Secure Shell (SSH) Key Exchange Method Using Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512
draft-ietf-sshm-ntruprime-ssh-06
Technical Summary
This document describes a widely deployed hybrid key exchange method
in the Secure Shell (SSH) protocol that is based on Streamlined NTRU
Prime sntrup761 and X25519 with SHA-512. It specifies a mechanism to
protect against potential "record-now-decrypt-later" attacks from the
future invention of a cryptographically relevant quantum computer (CRQC).
Working Group Summary
The SSHM working group was recently re-opened after a long hiatus with the
agreement to bring the protocol RFCs up to a current state. It has been a difficult
start, but there have been some good interactions.
For this draft there was both controversy and an appeal to the responsible AD:
This specific mechanism is based on an algorithm (NTRU Prime) that has not
been selected as a "winner" in the NIST post-quantum competition. It should
be noted that NTRU Prime has a fairly long history in the cryptographic community
and has been widely deployed for at least 5 years in SSH products. The SSHM WG has
other drafts in the pipeline to handle NIST "winners" but how to signal IETF or
WG preferences in this space is inherently tricky. The controversy was about the
intended RFC status (Informational) and the state of the algorithm in the registry
(SHOULD). In the end 'rough consensus' was reached.
Document Quality
It has been widely implemented, and selected as the default KEX in OpenSSH, for about 5 years.
Many SSH implementations already implement it.
There was an invalid IPR disclosure made, which has been removed. The artifacts
are still there, but it is not a valid IPR disclosure.
There are no YANG modules, Media Type registrations, or other expert reviews required.
Personnel
The Document Shepherd for this document is Job Snijders. The Responsible
Area Director is Deb Cooley.