Archived
TD0332: Support for RSA SHA2 host keys
Publication Date
2018.06.08
Protection Profiles
PP_SSH_EP_v1.0
Other References
FCS_SSHC_EXT.1.4, FCS_SSHS_EXT.1.4
Issue Description
The rsa-sha2-512 and rsa-sha2-256 algorithms were standardized in March 2018 as RFC 8332, but are not included in the SSH EP.
Resolution
This TD supersedes TD0313.

FCS_SSHC_EXT.1.4 is modified as follows:

FCS_SSHC_EXT.1.4 The SSH client shall ensure that the SSH transport implementation uses [selection: ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256] and [selection: ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, no other public key algorithms] as its public key algorithm(s) and rejects all other public key algorithms.

The application note is updated as follows:

Application Note: Implementations that select only ssh-rsa will not achieve the 112-bit security strength in the digital signature generation for SSH authentication as is recommended in NIST SP 800-131A. Future versions of this document may remove ssh-rsa as a selection. If x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384 are selected, then the list of trusted certification authorities must be selected in FCS_SSHC_EXT.1.8. RFC 8332 specifies the use of rsa-sha2-256 or rsa-sha2-512 in SSH. The SFRs for cryptographic key generation and certificate validation are inherited from the base PP.

FCS_SSHS_EXT.1.4 is modified as follows:

FCS_SSHS_EXT.1.4 The SSH server shall ensure that the SSH transport implementation uses [selection: ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256] and [selection: ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, no other public key algorithms] as its public key algorithm(s) and rejects all other public key algorithms.

The application note is updated as follows:

Application Note: Implementations that select only ssh-rsa will not achieve the 112-bit security strength in the digital signature generation for SSH authentication as is recommended in NIST SP 800-131A. Future versions of this profile may remove ssh-rsa as a selection. RFC 8332 specifies the use of rsa-sha2-256 or rsa-sha2-512 in SSH. The SFRs for cryptographic key generation and certificate validation are inherited from the base PP.

There are no changes to the Assurance Activities.
Justification
See issue description.
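
An added example (not part of the TD or the protection profile): a Python check that extracts server_host_key_algorithms from an SSH_MSG_KEXINIT payload (layout per RFC 4253) and compares it with the selections in the modified FCS_SSHC_EXT.1.4 / FCS_SSHS_EXT.1.4. The function names, the report keys and the sample payload are constructed for illustration.

```python
import struct

# Selections from FCS_SSHC_EXT.1.4 / FCS_SSHS_EXT.1.4 as modified by this TD.
FIRST_SELECTION = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256"}
SECOND_SELECTION = {"ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp256",
                    "x509v3-ecdsa-sha2-nistp384"}
ALLOWED = FIRST_SELECTION | SECOND_SELECTION
SSH_MSG_KEXINIT = 20

def name_list(buf, off):
    """Read one RFC 4251 name-list: uint32 length, then comma-separated names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("name-list runs past end of payload")
    text = buf[off + 4:end].decode("ascii")
    return (text.split(",") if text else []), end

def host_key_algorithms(payload):
    """Return server_host_key_algorithms from an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    _, off = name_list(payload, 17)    # skip type byte, 16-byte cookie, kex_algorithms
    algs, _ = name_list(payload, off)  # second name-list in the message
    return algs

def review(algs):
    """Compare an offered algorithm list with the SFR selections."""
    offered = set(algs)
    return {
        "outside_selection": sorted(offered - ALLOWED),  # must be rejected
        "first_selection_met": bool(offered & FIRST_SELECTION),
        # Application note: ssh-rsa alone does not reach 112-bit strength.
        "ssh_rsa_only": offered == {"ssh-rsa"},
    }

def sample_kexinit(hostkeys):
    """Constructed sample: zero cookie, one kex name, remaining lists empty."""
    nl = lambda names: struct.pack(">I", len(",".join(names))) + ",".join(names).encode()
    lists = [nl(["ecdh-sha2-nistp256"]), nl(hostkeys)] + [nl([])] * 8
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + b"".join(lists) + b"\x00" + bytes(4)

if __name__ == "__main__":
    offer = sample_kexinit(["ssh-rsa", "rsa-sha2-512", "ssh-dss"])
    print(review(host_key_algorithms(offer)))
```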