Rebex .NET libraries 8.0: Quantum-safe security with ML-KEM and ML-DSA, improved TLS and SSH, FIPS 140-3 mode

  |   Lukas Pokorny

First 8.0 release!

The 8.0.9673 release of Rebex components marks the official launch of the 8.0 series. The 7.0 series remain supported until June 2027, allowing enough time to upgrade your production workloads.

Quantum-safe security: ML-KEM and ML-DSA

The threat of "harvest now, decrypt later" makes early adoption of post-quantum cryptography (PQC) essential. Rebex 8.0 adds support for NIST-standardized PQC algorithms, ML-KEM and ML-DSA to TLS and SSH.

The SSH library now supports hybrid key exchange ciphers, combining standard algorithms with quantum-resistant keys: mlkem768nistp256-sha256, mlkem1024nistp384-sha384, and mlkem768x25519-sha256. The TLS library features X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024.

SSH and TLS also have experimental support for ML-DSA to secure digital signatures against future quantum attacks. S/MIME got ML-DSA support as well.

PQC algorithms are supported out-of-box on up-to-date PQC-enabled Windows with .NET Framework 3.5/4.x or .NET 5 to 10. On other platforms, a PQC plugin is needed.

New SSH/SFTP server core

Thread consumption can stall high-throughput servers. Version 8.0 of Rebex File Server library addresses this bottleneck with an architectural overhaul, and introduces a new fully asynchronous SSH and SFTP core. This reduces overall thread allocation and maximizes scalability under parallel loads. The asynchronous transition extends to authentication and other events as well.

The new SFTP core also supports the copy-data extension that facilitates server-side file copying.

FTP server support

Need FTP protocol support for communication with legacy systems? There is no need to run detached server software any more because Rebex File Server adds server-side FTP and FTPS to its capabilities. It can secure FTP traffic with TLS 1.3 or 1.2, but can still be configured for legacy plain FTP as well to maintain integration with aging internal systems and legacy devices.

Updated S/MIME security

Rebex S/MIME API got support for additional signature algorithms: post-quantum ML-DSA, ECDSA, and Ed25519. It also got support for AEAD symmetric encryption ciphers: AES/GCM and ChaCha20/Poly1305.

More TLS features

Brainpool curves are now supported in TLS 1.3 as well. Client-side OCSP stapling support is another improvement, which improves the performance and privacy of certificate revocation checking by allowing the server to send a signed OCSP response during the TLS handshake, eliminating the need for the client to contact the certificate authority directly.

FIPS 140-3 mode and cryptography updates

Instead of FIPS 140-2, the UseFipsAlgorithmsOnly setting now enables FIPS 140-3 mode, which limits usage of cryptographic algorithms, and forces usage of cryptographic modules to those provided by .NET or the operating system. We also migrated from the legacy CryptoAPI to the new Windows CNG API. Additionally, HKDF key derivation in XtsStream and FileEncryption classes has been updated to support SHA-2 family of hashes.

New HTTP client core

Rebex HTTPS, Graph, EWS and WebSocket libraries feature a new HTTP client core that has been upgraded to fully asynchronous mode, making it less thread-hungry and more scalable.

Terminal control improvements

The new version of SSH Shell library and TerminalControl supports East Asian full-width characters alongside Unicode surrogate pairs. Prompt detection has been improved, and multi-line text matching is supported.

Major Graph API updates

Rebex Graph got new methods for working with attachments, and for updating a message. Many existing methods have been enhanced: messages can be deleted permanently, and subfolders can be created. The library features a new throttling support, making it easier not to overload the cloud.

API updates, changes and deprecations

In most scenarios, upgrading to version 8.0 is simple and straightforward. However, the new version of Rebex libraries does introduce some breaking changes, either due to abandoning long-deprecating APIs, for security reasons, or to fix compatibility with third-party tools. Before upgrading from 7.0, check out Version 8.0 Upgrade Guide for details.

And more...

For more information about the new release and all its enhancements, see the release history.