← Back to context

Comment by FiloSottile

4 hours ago

This article is more aimed at those specifying and implementing WebAuthN and SSH, than at those using them.

They/we need to migrate those protocols to PQ now, so that you all can start migrating to PQ keys in time, including the long tail of users that will not rotate their keys and hardware the moment the new algorithms are supported.

For example, it might be too late to get anything into Debian for it to be in oldstable when the CRQCs come!

4 comments

FiloSottile

Reply
palata  2 hours ago

> This article is more aimed at those specifying and implementing WebAuthN and SSH, than at those using them.

Sure, I'm just trying to understand the consequences of that. Felt great to finally have secure elements on smartphones and laptops (or Yubikeys), protecting against the OS being compromised (i.e. "you access my OS, but at least you can't steal my keys").

I was wondering if PQ meant that when it becomes reality, we just get back to a world where if our OS is compromised, then our keys get compromised, too. Or if there is a middle ground in the threat model, e.g. "it's okay to keep using your Yubikey, because an attacker would need to have physical access to your key, specialised hardware AND access to a quantum computer in order to break it". Versus "you can stop bothering about security keys because with "store now, decrypt later", everything you do today with your security keys will anyway get broken with quantum computers eventually".

  • FiloSottile  1 hour ago

    If you are doing authentication with those hardware keys, you will probably be fine, if we do our job fast enough. Apple's Secure Enclave already supports some PQ signatures (although annoyingly not ML-DSA-44 apparently?) and I trust Yubico is working on it.

    If you are doing encryption, then you do have reason to worry, and there aren't great options right now. For example if you are using age you should switch to hybrid software ML-KEM-768 + hardware P-256 keys as soon as they are available (https://github.com/str4d/age-plugin-yubikey/pull/215). This might be a scenario in which hybrids provide some protection, so that an attacker will need to compromise both your OS and have a CRQC. In the meantime, depending on your threat model and the longevity of your secrets (and how easily they can rotated in 1-2 years), it might make sense to switch to software PQ keys.

    • palata  41 minutes ago

      Thanks a lot, that helps!

      > This might be a scenario in which hybrids provide some protection, so that an attacker will need to compromise both your OS and have a CRQC.

      Did you mean "your OS and have a CRQC" here, or "your Yubikey and have a CRQC"?

      1 reply →