-
Notifications
You must be signed in to change notification settings - Fork 62
Integration Notes
= = = WORK IN PROGRESS = = =
This page describes how we integrated post-quantum cryptography (PQC) into the SSH2 protocol, and in particular, in the OpenSSH implementation. Note that further implementation notes can be found by grepping for "OQS note" in the code base.
TODO: describe PQ-only and hybrid KEX.
TODO: describe PQ-only sig.
In addition to post-quantum (PQ) signatures; we also support classical/PQ hybrids. In that case, a classical and a PQ signature are generated on the same data, and the resulting signatures are concatenated. We combine RSA or ECDSA (using the NIST curves) with the supported OQS algorithm at an equivalent security level; this means using:
- RSA3072 and NIST-P256 for L1 schemes, and
- NIST-P384 for L3 schemes (RSA isn't supported above L1 for efficiency reasons)
New key types have been defined for the hybrid cases, identified by the ssh-<classical>-<pq>
string, where <classical>
is either p256
, p384
, or rsa3072
and <pq>
is one of the supported PQ schemes.
Keys are serialized sequentially: the classical key is serialized first, followed by the PQ one. The SSH key encoding contains all the length and serialization information, so the OpenSSH serialization for each type is called sequentially.
The OpenSSH signature code is called sequentially: the classical handling is performed first (including hashing the signed data with the appropriate SHA2 functions (SHA256 for L1 schemes, SHA384 for L3 schemes)), followed by the PQ one (in which case the data is signed/verified directly). The resulting signatures are encoded as follows:
- classical_sig_len: 4 bytes encoding the size of the classical signature
- classical_sig: the classical signature of length classical_sig_len
- pq_sig_len: 4 bytes encoding the size of the post-quantum signature
- pq_sig: the post-quantum signature of length pq_sig_len
In order to support algorithms with large key/signature sizes, such as Rainbow, Picnic, or McEliece, we had to increase various limits throughout the code:
-
msg.c
: We increased the maximum value ofmsg_len
inssh_msg_recv
from256 * 1024
to65536 * 1024
. -
sshkey.h
: We increasedSSH_KEY_MAX_SIGN_DATA_SIZE
from(1 << 20)
to(1 << 25)
. -
packet.c
: We increasedPACKET_MAX_SIZE
from256 * 1024
to2048 * 1024
. -
authfile.c
: We increasedMAX_KEY_FILE_SIZE
from1024 * 1024
to67108864
-
monitor_wrap.c
: We increased the maximum value ofmsg_len
inmm_request_receive
from256 * 1024
to65536 * 1024
.