TD0259:  NIT Technical Decision for Support for X509 ssh rsa authentication IAW RFC 6187

Publication Date
2017.11.13

Protection Profiles
CPP_FW_v2.0, CPP_FW_V2.0E, CPP_ND_V2.0, CPP_ND_V2.0E

Other References
FCS_SSHC_EXT.1.5/FCS_SSHS_EXT.1.5

Issue Description

The NIT issued a technical decision for support for X509 ssh rsa authentication IAW RFC 6187.

Resolution

Updated 03/09/2018 to add FWcPP 2.0.

In addition to adding x509v3-ssh-rsa and x509v3-rsa2048-sha256 to FCS_SSHC_EXT.1.5 and FCS_SSHS_EXT.1.5, the NIT proposes to merge the two selections. FCS_SSHC_EXT.1.5 and FCS_SSHS_EXT.1.5 shall therefore be modified as follows:

"FCS_SSHC_EXT.1.5/FCS_SSHS_EXT.1.5 The TSF shall ensure that the SSH public-key based authentication implementation uses [selection: ssh-rsa, ecdsa-sha2-nistp256, x509v3-ssh-rsa, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-rsa2048-sha256] as its public key algorithm(s) and rejects all other public key algorithms."

The application note for FCS_SSHC_EXT.1.5 shall be modified as follows:

"If x509v3-ssh-rsa, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521 or x509v3-rsa2048-sha256 are selected, then the list of trusted certification authorities must be selected in FCS_SSHC_EXT.1.9 and the FIA_X509_EXT SFRs in Appendix B are applicable.

It is recommended to configure the TOE to reject presented RSA keys with a key length below 2048 bit."

The application note for FCS_SSHS_EXT.1.5 shall be modified as follows:

"If x509v3-ssh-rsa, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521 or x509v3-rsa2048-sha256 are selected, then the FIA_X509_EXT SFRs in Appendix B are applicable.

It is recommended to configure the TOE to reject presented RSA keys with a key length below 2048 bit."

The application note for FCS_SSHC_EXT.1.9 shall be modified as follows:

"The list of trusted certification authorities can only be selected if x509v3-ssh-rsa, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521 or x509v3-rsa2048-sha256 are selected in FCS_SSHC_EXT.1.5."

For further information, please see the NIT interpretation at https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201719rev3.pdf
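
The following Python example is added here and is not part of the NIAP decision or of any product's code: it applies the merged selection as an allow-list to an SSH wire-format public key blob and applies the recommended 2048-bit minimum to `ssh-rsa` keys. It assumes all nine algorithms were selected; the names `check_public_key`, `ssh_string` and `rsa_blob` are hypothetical, and for `x509v3-*` algorithms the key sits inside the certificate, so its length is left to certificate validation.

```python
import struct

# Selection list of FCS_SSHC_EXT.1.5/FCS_SSHS_EXT.1.5 as modified by TD0259.
# Assumption: every algorithm in the selection was chosen in the ST.
ALLOWED = frozenset({
    "ssh-rsa", "ecdsa-sha2-nistp256", "x509v3-ssh-rsa", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "x509v3-ecdsa-sha2-nistp256",
    "x509v3-ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp521",
    "x509v3-rsa2048-sha256",
})
MIN_RSA_BITS = 2048  # minimum recommended by the application notes

def _read_string(buf, off):
    """Read one RFC 4251 string (uint32 length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated data field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def check_public_key(blob):
    """Return (accepted, reason) for an SSH wire-format public key blob."""
    try:
        name, off = _read_string(blob, 0)
        alg = name.decode("ascii")
        if alg not in ALLOWED:
            return False, "algorithm not in selection"
        if alg == "ssh-rsa":  # RFC 4253: string name, mpint e, mpint n
            _e, off = _read_string(blob, off)
            n, off = _read_string(blob, off)
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA modulus is {bits} bits"
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"malformed key blob: {exc}"
    if alg.startswith("x509v3-"):
        return True, "certificate validation still required"
    return True, "ok"

def ssh_string(b):
    """Encode bytes as an RFC 4251 string."""
    return struct.pack(">I", len(b)) + b

def rsa_blob(bits):
    """Constructed sample blob (not a real key): modulus with exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1
    mp = lambda v: ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return ssh_string(b"ssh-rsa") + mp(65537) + mp(n)
```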

Justification

See issue description.

 
 