{"id":2480,"date":"2025-09-15T16:13:44","date_gmt":"2025-09-15T16:13:44","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/09\/15\/post-quantum-security-for-ssh-access-on-github\/"},"modified":"2025-09-15T16:13:44","modified_gmt":"2025-09-15T16:13:44","slug":"post-quantum-security-for-ssh-access-on-github","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/09\/15\/post-quantum-security-for-ssh-access-on-github\/","title":{"rendered":"Post-quantum security for SSH access on GitHub"},"content":{"rendered":"<p>Today, we\u2019re announcing some changes that will improve the security of accessing Git data over SSH.<\/p>\n<h2 class=\"wp-block-heading\">What\u2019s changing?<\/h2>\n<p>We\u2019re adding a new post-quantum secure SSH key exchange algorithm, known alternately as sntrup761x25519-sha512 and sntrup761x25519-sha512@openssh.com, to our SSH endpoints for accessing Git data.<\/p>\n<p>This only affects SSH access and doesn\u2019t impact HTTPS access at all.<\/p>\n<p>It also does not affect GitHub Enterprise Cloud with data residency in the United States region.<\/p>\n<h2 class=\"wp-block-heading\">Why are we making these changes?<\/h2>\n<p>These changes will keep your data secure both now and far into the future by ensuring they are protected against future decryption attacks carried out on quantum computers.<\/p>\n<p>When you make an SSH connection, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Key_exchange\">key exchange algorithm<\/a> is used for both sides to agree on a secret. The secret is then used to generate encryption and integrity keys. 
While today\u2019s key exchange algorithms are secure, new ones are being introduced that are secure against <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cryptanalytic_attack\">cryptanalytic attacks<\/a> carried out by quantum computers.<\/p>\n<p>We don\u2019t know if it will ever be possible to produce a quantum computer powerful enough to break traditional key exchange algorithms. Nevertheless, an attacker could save encrypted sessions now and, if a suitable quantum computer is built in the future, decrypt them later. This is known as a \u201c<a href=\"https:\/\/www.nist.gov\/cybersecurity\/what-post-quantum-cryptography\">store now, decrypt later<\/a>\u201d attack.<\/p>\n<p>To protect your traffic to GitHub when using SSH, we\u2019re rolling out a hybrid post-quantum key exchange algorithm: sntrup761x25519-sha512 (also known by the older name sntrup761x25519-sha512@openssh.com). This provides security against quantum computers by combining a new post-quantum-secure algorithm, <a href=\"https:\/\/ntruprime.cr.yp.to\/\">Streamlined NTRU Prime<\/a>, with the classical <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_Diffie%E2%80%93Hellman\">Elliptic Curve Diffie-Hellman<\/a> algorithm using the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Curve25519\">X25519 curve<\/a>. Even though these post-quantum algorithms are newer and thus have received less testing, combining them with the classical algorithm ensures that security won\u2019t be weaker than what the classical algorithm provides.<\/p>\n<p>These changes are rolling out to <a href=\"http:\/\/github.com\/\">github.com<\/a> and non-US resident GitHub Enterprise Cloud regions. 
Only FIPS-approved cryptography may be used within the US region, and this post-quantum algorithm isn\u2019t approved by FIPS.<\/p>\n<h2 class=\"wp-block-heading\">When are these changes effective?<\/h2>\n<p>We\u2019ll enable the new algorithm on September 17, 2025 for GitHub.com and GitHub Enterprise Cloud with data residency (with the exception of the US region).<\/p>\n<p>This will also be included in GitHub Enterprise Server 3.19.<\/p>\n<h2 class=\"wp-block-heading\">How do I prepare?<\/h2>\n<p>This change only affects connections with a Git client over SSH. If your Git remotes start with https:\/\/, you won\u2019t be impacted by this change.<\/p>\n<p>For most uses, the new key exchange algorithm won\u2019t result in any noticeable change. If your SSH client supports sntrup761x25519-sha512@openssh.com or sntrup761x25519-sha512 (for example, OpenSSH 9.0 or newer), it will automatically choose the new algorithm by default if your client prefers it. No configuration change should be necessary unless you modified your client\u2019s defaults.<\/p>\n<p>If you use an older SSH client, your client should fall back to an older key exchange algorithm. That means you won\u2019t experience the security benefits of using a post-quantum algorithm until you upgrade, but your SSH experience should continue to work as normal, since the SSH protocol automatically picks an algorithm that both sides support.<\/p>\n<p>If you want to test whether your version of OpenSSH supports this algorithm, you can run the following command: ssh -Q kex. 
That lists all of the key exchange algorithms supported, so if you see sntrup761x25519-sha512 or sntrup761x25519-sha512@openssh.com, then it\u2019s supported.<\/p>\n<p>To check which key exchange algorithm OpenSSH uses when you connect to GitHub.com, run the following command on Linux, macOS, Git Bash, or other Unix-like environments:<\/p>\n<p>$ ssh -v git@github.com exit 2&gt;&amp;1 | grep 'kex: algorithm:'<\/p>\n<p>For other implementations of SSH, please see the documentation for that implementation.<\/p>\n<h2 class=\"wp-block-heading\">What\u2019s next?<\/h2>\n<p>We\u2019ll keep an eye on the latest developments in security. As the SSH libraries we use begin to support additional post-quantum algorithms, including ones that comply with FIPS, we\u2019ll update you on our offerings.<\/p>\n<p>The post <a href=\"https:\/\/github.blog\/engineering\/platform-security\/post-quantum-security-for-ssh-access-on-github\/\">Post-quantum security for SSH access on GitHub<\/a> appeared first on <a href=\"https:\/\/github.blog\/\">The GitHub Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Today, we\u2019re announcing some changes that will improve the security of accessing Git data over SSH. What\u2019s changing? 
We\u2019re adding [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[8],"tags":[],"class_list":["post-2480","post","type-post","status-publish","format-standard","hentry","category-github-engineering"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2480"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2480\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}