NIAP: View Technical Decision Details
Archived TD0332:  Support for RSA SHA2 host keys

Publication Date
2018.06.08

Protection Profiles
PP_SSH_EP_v1.0

Other References
FCS_SSHC_EXT.1.4, FCS_SSHS_EXT.1.4

Issue Description

The rsa-sha2-512 and rsa-sha2-256 public key algorithms were standardized in March 2018 as RFC 8332, but are not included in the SSH EP.

Resolution

 

This TD supersedes TD0313.

FCS_SSHC_EXT.1.4 is modified as follows:

FCS_SSHC_EXT.1.4   The SSH client shall ensure that the SSH transport implementation uses [selection: ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256] and [selection: ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, no other public key algorithms] as its public key algorithm(s) and rejects all other public key algorithms.

The application note is updated as follows:

Application Note: Implementations that select only ssh-rsa will not achieve the 112-bit security strength in the digital signature generation for SSH authentication as is recommended in NIST SP 800-131A. Future versions of this document may remove ssh-rsa as a selection. If x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384 are selected, then the list of trusted certification authorities must be selected in FCS_SSHC_EXT.1.8.  RFC 8332 specifies the use of rsa-sha2-256 or rsa-sha2-512 in SSH. The SFRs for cryptographic key generation and certificate validation are inherited from the base PP.

FCS_SSHS_EXT.1.4 is modified as follows:

FCS_SSHS_EXT.1.4  The SSH server shall ensure that the SSH transport implementation uses [selection: ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256] and [selection: ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, no other public key algorithms] as its public key algorithm(s) and rejects all other public key algorithms.

The application note is updated as follows:

Application Note: Implementations that select only ssh-rsa will not achieve the 112-bit security strength in the digital signature generation for SSH authentication as is recommended in NIST SP 800-131A. Future versions of this profile may remove ssh-rsa as a selection. RFC 8332 specifies the use of rsa-sha2-256 or rsa-sha2-512 in SSH.  The SFRs for cryptographic key generation and certificate validation are inherited from the base PP.

There are no changes to the Assurance Activities.
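
The following is an added example, not part of the TD or of any NIAP material. It reads the server_host_key_algorithms name-list from an SSH_MSG_KEXINIT payload (layout per RFC 4253) and compares it with the two selections above. The function names and the sample payload builder are constructed for this illustration.

```python
import struct

# Names copied from the two selections in FCS_SSHC_EXT.1.4 / FCS_SSHS_EXT.1.4.
SELECTION_1 = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256"}
SELECTION_2 = {"ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp256",
               "x509v3-ecdsa-sha2-nistp384"}
ALLOWED = SELECTION_1 | SELECTION_2
SSH_MSG_KEXINIT = 20  # RFC 4253 message number


def _name_list(buf, off):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII)."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("name-list runs past end of payload")
    text = buf[off + 4:end].decode("ascii")
    return (text.split(",") if text else []), end


def host_key_algorithms(payload):
    """Return server_host_key_algorithms from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # 1-byte message type + 16-byte cookie
    _, off = _name_list(payload, off)   # kex_algorithms (skipped)
    algs, _ = _name_list(payload, off)  # server_host_key_algorithms
    return algs


def check_td0332(algs):
    """Compare an offered host key algorithm list with the TD0332 selections."""
    offered = set(algs)
    return {
        "not_permitted": sorted(offered - ALLOWED),      # must be rejected
        "has_selection_1": bool(offered & SELECTION_1),  # first selection has no "no other" option
        "ssh_rsa_only": offered == {"ssh-rsa"},          # case named in the application note
    }


def build_kexinit(kex, hostkeys):
    """Constructed sample input: only the first two of ten name-lists are filled."""
    lists = [kex, hostkeys] + [[]] * 8
    body = b"".join(struct.pack(">I", len(s)) + s
                    for s in (",".join(names).encode("ascii") for names in lists))
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)
```

Feed `host_key_algorithms` the unencrypted KEXINIT payload captured from either peer; any name reported under `not_permitted` is one the SFR requires the implementation to reject.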

Justification

See issue description.

 
 