Source: http://www.ssh.com/tectia-quantum-safe-faq

FAQ about Tectia Quantum-Safe Edition | SSH

Tectia Quantum-Safe Edition: FAQ

Frequently asked questions about Tectia Quantum-Safe Edition

Table of Contents

Introduction
Licenses & subscription
Installation
Configuration
Verification
Compatibility
Future

 

Introduction

What is the Quantum Threat?

Quantum computing is developing at a fast pace. With the help of Quantum Computers, it will soon be significantly easier to break current data encryption algorithms used in classical Public Key Cryptography. The threat affects all encryption protocols, including the widely popular SSH and TLS.

 

There are no capable Quantum computers yet, why do we need to worry now?

Current transmissions can be recorded and decrypted later, exposing the secrets with a delay. Most organizations have long-term secrets that need to be protected for many years. Additionally, as algorithm optimization and error correction develop, even smaller advances in quantum computing hardware might significantly weaken classical cryptographic algorithms.

 

Who else is worried about the Quantum Threat?

The US House of Representatives has passed the Quantum Computing Cybersecurity Preparedness Act, which would prioritize the migration to post-quantum cryptography on an ambitious time scale. In addition, various national information security institutes have been aware of the threat for longer; for example, NIST (US) declared "we must act now" as early as 2016.

 

What is the difference between quantum cryptography (QC) and post-quantum cryptography (PQC)?

Quantum cryptography uses novel ways of communication that involve Quantum physics. It is designed to be tamper-proof, providing a high level of security, for example, in a dedicated fiber network. It has an extremely high cost of implementation, its production-ready use cases are limited and it is infeasible for most practical applications. Post-quantum cryptography, on the other hand, uses existing computational hardware and communications networks to address the Quantum Threat. Unlike quantum cryptography, it can provide end-to-end security in most use cases. Some PQC implementations are already used in production, for example, in the financial sector.

 

In Secure Shell architecture, what part is the most vulnerable?

The key exchange that establishes the session keys is the most urgent part to address in Secure Shell, because the session keys need to withstand future attacks.

 

What do you mean by Quantum-Safe?

Quantum Safe systems are sufficiently protected against the Quantum Threat. Currently, in the case of the SSH protocol, this means using post-quantum cryptography (PQC) algorithms as part of the key exchange.

 

What is Tectia Quantum-Safe?

A new edition of Tectia that provides Quantum-Safe algorithms for Secure Shell Hybrid Key Exchange. Tectia Quantum-Safe Edition is available as a subscription, and future versions will eventually also support Quantum-Safe signature algorithms for public key authentication as standardization progresses.

 

What are the algorithms implemented by Tectia Quantum Safe?

We implement the following Post-Quantum algorithms for SSH Key Exchange:

Crystals-Kyber - primary NIST (US) candidate for standardization
FrodoKEM - BSI (German) recommendation
Streamlined NTRU Prime - retained for OpenSSH compatibility / backup algorithm
Saber-Firesaber - retained for backwards compatibility / backup algorithm

What is Secure Shell (SSH) Hybrid Key Exchange?

Instead of relying solely on classical KEX, a Post-Quantum Cryptography (PQC) algorithm (SABER, CRYSTALS/Kyber, FrodoKEM or Streamlined NTRU Prime) is used in a Hybrid Key Exchange together with a classical ECDH algorithm. Both the PQC and ECDH algorithms contribute to the key material, resulting in a session key that is at least as hard to break as the strongest of the combined algorithms. The hybrid approach mitigates the risk of future attacks on recorded Secure Shell sessions if weaknesses are discovered in either algorithm.

 

Why don't you implement Post Quantum Signatures or Post Quantum Symmetric Crypto?

Transition to PQC is an incremental process, and the algorithms for different use cases mature at different stages. The existing PQC signature algorithms have not yet been assessed well enough, and they might have unknown weaknesses against attacks by classical computers and/or quantum computers. Unlike with key exchange, the hybrid approach cannot be used with signature algorithms, which have to withstand attacks on their own merit. Also, sufficiently long existing authentication keys can still be used securely until the day a cryptographically relevant quantum computer becomes available, so the need is not as urgent as for the key exchange. Because of this, we rely on the classical algorithms for now, but this will change when these new PQC signature algorithms gain more widespread acceptance. Symmetric ciphers relying on AES are believed to be safe well into the post-quantum era. The standardization of new symmetric ciphers has not yet begun.

Why don't you implement Quantum Key Distribution?

Quantum Key Distribution is technically Quantum Cryptography. It requires deploying additional network hardware (dedicated blind fiber) or line-of-sight links and seldom provides end-to-end security. As Quantum Cryptography, it is infeasible for most practical purposes including any use case in the financial sector.

 

Can I protect other TCP applications, such as TLS, with Tectia Quantum-Safe?

Yes, it is possible to tunnel any TCP traffic, for example, TLS connections, with Tectia Quantum-Safe to protect the traffic.



Licenses & subscription

What do I need to do to get Tectia Quantum-Safe?

You need to purchase Tectia Quantum-Safe Edition. If you have an older license of Tectia, you can upgrade that to a subscription contract of Tectia Quantum-Safe. Please contact SSH sales for pricing info and to get your quote.

 

I have purchased Tectia via a reseller, how do I get the Quantum-Safe upgrade?

Please contact your reseller for the upgrade.

 

What if I don't have Tectia?

You can enter a new subscription contract of Tectia Quantum-Safe without paying an up-front license fee. Please contact SSH sales for pricing info and to get your quote.

 

How do I try Tectia Quantum-Safe before purchasing?

You can activate a free trial of Tectia Quantum-Safe. The evaluation version has full functionality and is valid for 45 days from installation. Note that the evaluation version will upgrade your existing Tectia installation and it will stop working after the evaluation period ends unless the version 6.6 license is installed.



Installation

Where do I get the binaries for Tectia Quantum-Safe?

After logging in to your account in the SSH Customer Download Center, choose your product: download - Tectia - Quantum - Server or download - Tectia - Quantum - Client. You should see the version 6.6.0 folder. If you have a valid subscription for Tectia Quantum-Safe but don't see the commercial PQC packages, please contact SSH support or your reseller support.

 

Why can't I see binaries for Tectia Quantum-Safe for my platform?

Tectia Quantum-Safe version 6.6.0 only supports Windows, Linux, and AIX. Support for HP-UX and Solaris will be added in version 6.6.2, planned for fall 2022. In the meantime, we recommend using Tectia version 6.5.1 on your platform.

 

There are no more packages for 32-bit Intel x86, will they be added later?

No, only 64-bit Intel x86-64 platforms are supported for version 6.6 and later.

 

How do I install Tectia Quantum-Safe?

Please follow the instructions of the Quick Start Guide (for Unix & for Windows) in the installation package.

 

I installed/upgraded to Tectia Quantum-Safe but it is running as an evaluation version instead of the commercial version, do I need to reinstall it?

No, just import/copy the license(s) from the commercial installation package to the licenses directory and restart the application.

 

Configuration

How do I enable the Quantum-Safe algorithms?

The Quantum-Safe algorithms are enabled by default. If you have a new installation, you don't have to do anything unless you wish to enforce Quantum-Safe algorithms only. If you have a custom setup, you need to enable the algorithms.

 

How do I make sure that only Quantum-Safe connections are used?

You need to allow only PQC KEX algorithms. Please note that if you do this, you cannot communicate with a client or server that does not support Quantum-Safe algorithms. Please see ssh-server-config-example.xml and ssh-broker-config-example.xml for instructions on how to enforce the PQC algorithms and allow for specific exceptions.

 

Verification

How do I know that my copy of Tectia is a Quantum-Safe Edition?

For the Windows Terminal and SFTP GUI Clients, this is visible in the application title. For the command-line clients, invoking sshg3 -V or ssh-broker-ctl -V shows if the PQC feature is available. For the server, please use ssh-server-ctl -V to see the information or the Tectia Server Configuration GUI on Windows.

 

How do I know if Quantum-Safe algorithms are enabled?

You can check the enabled KEX algorithms from the Tectia Client Configuration GUI, the Tectia Server Configuration GUI, or, if they are explicitly configured, directly from the configuration files.

 

How do I know if a certain individual connection is Quantum-Safe?

The connection log, or the KEX success message in the audit log, shows which key exchange algorithm was used.

 

Compatibility

How to establish a Quantum-Safe connection between Tectia and OpenSSH?

You need OpenSSH version 9.0 or higher. OpenSSH supports Streamlined NTRU Prime in the Hybrid Key Exchange; if you have a custom setup, please make sure that the sntrup761x25519-sha512@openssh.com algorithm is enabled and, on the client side, also preferred. On the Tectia side, please make sure that at least this algorithm is enabled and, on the client side, also preferred over classical KEX. Note that OpenSSH does not support SABER, CRYSTALS/Kyber, or FrodoKEM.

 

How to establish a Quantum-Safe connection between Tectia and a third-party SSH implementation?

You need an SSH implementation that supports any of the following Hybrid KEX algorithms:

ecdh-nistp521-firesaber-sha512@ssh.com
ecdh-nistp521-kyber1024-sha512@ssh.com
curve25519-frodokem1344-sha512@ssh.com
sntrup761x25519-sha512@openssh.com
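
The negotiation rule behind the enforcement and compatibility answers above, as an added example (not code from SSH or Tectia): it applies a simplified form of the RFC 4253 section 7.1 selection, where the first name in the client's list that the server also offers wins, to the hybrid KEX names listed on this page. The peer algorithm lists and the `ssh -v` excerpt are constructed for illustration and are not real product defaults.

```python
import re

# Hybrid PQC KEX names exactly as listed on this page.
SNTRUP = "sntrup761x25519-sha512@openssh.com"
KYBER = "ecdh-nistp521-kyber1024-sha512@ssh.com"
HYBRID_PQC_KEX = frozenset({
    "ecdh-nistp521-firesaber-sha512@ssh.com",
    KYBER,
    "curve25519-frodokem1344-sha512@ssh.com",
    SNTRUP,
})

# Constructed peer configurations (assumptions, not real product defaults).
OPENSSH_SERVER = [SNTRUP, "curve25519-sha256", "ecdh-sha2-nistp256"]
LEGACY_SERVER = ["curve25519-sha256", "ecdh-sha2-nistp256"]
PQC_PREFERRED = [KYBER, SNTRUP, "curve25519-sha256"]
CLASSICAL_PREFERRED = ["curve25519-sha256", SNTRUP]
PQC_ONLY = [KYBER, SNTRUP]

# Constructed excerpt of OpenSSH client output from `ssh -v`.
SAMPLE_DEBUG = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
"""
_KEX_LINE = re.compile(r"^debug1: kex: algorithm: (\S+)", re.MULTILINE)


def negotiate_kex(client_prefs, server_algs):
    """First name in the client's ordered list that the server also offers
    (simplified RFC 4253 section 7.1); None means no common KEX, so the
    connection attempt fails."""
    offered = set(server_algs)
    return next((alg for alg in client_prefs if alg in offered), None)


def is_quantum_safe(kex_name):
    """True only for the hybrid PQC KEX names listed on this page."""
    return kex_name in HYBRID_PQC_KEX


def kex_from_openssh_debug(text):
    """Extract the negotiated KEX name from `ssh -v` output, or None."""
    match = _KEX_LINE.search(text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, prefs in [("PQC preferred", PQC_PREFERRED),
                         ("classical preferred", CLASSICAL_PREFERRED),
                         ("PQC only", PQC_ONLY)]:
        for peer, algs in [("OpenSSH 9.x", OPENSSH_SERVER), ("legacy", LEGACY_SERVER)]:
            alg = negotiate_kex(prefs, algs)
            verdict = "fails" if alg is None else ("quantum-safe" if is_quantum_safe(alg) else "classical")
            print(f"{label:20} -> {peer:12}: {alg} ({verdict})")
    seen = kex_from_openssh_debug(SAMPLE_DEBUG)
    print(f"ssh -v shows {seen}: quantum-safe={is_quantum_safe(seen)}")
```

With the classical-preferred list the session negotiates curve25519-sha256 even though both peers support sntrup761x25519-sha512@openssh.com, which is why the client-side preference order matters.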

How to establish a Quantum-Safe connection with Tectia Server for z/OS?

You need Tectia Server for z/OS version 6.6.12 or higher. Tectia Server for z/OS supports the following algorithms: SABER, CRYSTALS/Kyber, and FrodoKEM.

 

Future

Why was Tectia 6.6.0 only released as Quantum-Safe?

This was done in order to have PQC algorithms available for customer production environments faster. We plan to release parallel standard and Quantum-Safe editions in the future.

 

Do you plan to continue delivering updates for non-Quantum-Safe Tectia?

Absolutely! From the next version 6.6.2 on, we will proceed with delivering two parallel editions for each Tectia version - one with Quantum-Safe algorithms, the other without. For example, we are planning an overhaul of the Windows GUI client in a future version, which will be available for all Tectia users.

© Copyright SSH • 2025