Fork of OpenSSH that includes prototype quantum-resistant key exchange based on liboqs.

open-quantum-safe/openssh-portable

OpenSSH is an open-source implementation of the Secure Shell protocol https://openssh.org/. (View the original README file for OpenSSH.)

This repository contains a fork of OpenSSH that adds quantum-resistant key exchange algorithms using liboqs for prototyping purposes.

Overview

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography.

liboqs is an open source C library for quantum-resistant cryptographic algorithms. See more about liboqs at https://github.com/open-quantum-safe/liboqs/, including a list of supported algorithms. OpenSSH can use either the master or the nist branch of liboqs; the former is recommended for normal uses of OpenSSH as included mechanisms follow a stricter set of requirements, the latter contains more algorithms and is better suited for experimentation.

open-quantum-safe/openssh-portable contains a fork of OpenSSH that adds quantum-safe key exchange algorithms using liboqs for prototyping purposes, specifically adding key exchange methods that use hybrid (post-quantum + traditional elliptic curve) or post-quantum-only algorithms. The integration should not be considered "production quality". The OQS-master branch of open-quantum-safe/openssh-portable is currently based on OpenSSH version 7.7 (Git tag V_7_7_P1).

More information on OQS can be found on our website: https://openquantumsafe.org/.

Contents

This branch (OQS-master) integrates post-quantum key exchange from liboqs in SSH 2 in OpenSSH v7.7 portable 1.

Key exchange mechanisms

The following key exchange / key encapsulation methods from liboqs are supported (assuming they have been enabled in liboqs):

  • bike1-L1, bike1-L3, bike1-L5
  • frodo-640-aes, frodo-976-aes
  • newhope-512, newhope-1024
  • sike-503, sike-751
  • oqsdefault

Limitations and security

liboqs is designed for prototyping and evaluating quantum-resistant cryptography. Security of proposed quantum-resistant algorithms may rapidly change as research advances, and may ultimately be completely insecure against either classical or quantum computers.

We believe that the NIST Post-Quantum Cryptography standardization project is currently the best avenue to identifying potentially quantum-resistant algorithms. liboqs does not intend to "pick winners", and we strongly recommend that applications and protocols rely on the outcomes of the NIST standardization project when deploying post-quantum cryptography.

We acknowledge that some parties may want to begin deploying post-quantum cryptography prior to the conclusion of the NIST standardization project. We strongly recommend that any attempts to do so make use of so-called hybrid cryptography, in which post-quantum public-key algorithms are used alongside traditional public-key algorithms (like RSA or elliptic curves) so that the solution is at least no less secure than existing traditional cryptography.

liboqs is provided "as is", without warranty of any kind. See LICENSE.txt for the full disclaimer.

The integration of liboqs into our fork of OpenSSH is currently at an experimental stage. This fork of OpenSSH has not received the same level of auditing and analysis that OpenSSH has received. At this stage, we do not recommend relying on it in any production environment or to protect any sensitive data.

The OQS fork of OpenSSH is not endorsed by the OpenSSH project.

This fork is developed for the purposes of prototyping and evaluating the use of post-quantum cryptography in SSH, and is not intended for use in production environments to protect the transmission of sensitive information.

At the time of writing, there are no vulnerabilities or weaknesses known in any of the post-quantum key exchange algorithms used in this fork. However, it is advisable to wait on deploying post-quantum algorithms until further guidance is provided by the standards community, especially from the NIST Post-Quantum Cryptography project.

This fork does not yet contain support for post-quantum authentication.

Lifecycle for open-quantum-safe/openssh-portable OQS-master branch

Release cycle: We aim to make releases of our fork of OpenSSH stable on a bi-monthly basis, either when there has been a new release of OpenSSH or when we have made changes to our fork.

See the README.md files of liboqs master branch and liboqs nist-branch for information about the algorithm lifecycle within the corresponding libraries.

SSH compatibility: The message format used in this fork is not standardized, and is subject to unilateral change at any time without regard to backwards compatibility with previous versions of this fork.

Building on Linux and macOS

Builds have been tested manually on macOS 10.14 (clang 10.0.0), Ubuntu 14.04 (gcc-5), Ubuntu 16.04 (gcc-5), and Ubuntu 18.04.1 (gcc-7).

Step 0: Install dependencies

For Ubuntu, you need to install the following packages:

sudo apt install autoconf automake gcc libtool libssl-dev make unzip xsltproc

For Ubuntu 18.04, you need to downgrade the version of OpenSSL. (Ubuntu 18.04 bundles OpenSSL 1.1.0 by default, but OpenSSH only supports building against OpenSSL 1.0.2 at present.)

sudo apt install openssl1.0 libssl1.0-dev

Warning: this removes the existing libssl 1.1 development package.

On Linux, you also may need to do the following:

  • You may need to create the privilege separation directory:

      sudo mkdir -p -m 0755 /var/empty
    
  • You may need to create the privilege separation user:

      sudo groupadd sshd
      sudo useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
    

For macOS, you need to install the following packages using brew (or a package manager of your choice):

brew install autoconf automake libtool openssl wget

Step 1: Build and install liboqs

You can use either the master or the nist branch of liboqs with the OQS-master branch of OpenSSH. Each branch supports a different set of KEX/KEM mechanisms (see above).

You will need to specify the path in which to install liboqs at configure time; we recommend that you install in a special-purpose directory, rather than the global /usr or /usr/local directories.

For the master branch of liboqs:

git clone -b master --single-branch https://github.com/open-quantum-safe/liboqs.git
cd liboqs
autoreconf -i
./configure --prefix=<path-to-openssl-dir>/oqs --with-pic=yes --enable-shared=no --enable-openssl --with-openssl-dir=<path-to-system-openssl-dir>
make -j
make install
rm -f <path-to-install-liboqs>/lib/liboqs.so*

On Ubuntu, <path-to-system-openssl-dir> is probably /usr. On macOS with brew, <path-to-system-openssl-dir> is probably /usr/local/opt/openssl.

For the nist branch of liboqs:

git clone -b nist-branch --single-branch https://github.com/open-quantum-safe/liboqs.git
cd liboqs
make -j
make install-noshared PREFIX=<path-to-install-liboqs>

Step 2: Build fork of OpenSSH

Next, you can build and install our fork of OpenSSH:

export LIBOQS_INSTALL=<path-to-liboqs>
export OPENSSH_INSTALL=<path-to-install-openssh>
git clone https://github.com/open-quantum-safe/openssh-portable.git
cd openssh-portable
autoreconf

For Ubuntu 16.04 and macOS, try the following:

./configure --enable-pq-kex --enable-hybrid-kex      \
            --with-ssl-dir=<path-to-openssl>/include \
            --with-ldflags=-L<path-to-openssl>/lib   \
            --prefix=$OPENSSH_INSTALL                \
            --sysconfdir=$OPENSSH_INSTALL            \
            --with-liboqs-dir=$LIBOQS_INSTALL
make -j
make install

On Ubuntu 18.04, some modifications are required due to the default openssl version:

./configure --enable-pq-kex --enable-hybrid-kex \
            --with-ldflags=-L/usr/lib/ssl1.0    \
            --prefix=$OPENSSH_INSTALL           \
            --sysconfdir=$OPENSSH_INSTALL       \
            --with-liboqs-dir=$LIBOQS_INSTALL
make -j
make install

Notes about building OpenSSH:

  • --enable-pq-kex enables PQ-only key exchange methods.
  • --enable-hybrid-kex enables hybrid key exchange methods.

Running

Client/server demo

In one terminal, run a server:

sudo <path-to-openssh>/sbin/sshd -p 2222 -d

The server automatically supports all available hybrid and PQ-only key exchange methods. sudo is required on Linux so that sshd can read the shadow password file.

In another terminal, run a client:

<path-to-openssh>/bin/ssh -l <username> -o 'KexAlgorithms=LIBOQSALGORITHM' -p 2222 localhost

where LIBOQSALGORITHM is either:

  • X-sha384@openquantumsafe.org (for post-quantum-only key exchange)
  • ecdh-nistp384-X-sha384@openquantumsafe.org (for hybrid post-quantum and elliptic curve key exchange)

where X is one of the algorithms listed in the Contents section above.
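
To confirm that a session really used the requested post-quantum or hybrid method, the following added example (not part of the project's README or code) builds the KexAlgorithms names from the two patterns above and checks them against `ssh -v` debug output. It assumes the names in the key exchange list are substituted for X verbatim and that the client logs the negotiated method as `debug1: kex: algorithm: ...`, as stock OpenSSH does; the sample log is constructed.

```shell
#!/bin/sh
# Added example, not the project's own code.
# KEM names copied from the "Key exchange mechanisms" list above.
OQS_KEMS="bike1-L1 bike1-L3 bike1-L5 frodo-640-aes frodo-976-aes newhope-512 newhope-1024 sike-503 sike-751 oqsdefault"

# Print the PQ-only and hybrid KexAlgorithms names for each KEM given.
oqs_kex_names() {
    for x in "$@"; do
        printf '%s-sha384@openquantumsafe.org\n' "$x"
        printf 'ecdh-nistp384-%s-sha384@openquantumsafe.org\n' "$x"
    done
}

# Classify one KexAlgorithms name as hybrid, pq-only or classical.
# The hybrid pattern must be tested first: it also ends in the PQ-only suffix.
classify_kex() {
    case "$1" in
        ecdh-nistp384-?*-sha384@openquantumsafe.org) echo hybrid ;;
        ?*-sha384@openquantumsafe.org) echo pq-only ;;
        *) echo classical ;;
    esac
}

# Read "ssh -v" debug output on stdin and print the negotiated key exchange.
# ssh ends its stderr log lines with CR LF, so the CR is stripped first.
negotiated_kex() {
    tr -d '\r' | sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Read "ssh -v" output on stdin; succeed only if the session negotiated
# exactly the method named in $1.
kex_matches() {
    [ "$(negotiated_kex)" = "$1" ]
}

# Constructed sample of client debug output (not captured from a real run).
SAMPLE_LOG='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-nistp384-newhope-512-sha384@openquantumsafe.org
debug1: kex: host key algorithm: ssh-ed25519'

# Live use (assumption: the fork lists its methods in "ssh -Q kex"):
#   oqs_kex_names $OQS_KEMS | while read -r n; do
#       <path-to-openssh>/bin/ssh -Q kex | grep -qxF "$n" || echo "missing: $n"
#   done
```

For a live check, add `-v` to the client command shown above and pipe its stderr (`2>&1`) into `kex_matches` with the name passed to `KexAlgorithms`.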

Automated tests

To test the build, run:

make tests

oqsdefault KEM

liboqs can be configured at compile-time to use any of its algorithms as its "default" algorithm. If OpenSSH is told to use oqsdefault, then it will use whichever KEM algorithm was set as the default in liboqs at compile time.

The purpose of this option is as follows. liboqs master branch and liboqs nist-branch contain different subsets of algorithms. We will make most algorithms from liboqs master branch available as a named key exchange method in OpenSSH. However, there are significantly more algorithms supported in liboqs nist-branch than liboqs master branch, and we will not be explicitly making each nist-branch algorithm available as a named key exchange method in OpenSSH. It is still possible to prototype KEMs from liboqs master branch or liboqs nist-branch that were not made available as named key exchange methods in OpenSSH using the oqsdefault key exchange method in OpenSSH by changing the default mapping in liboqs and then recompiling.

  1. Recompile liboqs with your preferred default algorithm:
    • For liboqs master branch:
      • cd liboqs
      • Edit src/kem/kem.h and change #define OQS_KEM_DEFAULT to map to your preferred algorithm
      • make clean
      • make -j
      • make install
    • For liboqs nist-branch:
      • cd liboqs
      • make clean
      • make -j KEM_DEFAULT=newhope_1024_cca_kem (or whichever algorithm you prefer)
      • make install-noshared PREFIX=<path-to-install-liboqs>
  2. Recompile OpenSSH against the newly built liboqs:
    • cd openssh-portable
    • make clean
    • make -j
    • make install
  3. Run ssh with ecdh-nistp384-oqsdefault-sha384@openquantumsafe.org or oqsdefault-sha384@openquantumsafe.org for the KexAlgorithms option.

License

This fork is released under the same license(s) as Portable OpenSSH. More information about licensing can be found in the LICENSE file.

(Pre-draft) IETF Draft

This repository contains an experimental (pre-draft) IETF draft for hybrid key exchange methods ECDH-SIKE and ECDH-BIKE. This document has not been submitted to the IETF. See https://github.com/open-quantum-safe/openssh-portable/blob/OQS-master/ietf_pre_draft_sike_bike_hybrid_kex.txt.

Team

The Open Quantum Safe project is led by Douglas Stebila and Michele Mosca at the University of Waterloo.

Contributors

Contributors to this fork of OpenSSH include:

  • Eric Crockett (Amazon Web Services)
  • Ben Davies (University of Waterloo)
  • Torben Hansen (Amazon Web Services and Royal Holloway, University of London)
  • Christian Paquin (Microsoft Research)
  • Douglas Stebila (University of Waterloo)

Contributors to an earlier OQS fork of OpenSSH included:

  • Mira Belenkiy (Microsoft Research)
  • Karl Knopf (McMaster University)

Support

Financial support for the development of Open Quantum Safe has been provided by Amazon Web Services and the Tutte Institute for Mathematics and Computing.

We'd like to make a special acknowledgement to the companies who have dedicated programmer time to contribute source code to OQS, including Amazon Web Services, evolutionQ, and Microsoft Research.

Research projects which developed specific components of OQS have been supported by various research grants, including funding from the Natural Sciences and Engineering Research Council of Canada (NSERC); see the source papers for funding acknowledgments.
