SSH Communications Security with Suvi Lampila and Miikka Sainio

Suvi Lampila and Miikka Sainio from SSH Communications Security, a European cyber defense company, are interviewed by Yuval Boger. SSH, known for inventing the SSH protocol, focuses on secure communication and access management. They discusses SSH’s efforts in integrating post-quantum cryptography into their products, highlighting the launch of their quantum-safe solutions, elaborate on the challenges of updating operational technology for quantum safety and the importance of pragmatic solutions. They emphasize the need for market education on PQ, the urgency of preparing for quantum threats, their concerns about the future impact of quantum computing on security, and much more

Full transcript

Yuval: Hello, Suvi. Hello, Miikka. Thank you very much for joining me today.

Suvi Lampila: Thank you for inviting us.

Miikka: Yeah, thanks for having us.

Yuval: Wonderful. So, Miikka, who are you and what do you do?

Miikka: So, I’m Miikka Sainio, I’m the CTO of SSH Communications Security.

We are a European cyber defense company and we are based in Helsinki, Finland. We do have customers all over the world and offices in New York and Singapore. Our founder, Tatu Ylönen, invented the SSH protocol in 1995, actually, almost 30 years ago and then built the company around it. And now, nowadays, as people may know, SSH protocol is one of the fundamental building blocks of the modern internet. So, we build secure communication, access management, and key management products for human-to-human, human-to-machine, and machine-to-machine communications. And with me, I have Suvi Lampila.

Suvi: Hi. Yeah, so my name is Suvi Lampila. I’m a fellow at SSH and I’ve been with the company for over 20 years. And for the past few years, I’ve been working on post-quantum cryptography-related things within our products to make sure that our solutions are quantum safe for the future.

Yuval: A company that’s 30 years old is a little bit unusual on this podcast. And obviously, 30 years ago you were not involved in quantum. When did the need for quantum safe security come up and when did you start working on it?

Suvi: It was kind of a research project at first, and I can’t remember exactly when, but I do remember in 2019 when things started to heat up so that there was more pressure from our customer base to start working on the solution. So it was kind of something to tinker on, but then we kind of started to take it seriously at that point and already in 2021, we had our NQX, which is an IPsec based network encryptor solution available on the market in the Northern Europe. And then a few years ago, our Tectia solution that is a secure shell based solution had its first of PQC algorithms and then our other product lines followed suit the same year. So we’re kind of in front of trying to put this into actual production in our customer base.

Miikka: Yeah, also, back in the day, we were one of the founding members of PQC Finland, which was kind of a cooperation between companies for post-quantum cryptography. 

Suvi: And now we’re part of the consortium that is led by the National Institute of Standards and Technology in PQC migration. So there’s a bit over 20 organizations globally trying to figure out how we’re going to do this migration to PQC in practice. So that’s where we are right now. 

Yuval: What is the state of education of the market? I’m guessing that ten years ago, customers were not really aware of the store now decrypt later concern. But when you speak with customers today, are they generally worried about that? Or is there still a lot of market education that needs to be had?

Suvi: I think you’ve hit the nail on the head there that it’s a major thing to educate this stuff because there’s quite a lot of misunderstandings of like, how do we transition and what needs to be done at what stage. So, the retroactive attacks on the key agreement algorithms of the current Diffie-Hellman and Elliptic-curve Diffie-Hellman that has to be protected first. So we need the Crystals-kyber key encapsulation mechanism in place already now. And we did ourselves a bit of a disservice by naming this post-quantum cryptography that implies that something happens after the quantum era when there are things that need to happen well before the cryptographically relevant quantum computer comes along. So there’s the education side of it that needs to be tackled. And oddly enough, this sort of recording attack did kind of enter the minds of some of our customers already long time ago because we have things in place within the protocols that are not so much quantum-safe, but they’re kind of quantum resilient. So for instance, we do re-keys frequently so that every gigabyte or every hour in Tectia we do the exchange of the session keys again. And that sort of thing is there and it helps in somewhat with the recording attack. But at the end of the day, we need to replace all those old algorithms with quantum-safe alternatives, and getting that thing going is a thing that should be happening already now. We cannot really wait for the final standards and everything to be in place to get a move on. So it has to be an incremental process, and communicating that is also a bit of an uphill battle. 

Miikka: Yeah, it’s an education we have to impose on the customers because people don’t really understand that it’s. They have to consider all the secrets that they have today are they also secrets 10 years from now so and it’s. That also in a sense that coming from a small country so what the players are going to have the quantum computers first they are going to be large nation states and large companies which poses a really asymmetric kind of power. Set up in the world in a sense that the smaller countries or smaller companies will probably kind of lose their secrets first so people need to prepare.

Yuval: Let’s assume I’m a multinational bank, and I contacted you a couple of years ago. I was aware of the concern I wanted to upgrade the security of my network. How does the process look like, and how long would it take until I’m relatively comfortable that I’m protected against future quantum attacks?

Miikka: That’s an excellent question and a very difficult one to answer. But it depends completely. Yeah, we like more recently we have had the chance to work with a lot of companies in operational technology or OT and in OT the software stacks or the devices themselves have really long lifetimes and they don’t update the devices that often because of various reasons.

But also because perhaps the updates aren’t even available so in those cases. To be quantum safe the only way or perhaps to be safe in general.

The only way is to encapsulate or tunnel those connections using quantum safe algorithms. So we really have to be quite pragmatic with our customers how to make them safe. It’s nice to see that Google and Cloudflare and other large internet players are also jumping into the bandwagon and implementing TLS stacks which are quantum safe But of course that only helps with certain use cases.

To be quantum safe the only way or perhaps to be safe in general the only way is to encapsulate those connections using quantum algorithms so we really have to be quite pragmatic with our customers how to how to make them safe. And something that I might like to point out since your audience mostly deals with the quantum side of things like we’re talking about post quantum cryptography which is really just mathematics to tackle the quantum threat that the quantum computers when they get to the high fidelity gates and large enough. Systems are threatening our current encryption so this is like the in our view like the best and the fastest the most economic way to get to the quantum safe state in in time to be able to protect.

These these connections and then when it comes to the authentication site like the signature algorithms is really is the only option on that side as well so we have big proponent of this apart from like compared to some other solutions that are out there that.

At some time in the future might provide some relief right now this is what we’re recommending and it’s not just us mostly. Governmental organizations that’s their recommendation as well that they want this thing. Sort it out in economical viable way so it’s it’s nice to see that Google and cloud flare and other like large internet players are also jumping into the bandwagon and implementing the others. Stacks which are quantum safe but of course that only helps with certain use cases. Very rarely do you get to start from a clean slate and in large organizations so you still have things that.

Need to be able to be used safely right now. Whatever the environment whether it’s in the cloud environment or on premise environments.

Yuval: Speaking of time, some data is more time-sensitive or has a longer shelf life than others. An attacker might not care what I ordered in a restaurant a week ago but may be interested in my life insurance policy or my health records. When you go to customers, what do you tell them about the timeline of when do you expect that quantum computers will be sufficiently strong to break encryption? In the time frame, what shelf life for data should they be worried about?

Suvi: Usually talk about years so but then it really I think we should already now move on from that conversation like when we have sufficient enough. High fidelity gates and so forth to the question that the data already exists now that you want to protect so you have to start asking yourself is it going to be mere embarrassment or existential crisis if the confidentiality of that data is lost.

So like you mentioned health care records like there’s a lot of stuff that doesn’t there’s no expiration date for that it should be ideally kept confidential indefinitely then there are like legislation side that compliance requirements that make sure that you have to keep certain data. Say for over 20 years or whatever it is so or it could be that the legislation is only that you have to worry about something like theoretically expires in five years but in practice that’s not quite the case for instance the primary account numbers that are used in credit cards.

They have to be kept secret they there’s a mechanism of replacing that but it’s very costly and you don’t really want to leave that because usually you want to just renew it to the same primary account number so it really depends on on the customer of their. On what kind of compliance requirements they have when do they have to get a move on on this and it’s very difficult like it’s almost impossible question to answer like what is the timeline in certain scenarios were already too late like if you need something to be protected from that retroactive attack you should have had this yesteryear.

Yeah it’s difficult to predict the future and there’s also the aspect that if. An actor has sufficient power for quantum computer when article to tell the world about so when when do the window people actually know that there’s a such a threat which is acting so that’s that’s one thing and then the inflection point might be quite fast for example.

Miikka: I couldn’t imagine four or five years ago that the large language models are used in kind of such a context and such a way that they are used today and what they are capable of. So, when things happen, they happen really quickly. So I suspect that the same will also apply to quantum computers once it happens.

Suvi: And I think also one misconception is that we’re waiting for the perfect implementation of the quantum computer when the threat to current encryption is going to be in my mind, the combination of the classical computing power with the supercomputers and the quantum computers coming together to wreak havoc. So, like there could be error correction done on the quantum computing side, but then as well like optimization done on the classical computing side that might change things in a way. And then who knows there might be somebody who comes up with the equally great brilliant idea like Peter Shor did back in the day that kind of started the whole feasibility of breaking the asymmetric encryption with the quantum computer and it could be a kid who has been playing around with Qiskit these few years that comes up with something that speeds up things or just narrows down the search in a way that it becomes more feasible. So we’re kind of raising both against the quantum computers and advances that can be made with the classical supercomputers and the combination. Like in Finland we have now the third fastest supercomputer in the world situated in Finland and that has been connected with the baby quantum computer from IQM that the researchers can use for free, apply for time to use the combination. So this field is kind of moving fast where there’s so much money put on the quantum computing side right now that I wish that some of it would also be put on this defending side of things in an equal measure. Right now the uniqueness is that it has been around and available for production already for a few years. So that’s one aspect of it, but we’re able to do it. We’re able to put it into battle-tested solutions that have stood the test of time up until now and we have kind of like a holistic view in many ways when it comes to this, but I don’t really see that we can tackle all even though we are like well-established company. Any company that comes to you and says that they are able to solve this completely is really not telling the truth. This will require a lot of industry wide effort to get, for instance, the authentication keys sorted out and all that. So I see it as a like a big push from the whole industry to get to the quantum-safe world.

Miikka: Having said that, we really do have a really strong stack in supporting customers from moving from weak algorithms to quantum-safe algorithms through SSH key management and then SSH client-server solutions and our access management solutions which are all quantum-safe. So we have kind of quite a complete solution for customers starting from the discovery and ending to actual securing connections between different entities in the organization. And yeah.

Suvi: In a way, it’s not our first rodeo also. We’ve been through these sort of similar things before with that SHA-1 to SHA-2 migration and so forth. So hopefully that is something that will help us also this time around that we were able to do timely things in a manner where it makes sense. And then I think like many of our largest customers benefit from the lessons learned that we get from the other customers. So there’s also that the established customer base helps one another. 

Yuval: When you look around the world, do you see some countries that are taking this more seriously than others? [silence]

Suvi: Well, I think many countries at least the ones that I’ve visited and had some conversations and we look at the NIST efforts of the standardization being very much like international effort. And there’s many places have taken the stance that they’ll wait and see what the US does, what NIST recommends and then take it from there. That’s, for instance, how UK has positioned itself, that they will follow NIST recommendations and so forth. Finland hasn’t really had a specific policy on this, but during that PQC Finland process, we did have a policy brief on it, and our recommendations are pretty much in line with what the NIST is saying apart from that, we do recommend the hybrid approach, which combines the classical key exchange algorithms with the PQC algorithms for a time being. But then there are others like the German BSI and the French ANSSI that recommend likely different algorithms compared to the NIST. So there is a legislation push going in different parts of the world. But I would say that most likely these things, we don’t necessarily get to see what is done on the national level. We do get to see the glimpse into the commercial space of things. So most are waiting for the NIST to finalize the standardization project and following that. We do recognize that we need certain interoperability as well. So there is that good reasoning for it. 

Having said that, it doesn’t mean that you can just lay low and wait for somebody else to figure these things out for you. So there needs to be certain things that organizations need to look at already at this stage because the well, the retroactive threat for one. So we cannot just wait until everything is ready to get moving on with that. What keeps me up at night?

Yuval: From a business perspective, what are you worried about? What keeps you up at night? 

Suvi: Well, there has been so many times now, even this past year, when there has been news about RSA 2048 being broken. And well, so far, that hasn’t been the case, but I’m kind of hoping that we get to that position that when that call comes in, I’m going to be able to confidently say that, you know, we have moved on to post-quantum cryptography long ago. It doesn’t concern us because of that. It’s not used anymore. So my kind of concern is that something will cause an avalanche of things that it will happen in an uncontrolled way. And I’m caught between a rock and a hard place with our customers in that sense. But at least we’re working hard on trying to avoid that scenario. So having said that, I have one thing that I kind of think, in my own mind, is that the chances are that we won’t learn about the cryptographically relevant quantum computer. It’s going to be a bit like Enigma back in the day that whoever comes up with that, they’re not going to reveal it to the world. They’re going to let their own ship sink before they reveal. So maybe there’s a museum like there’s now in Bletchley Park in UK 50 years from now. And then we learn when these things actually were already operational. But yeah, that’s the thing. It probably might be that that museum isn’t open before my time is up on this planet. But hopefully we’ve taken that into consideration already before then.

Yuval: And as we get to the end of our conversation today, I wanted to ask you a hypothetical and perhaps Mika, you could go first and then Suvi. If you could have dinner with one of the quantum or security greats, dead or alive, who would that person be?

Miikka: This is kind of a difficult one, but I think that for quantum mechanics it would be David Deutsch. Because it would be interesting to talk about the many worlds in the interpretation. And I don’t know enough to have a view or belief in one direction or another, but it would be nice to learn or hear about his views. 

Suvi: Yeah, for me, I’m kind of leaning toward a dinner party that I would really much like to invite Peter Shor to that, ask him to bring somebody he thinks would be great to have. And then this brilliant cryptographer, Maria Eichlseder, who I had a pleasure to meet last year at one of these events in Forum Alpach, where we were speaking that I would love her to be involved as well, because I have quite a bit of understanding right now of the post quantum cryptography when it comes to the asymmetric side of things. But she’s working already on the symmetric, the future, the lightweight encryption algorithms that would replace the eventually symmetric stuff. So it would be lovely to get to see her again and ask her to bring other people into the party to discuss.

Yuval: Wonderful. Suvi, Mika, thank you so much for joining me today.

Miikka: Thank you.

Suvi: Thank you for having us.