Bug 2073387

Summary: Make hybrid Streamlined NTRU Prime + x25519 key exchange method the default (like in OpenSSH 9.0)
Product: Red Hat Enterprise Linux 9
Component: openssh
Version: CentOS Stream
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Reporter: Robert Scheck <redhat-bugzilla>
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: apmukher, asosedki, bstinson, dbelyavs, jjelen, jwboyer, robert.scheck
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-04-08 14:51:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Robert Scheck 2022-04-08 11:38:56 UTC
Description of problem:
https://www.openssh.com/txt/release-9.0 states:

--- 8< ---
 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

   We are making this change now (i.e. ahead of cryptographically-
   relevant quantum computers) to prevent "capture now, decrypt
   later" attacks where an adversary who can record and store SSH
   session ciphertext would be able to decrypt it once a sufficiently
   advanced quantum computer is available.
--- 8< ---

In conclusion, I would like to see the same behaviour by default in RHEL 9.

Version-Release number of selected component (if applicable):
openssh-8.7p1-8

Actual results:
Other default key exchange method.

Expected results:
Make hybrid Streamlined NTRU Prime + x25519 key exchange method the default (like in OpenSSH 9.0)
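
A way to check which side of this request a given host is on, as an added example that is not part of the bug report or of OpenSSH: it reads an effective configuration in the `keyword value` form printed by `ssh -G <host>` or `sshd -T` and reports where the hybrid method sits in the KexAlgorithms preference list. The function names are hypothetical and both sample dumps are constructed.

```shell
#!/bin/sh
# Added example: rank of the hybrid KEX in an effective OpenSSH configuration.
# Input format: one "keyword value" pair per line, as printed by
# `ssh -G <host>` (client) or `sshd -T` (server).

HYBRID='sntrup761x25519-sha512'   # method name quoted in the release notes

# Constructed samples (not captured from a real host).
SAMPLE_LEGACY='port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256'
SAMPLE_HYBRID_FIRST='port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256'

# kex_rank: read a config dump on stdin and print the 1-based position of the
# hybrid method in the kexalgorithms list, or 0 if it is not offered.
kex_rank() {
    awk -v want="$HYBRID" '
        tolower($1) == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++) {
                name = algs[i]
                sub(/@.*$/, "", name)   # ignore a vendor suffix such as @openssh.com
                if (name == want) { print i; found = 1; exit }
            }
        }
        END { if (!found) print 0 }
    '
}

# kex_verdict: turn the rank into a short finding for an audit report.
kex_verdict() {
    rank=$(kex_rank)
    case "$rank" in
        0) echo "absent" ;;
        1) echo "preferred" ;;
        *) echo "offered (position $rank)" ;;
    esac
}

# Demo on the constructed samples; on a real system pipe in
# `ssh -G <host>` or `sshd -T` instead.
printf 'legacy sample: %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | kex_verdict)"
printf 'hybrid sample: %s\n' "$(printf '%s\n' "$SAMPLE_HYBRID_FIRST" | kex_verdict)"
```

A result of "absent" or a position other than 1 means sessions negotiated with default preferences are not guaranteed to use the hybrid exchange, which is the "capture now, decrypt later" exposure the release notes describe.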

Comment 1 Robert Scheck 2022-04-08 11:44:21 UTC
Cross-filed case 03193392 at the Red Hat customer portal.

Comment 2 Dmitry Belyavskiy 2022-04-08 14:51:46 UTC
Dear Robert,

Unfortunately, no PQC algorithms are standardized by NIST yet. For our purpose it means that we will not use PQC algorithms by default until they are standardized by NIST.

Comment 3 Robert Scheck 2022-04-08 14:58:27 UTC
Dmitry, so that would mean that if CentOS Stream 9 would ship OpenSSH 9.0, you would have patched it to change the upstream default (to the previous default) for the same reason as well?

Comment 8 Dmitry Belyavskiy 2022-04-14 09:50:40 UTC
Dear Robert,

Unfortunately, we aren't going to implement or enable by default any crypto algorithm unapproved by a Standard Authority, because such approval is required to be sure that this algorithm is secure enough. There are many PQ crypto algorithms, but until it is approved by a corresponding Standard Body, we don't want to provide any of them by default.

Comment 10 Robert Scheck 2022-04-14 09:58:29 UTC
Thank you for the clarification! :)