Tectia Quantum-Safe Edition: FAQ
Frequently asked questions about Tectia Quantum-Safe Edition
Table of Contents
Introduction
Licenses & subscription
Installation
Configuration
Verification
Compatibility
Future
Introduction
What is the Quantum Threat?
Quantum computing is developing at a fast pace. With the help of Quantum Computers, it will soon be significantly easier to break current data encryption algorithms used in classical Public Key Cryptography. The threat affects all encryption protocols, including the widely popular SSH and TLS.
There are no capable Quantum computers yet, why do we need to worry now?
Current transmissions can be recorded and decrypted later, exposing the secrets with a delay. Most organizations have long-term secrets that need to be protected for many years. Additionally, with the development in optimization of algorithms and error-correction, even smaller advances in Quantum computing hardware might be able to significantly weaken Classical cryptographic algorithms.
Who else is worried about the Quantum Threat?
The US House of Representatives has passed a Quantum Computing Cybersecurity Preparedness Act that would prioritize the migration to post-quantum cryptography on an ambitious time scale. In addition, various national information security institutes have been aware of the threat for a longer time, for example, NIST (US) has declared "we must act now" already in 2016.
What is the difference between quantum cryptography (QC) and post-quantum cryptography (PQC)?
Quantum cryptography uses novel ways of communication that involve Quantum physics. It is designed to be tamper-proof, providing a high level of security, for example, in a dedicated fiber network. It has an extremely high cost of implementation, its production-ready use cases are limited and it is infeasible for most practical applications. Post-quantum cryptography, on the other hand, uses existing computational hardware and communications networks to address the Quantum Threat. Unlike quantum cryptography, it can provide end-to-end security in most use cases. Some PQC implementations are already used in production, for example, in the financial sector.
In Secure Shell architecture, what part is the most vulnerable?
The Key Exchange used for session keys is the most urgent to be addressed in Secure Shell as the session keys need to withstand future attacks.
What do you mean by Quantum-Safe?
Quantum Safe systems are sufficiently protected against the Quantum Threat. Currently, in the case of the SSH protocol, this means using post-quantum cryptography (PQC) algorithms as part of the key exchange.
What is Tectia Quantum-Safe?
A new edition of Tectia, providing Quantum Safe algorithms for Secure Shell Hybrid Key Exchange. Tectia Quantum-Safe Edition is available as subscription and future versions will eventually support also Quantum-Safe signature algorithms for public key authentication when standardization progresses.
What are the algorithms implemented by Tectia Quantum Safe?
We implement the following Post-Quantum algorithms for SSH Key Exchange:
- Crystals-Kyber - primary NIST (US) candidate for standardization
- FrodoKEM - BSI (German) recommendation
- Streamlined NTRU Prime - retained for OpenSSH compatibility / backup algorithm
- Saber-Firesaber - retained for backwards compatibility/backup algorithm
What is Secure Shell (SSH) Hybrid Key Exchange?
Instead of relying solely on classical KEX, Post Quantum Cryptography (PQC) algorithms, SABER, CRYSTALS/Kyber, FrodoKEM or Streamlined NTRU Prime are used in a Hybrid Key Exchange together with a classical ECDH algorithm. Both the PQC and ECDH algorithms contribute to the key material resulting in a session key that is at least as hard to break as the strongest composite. The hybrid approach mitigates the risk of future attacks on recorded secure shell sessions if weaknesses are discovered in either algorithm.
Why don't you implement Post Quantum Signatures or Post Quantum Symmetric Crypto?
Transition to PQC is an incremental process and the algorithms for different use cases mature at different stages. The existing PQC signature algorithms have not been currently assessed well enough and they might have unknown weaknesses against attacks by Classical Computers and/or Quantum Computers. Unlike with key exchange, the hybrid approach cannot be used with signature algorithms that have to withstand attacks on their own merit. Also, sufficiently long existing authentication keys can still be used securely until day one when a cryptographically relevant quantum computer becomes available so the need is not as urgent as for the key exchange. Because of this, we rely on the Classical algorithms for now, but this will change when there starts to be more widespread acceptance of these new PQC signature algorithms. Symmetric ciphers relying on AES are believed to be safe well into the post-quantum era. The standardization of new symmetric ciphers has not yet begun.
Why don't you implement Quantum Key Distribution?
Quantum Key Distribution is technically Quantum Cryptography. It requires deploying additional network hardware (dedicated blind fiber) or line-of-sight links and seldom provides end-to-end security. As Quantum Cryptography, it is infeasible for most practical purposes including any use case in the financial sector.
Can I protect other TCP applications, such as TLS, with Tectia Quantum-Safe?
Yes, it is possible to tunnel any TCP traffic, for example, TLS connections, with Tectia Quantum-Safe to protect the traffic.
Licenses & subscription
What do I need to do to get Tectia Quantum-Safe?
You need to purchase Tectia Quantum-Safe Edition. If you have an older license of Tectia, you can upgrade that to a subscription contract of Tectia Quantum-Safe. Please contact SSH sales for pricing info and to get your quote.
I have purchased Tectia via a reseller, how do I get the Quantum-Safe upgrade?
Please contact your reseller for the upgrade.
What if I don't have Tectia?
You can enter a new subscription contract of Tectia Quantum-Safe without paying an up-front license fee. Please contact SSH sales for pricing info and to get your quote.
How do I try Tectia Quantum-Safe before purchasing?
You can activate a free trial of Tectia Quantum-Safe. The evaluation version has full functionality and is valid for 45 days from installation. Note that the evaluation version will upgrade your existing Tectia installation and it will stop working after the evaluation period ends unless the version 6.6 license is installed.
Installation
Where do I get the binaries for Tectia Quantum-Safe?
After login into your account in the SSH Customer Download Center choose your product download - Tectia - Quantum - Server or download - Tectia - Quantum - Client. You should see the version 6.6.0 folder. If you have a valid subscription for Tectia Quantum-Safe but don't see the commercial PQC packages, please contact SSH support or your reseller support.
Why can't I see binaries for Tectia Quantum-Safe for my platform?
Tectia Quantum-Safe version 6.6.0 only supports Windows, Linux, and AIX. Support for HP-UX and Solaris will be added in version 6.6.2, planned for fall 2022. In the meantime, you are recommended to use Tectia version 6.5.1 on your platform.
There are no more packages for 32-bit Intel x86, will they be added later?
No, only 64-bit Intel x86-64 platforms are supported for version 6.6 and later.
How do I install Tectia Quantum-Safe?
Please follow the instructions of the Quick Start Guide (for Unix & for Windows) in the installation package.
I installed/upgraded to Tectia Quantum-Safe but it is running as an evaluation version instead of the commercial version, do I need to reinstall it?
No, just import/copy the license(s) from the commercial installation package to the licenses directory and restart the application.
Configuration
How do I enable the Quantum-Safe algorithms?
The Quantum-Safe algorithms are enabled by default. If you have a new installation, you don't have to do anything unless you wish to enforce Quantum-Safe algorithms only. If you have a custom setup, you need to enable the algorithms.
How do I make sure that only Quantum-Safe connections are used?
You need to allow only PQC KEX algorithms. Please note that if you do this, you cannot communicate with a client or server that does not support Quantum-Safe algorithms. Please see ssh-server-config-example.xml and ssh-broker-config-example.xml for instructions on how to enforce the PQC algorithms and allow for specific exceptions.
Verification
How do I know that my copy of Tectia is a Quantum-Safe Edition?
For the Windows Terminal and SFTP GUI Clients, this is visible in the application title. For the command-line clients, invoking sshg3 -V or ssh-broker-ctl-V shows if the PQC feature is available. For the server, please use ssh-server-ctl-V to see the information or the Tectia Server Configuration GUI on Windows.
How do I know if Quantum-Safe algorithms are enabled?
You can check the enabled KEX algorithms from the Tectia Client Configuration GUI, Tectia Server Configuration GUI, or if explicitly configured directly from the configuration files.
How do I know if a certain individual connection is Quantum-Safe?
You can find the information in the connection log or in the audit log KEX success message which key exchange algorithm was used.
Compatibility
How to establish a Quantum-Safe connection between Tectia and OpenSSH?
You need OpenSSH version 9.0 or higher. OpenSSH supports Streamlined NTRU Prime in the Hybrid Key Exchange; if you have a custom setup please make sure that sntrup761x25519-sha512@openssh.com algorithm is enabled and on the client-side also preferred. On the Tectia side, please make sure that at least this algorithm is enabled, and on the client-side also preferred over classical KEX. Note that OpenSSH does not support SABER, CRYSTALS/Kyber, or FrodoKEM.
How to establish a Quantum-Safe connection between Tectia and a third-party SSH implementation?
You need an SSH implementation that supports any of the following Hybrid KEX algorithms:
- ecdh-nistp521-firesaber-sha512@ssh.com
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512@openssh.com
How to establish a Quantum-Safe connection with Tectia Server for z/OS?
You need Tectia Server for z/OS version 6.6.12 or higher. Tectia Server for z/OS supports the following algorithms: SABER, CRYSTALS/Kyber, and FrodoKEM.
Future
Why was Tectia 6.6.0 only released as Quantum-Safe?
This was done in order to have PQC algorithms available for customer production environments faster. We plan to release parallel standard and Quantum-Safe editions in the future.
Do you plan to continue delivering updates for non-Quantum-Safe Tectia?
Absolutely! From the next version 6.6.2 on, we will proceed with delivering two parallel editions for each Tectia version - one with Quantum-Safe algorithms, the other without. For example, we are planning an overhaul of the Windows GUI client in a future version, which will be available for all Tectia users.