-Safe Edition and SSH NQX quantum-safe encryptor. 



Jussi Rautio

Jussi's mission at SSH is to develop the product vision for the company's flagship product, Tectia. He has been in the IT business for more than 20 years, researching, developing, and managing products.
