Move to stronger (PQ) signing for APK repos

Theoretical cost estimates for breaking ECC have decreased sufficiently that, at a minimum, signing APK repos with ECDSA P-256 will soon be insufficient, i.e. within the next two years (otherwise MITM/PITM or supply-chain attacks become 'practical'). ECDSA shall now be regarded as a legacy algorithm, but bumping keys to P-521 is an acceptable short-term change.

Edit: signed package lists are a decent protection against this, but present signing keys are within reach of brute forcing.

ML-DSA (Dilithium) and FN-DSA (Falcon) are suitable signing choices. ML-DSA shows orders of magnitude faster signing and verification speeds than ECDSA P-521.


On the same note, and arguably as important, would be having the SSH key exchange done with either mlkem or sntrup by default.

I know OpenSSH already supports PQ; I'm unsure about Dropbear or whether there are any plans for OpenWrt to switch.

ssh: Available ciphers: chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr

Yes. Anything which traverses a monitorable network is vulnerable to store-now-decrypt-later. So passwords should be rotated more frequently, and SSH should not be used alone but inside a tunnel, e.g. WireGuard.

Cloudflare also got the memo:


Dropbear has both mlkem and sntrup; not sure if it is already enabled.

Looks like both are enabled by default:


@efahl Mlkem768 is missing from 25.12.2


root@OPNsense:~ # ssh -oKexAlgorithms=mlkem768x25519-sha256 openwrt
Unable to negotiate with 192.168.11.111 port 22: no matching key exchange method found. Their offer: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,kexguess2@matt.ucc.asn.au,kex-strict-s-v00@openssh.com

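The test above relies on reading the "Their offer:" line by eye. The following is an added example (not code from this thread, OpenWrt or Dropbear) that parses that failure line, or the "peer server KEXINIT proposal" block that `ssh -vv` prints, and reports whether the server offers a post-quantum hybrid KEX and which of the wanted ones is missing. The two sample outputs are constructed for the example (the first reuses the offer quoted above), the set of PQ hybrid names is what current OpenSSH/Dropbear releases use and should be extended from your own `ssh -Q kex`, and `probe_server` is a convenience wrapper around the real client that needs a reachable host.

```python
"""Check which SSH key-exchange (KEX) methods a server offers and whether any
post-quantum hybrid is among them.  Added example for this thread; it is not
OpenWrt, OpenSSH or Dropbear code.  It understands two OpenSSH client output
forms: the 'Their offer:' negotiation-failure line, and the
'peer server KEXINIT proposal' block printed by 'ssh -vv'."""
import re
import subprocess

# PQ hybrid KEX names as advertised by current OpenSSH and Dropbear releases
# (assumed list; extend it from the output of 'ssh -Q kex' on your client).
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
    "mlkem768x25519-sha256",
    "mlkem768nistp256-sha256",
    "mlkem1024nistp384-sha384",
}

# Entries in a KEX list that are negotiation markers, not key-exchange methods.
MARKER_PREFIXES = ("kex-strict-", "kexguess2@", "ext-info-")

THEIR_OFFER_RE = re.compile(r"Their offer:\s*(\S+)")
PEER_KEX_RE = re.compile(
    r"peer server KEXINIT proposal\s*\n\s*debug2: KEX algorithms:\s*(\S+)")
NEGOTIATED_RE = re.compile(r"kex: algorithm:\s*(\S+)")


def parse_server_kex(ssh_stderr):
    """Return the server's KEX list, in the order it was offered."""
    m = PEER_KEX_RE.search(ssh_stderr) or THEIR_OFFER_RE.search(ssh_stderr)
    if not m:
        raise ValueError("no server KEX proposal found in ssh output")
    return m.group(1).split(",")


def negotiated_kex(ssh_stderr):
    """Return the KEX the client actually chose ('ssh -v' line), or None."""
    m = NEGOTIATED_RE.search(ssh_stderr)
    return m.group(1) if m else None


def classify_kex(offered):
    """Split an offer into PQ hybrids, classical methods and negotiation markers."""
    methods = [k for k in offered if not k.startswith(MARKER_PREFIXES)]
    return {
        "pq": [k for k in methods if k in PQ_HYBRID_KEX],
        "classic": [k for k in methods if k not in PQ_HYBRID_KEX],
        "markers": [k for k in offered if k.startswith(MARKER_PREFIXES)],
    }


def assess(ssh_stderr, wanted=("mlkem768x25519-sha256", "sntrup761x25519-sha512")):
    """Summarise PQ readiness: what is offered, what was chosen, what is missing."""
    offered = parse_server_kex(ssh_stderr)
    groups = classify_kex(offered)
    chosen = negotiated_kex(ssh_stderr)
    return {
        "offers_pq": bool(groups["pq"]),
        "pq": groups["pq"],
        "classic": groups["classic"],
        "negotiated": chosen,
        "negotiated_is_pq": (chosen in PQ_HYBRID_KEX) if chosen else None,
        "missing": [k for k in wanted if k not in offered],
    }


def probe_server(host, port=22, user="root"):
    """Run the real client with -vv.  KEX is negotiated before authentication,
    so no login is needed.  Needs network access and an ssh binary; not run here."""
    cmd = ["ssh", "-vv", "-p", str(port),
           "-oBatchMode=yes", "-oConnectTimeout=5",
           "-oUserKnownHostsFile=/dev/null", "-oStrictHostKeyChecking=no",
           f"{user}@{host}", "true"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return assess(proc.stderr)


# Constructed sample 1: the negotiation failure quoted earlier in the thread.
SAMPLE_FAILURE = (
    "Unable to negotiate with 192.168.11.111 port 22: no matching key exchange "
    "method found. Their offer: sntrup761x25519-sha512,"
    "sntrup761x25519-sha512@openssh.com,curve25519-sha256,"
    "curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,"
    "kexguess2@matt.ucc.asn.au,kex-strict-s-v00@openssh.com\n"
)

# Constructed sample 2: the relevant lines of an 'ssh -vv' run against a server
# that does offer ML-KEM (not a real capture).
SAMPLE_VERBOSE = (
    "debug2: peer server KEXINIT proposal\n"
    "debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,"
    "curve25519-sha256,kex-strict-s-v00@openssh.com\n"
    "debug2: host key algorithms: ssh-ed25519\n"
    "debug1: kex: algorithm: mlkem768x25519-sha256\n"
)

if __name__ == "__main__":
    for name, text in (("failure", SAMPLE_FAILURE), ("verbose", SAMPLE_VERBOSE)):
        print(name, assess(text))
```

Forcing the failure form, as done above with `-oKexAlgorithms=...`, only works when the client supports the algorithm you name and the server does not; parsing the `-vv` proposal block works regardless of what either side has enabled, and also tells you which method was actually negotiated rather than merely offered.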

Right, the comments are misleading and the default is actually not set. Here's what I see when I generate a default config (make defconfig): it shows just the SNTRUP code is enabled (this is on a !SMALL_FLASH device).

$ grep -E 'SNTRUP|MLKEM' .config
# CONFIG_DROPBEAR_MLKEM768 is not set
CONFIG_DROPBEAR_SNTRUP761=y

Someone should check the code size bump and, if it's reasonable, PR a change to add it...
