
DominikHoffmann

macrumors 6502a
Original poster
How do I use ssh-keygen to generate an ML-KEM key pair? My current version of OpenSSH does not appear to have that functionality, unless I am missing something.

Background

Today, for the first time, I saw this when connecting to a remote host via ssh:

Code:
dominik@dominikmbp ~ % ssh admin@dominikpc.local
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key '/Users/dominik/.ssh/id_rsa':

The version of OpenSSH on my system (running Tahoe 26.4.1) per

Code:
dominik@dominikmbp ~ % ssh -V
OpenSSH_10.2p1, LibreSSL 3.3.6
is 10.2p1.

Pulling up the quoted link, I found out that the recommended cipher is now based on Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). RSA and elliptic-curve cryptography (ECC) have been known to not be quantum-computing-safe. In short, a sufficiently powerful quantum computer will be able to brute-force crack these established ciphers within a reasonable timeframe. Once such a quantum computer becomes available, even previously encrypted communication which has been stored is subject to being cracked. OpenSSH therefore encourages the use of ML-KEM ciphers as early as possible.
 
Running ssh -Q kex will show all the available key exchange algorithms supported by your ssh.

On my Sequoia install I have mlkem768x25519-sha256 (as well as sntrup761x25519-sha512), so surely you should have it as well.

To be clear, key exchange algorithms (kex), ciphers (cipher) and keys (key) are different things (the strings in parentheses can be queried with ssh -Q). You generate keys via the ssh-keygen command. So you don't generate "ML-KEM keys"; you would just put the kex algorithm in your .ssh/config.

The site you link to does say:

What about signature algorithms? You said they were at risk too
Yes, most currently-used signature algorithms (including RSA and ECDSA) can be broken by a quantum computer. However, there is no risk to existing traffic in this situation (i.e. there is no analogous "store now, decrypt later"). The only urgency for signature algorithms is ensuring that all classical signature keys are retired in advance of cryptographically-relevant computers becoming a reality. OpenSSH will add support for post-quantum signature algorithms in the future.
 
That's a great question for AI. I recommend you ask a chat agent and let it walk you through the steps to set up both ends of your SSH traffic. Unfortunately, macrumors won't allow me to post the results of my AI chat.
 
What command should I look for in any of the relevant config files?

Generally your ~/.ssh/config will look something like this:
Code:
Host *
    ...
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    ...

Just add one (or both) of the new kex algorithms to the front of that list. It's comma-separated, and it prefers the first option both client and server have. Options not listed will be disabled.

On your server make sure the config in /etc/ssh.d/ has the kex algorithm listed as well.
 
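As an added example that is not from any post in this thread, here is a small POSIX sh helper for the steps the last two replies describe: it checks a `ssh -Q kex` listing for the two post-quantum hybrid algorithms and builds a KexAlgorithms value with them in front of the existing list. The function names and the sample kex listing are my own constructions, so the helpers can be run without ssh present.

```shell
#!/bin/sh
# Added example, not from any post in this thread: POSIX sh helpers that
# mirror the procedure above. They work on text (the output of `ssh -Q kex`
# and the current KexAlgorithms value), so they can be exercised without ssh.

# Post-quantum hybrid kex names mentioned in the thread, most preferred first.
PQ_KEX="mlkem768x25519-sha256 sntrup761x25519-sha512"

# Constructed sample of `ssh -Q kex` output from a client that supports both.
SAMPLE_KEX_LIST='curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256
sntrup761x25519-sha512
mlkem768x25519-sha256'

# pq_kex_available LIST: print each PQ kex name present in LIST (one name per
# line, as `ssh -Q kex` prints them). Exit status 1 when the client has none.
pq_kex_available() {
    found=0
    for k in $PQ_KEX; do
        if printf '%s\n' "$1" | grep -qx "$k"; then
            printf '%s\n' "$k"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# prepend_pq_kex CURRENT AVAILABLE: build a KexAlgorithms value with the
# supported PQ algorithms in front of the comma-separated CURRENT list.
# Entries already in CURRENT are not repeated, so the line stays clean.
prepend_pq_kex() {
    pq=$(pq_kex_available "$2" | tr '\n' ',')   # "mlkem...,sntrup...," or ""
    rest=""
    IFS=','
    for k in $1; do
        case ",$pq" in
            *",$k,"*) ;;                        # already placed in front
            *) rest="${rest}${k},";;
        esac
    done
    unset IFS
    printf '%s\n' "${pq}${rest}" | sed 's/,$//'
}

# On a real system: prepend_pq_kex "<current list>" "$(ssh -Q kex)"
# Here, with the constructed sample list:
prepend_pq_kex "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" "$SAMPLE_KEX_LIST"
# -> mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
```

The printed value is what you would put after KexAlgorithms in ~/.ssh/config; the server side still needs the same algorithm enabled for it to be negotiated.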