If you were like me and not sure what “post-quantum SSH security” means, you should read this. TL;DR it’s an algorithm believed to be unbreakable by quantum computers.
GitHub introduces hybrid post-quantum SSH security to better protect Git data in transit
Submitted 12 hours ago by sun@slrpnk.net to technology@lemmy.world
Comments
wetbeardhairs@lemmy.dbzer0.com 11 hours ago
AFAIK quantum computing’s only demonstrations of being able to break encryption using Shore’s algorithm was in a toy problem where they already knew the answer and it was like 5 bits long.
boatswain@infosec.pub 2 hours ago
NIST says 2035 should be the target date for organizations to get to something quantum resistant. The talk I saw at DefCon this year laid out a very convincing argument that due to advancements in the implementation of Shorr’s, as well as one other algorithm, that’s not an aggressive enough target and we should really be shooting for 2030. Apparently IBM has never missed a target date, and they’re looking at having enough logical Qubits by 2032 or so.
truthfultemporarily@feddit.org 9 hours ago
The threat model is that all communication is recorded and will be decrypted once the technology becomes available. The question then becomes for how long you want your data to be secure. If its for example 40 years, you need to chose an algorithm today that is still secure in 40 years.
FauxLiving@lemmy.world 4 hours ago
Would you like to know more?: en.wikipedia.org/wiki/Harvest_now,_decrypt_later
9tr6gyp3@lemmy.world 11 hours ago
I believe quantum computers are only going to really threaten asymmetric encryption, like the one used in SSH keys. Things like RSA, DSA, and ECDSA, as well as Diffie-Hellman key exchanges are potentially weak to future quantum computers brute forcing those integers.
Symmetrical encryption should hold up much better against quantum. An algorithm like AES or ChaCha20 should be fine with a bit key length of 256 or higher.
Or just move to the post-quantum algorithms to be safe.
wetbeardhairs@lemmy.dbzer0.com 10 hours ago
Meh. I think quantum computers are technological hocuspocus that is used as justification for companies like D-Wave to generate billions of dollars for a few financial executives. The science is real. The engineering is real. The technology is a toy and its uses are extraordinarily limited and out-competed by normal computers.
Can it optimally solve the travelling salesman problem? Sure. With many thousands of bits. Can a classical computer with a fancy algorithm get close enough for practical use cases? Yes. With today’s technology and enough power to run an old lightbulb.
FaceDeer@fedia.io 8 hours ago
If you haven't already switched to more secure algorithms you'll be impressed and also penniless when it can break 192-bit encryption with proper entropy.
probable_possum@leminal.space 5 hours ago
Yes, but then it is stored unencrypted on github. Ready to be used as training data. Which isn’t bad per se. Just pointing out, that the weakest link in your chain of security mrasures is the… weakest link.
If you wanted to secure your code, you could store it on-site, behind a firewall, in its own network segment, with encrypted offsite backups. Elliptic curves would help too in this scenario.