This update turns the SSH Extended Package into a Functional Package. This branch incorporates the CCUF version of the SSH FP into the NIAP version. Significant changes: - Removed FCS_COP and required that the PP or PP-Module that includes the package support the required algorithms. This effectively eliminated the need for TD0240. - Incorporated TD0331 - Incorporated TD0332 - Incorporated TD0420 - Incorporated TD0446 - Added audit events covering those specified in NDcPP and a couple of the ESM PPs. These are presented as optional, and can be incorporated by selection in a PP or PP-module that includes this package. (TLS should do this too). Functional Package for Secure Shell (SSH) 2.0 National Information Assurance Partnership 2024-12-12 SSH; secure shell 1.0 2021-05-13 Converted SSH EP to a Functional Package and incorporated CCUF CWG input. 2.0 2024-12-12 Updated for CC:2022 conformance, incorporated applicable errata. TDs Applied Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an untrusted network. SSH software can act as a client, server, or both. This Functional Package (FP) for Secure Shell provides a collection of SSH protocol related Security Functional Requirements (SFRs) and Evaluation Activities (EAs) covering audit, authentication, cryptographic algorithms, and protocol negotiation. The intent of this package is to provide Protection Profile (PP), collaborative Protection Profile (cPP), and Protection Profile Module (PP-Module) authors with a readily consumable collection of SFRs and EAs to be integrated into their documents. The functional components defined for this package were chosen to ensure that a conformant TOE implements SSH in a secure manner by requiring that the TSF implement protocol-specific details that are not captured in the FTP_PRO SFR family. Extended Package, TSF Interface The SSH transport layer between a client and a server. Within a connection there can be multiple sessions. Where the connection renegotiates the shared secret and each session subsequently derives a new encryption key. A discrete stream of data within a connection. Cryptographic network protocol for initiating text-based shell sessions on remote systems. The TOE in this FP is a product that acts as an SSH client, SSH server, or both. This FP describes the extended security functionality of SSH in terms of . The contents of this FP must be appropriately incorporated into a PP, cPP, or PP-Module. When this package is incorporated as such, the ST must include selection-based requirements in accordance with the selections or assignments indicated in the incorporating document. The PP, cPP, or PP-Module that instantiates this Package must typically include the following components in order to satisfy dependencies of this Package. It is the responsibility of the PP, cPP, or PP-Module author who incorporates this FP to ensure that dependence on these components is satisfied, either by the TOE or by assumptions about its OE. An ST must identify the applicable version of the PP, cPP, or PP-Module, and of this FP in its conformance claims. : Dependent Components Required for Package Functionality FCS_CKM.1 To support key generation for SSH, the PP or PP-Module must include FCS_CKM.1 and specify the corresponding algorithms. FCS_CKM.2 To support key establishment for SSH, the PP or PP-Module must include FCS_CKM.2 and specify the corresponding algorithms. FCS_COP.1 To support the cryptography needed for SSH communications, the PP or PP-Module must include FCS_COP.1 (iterating as needed) to specify AES with corresponding key sizes and modes, digital signature generation and verification function (at least one of RSA or ECDSA), a cryptographic hash function, and a keyed-hash message authentication function. In particular, the incorporating document must support AES-GCM as defined in NIST SP 800-38D with key sizes of 256 bits. FCS_RBG.1 To support random bit generation needed for SSH key generation, the PP or PP-Module must include FCS_RBG.1 or an extended SFR that defines comparable functionality. FIA_X509_EXT.1 To support establishment of SSH communications using a public key algorithm that includes X.509, the PP or PP-Module must include FIA_X509_EXT.1. Note however that support for X.509 is selectable and not mandatory. FIA_X509_EXT.2 To support establishment of SSH communications using a public key algorithm that includes X.509, the PP or PP-Module must include FIA_X509_EXT.2. Note however that support for X.509 is selectable and not mandatory. FPT_STM.1 To support establishment of SSH communications using a public key algorithm that includes X.509, the PP or PP-Module must include FPT_STM.1 or some other requirement that ensures reliable system time. Note however that support for time-based rekey thresholds is selectable and not mandatory. An ST must claim exact conformance to this FP. The evaluation methods used for evaluating the TOE are a combination of the workunits defined in as well as the EAs for ensuring that individual SFRs have a sufficient level of supporting evidence in the ST and guidance documentation, and have been sufficiently tested by the laboratory as part of completing ATE_IND.1. This FP is conformant to Part 2 (extended) of Common Criteria CC:2022, Revision 1. FPs do not contain any SARs, so no CC Part 3 claim is made. The This FP does not claim conformance to any PP. PP-Configurations do not require enumeration of FPs; this FP can be claimed in any PP-Configuration that includes a PP or PP-Module that permits the FP to be claimed as part of it. This FP does not claim conformance to any other FPs. The auditable events specified in this Package are included in an ST if the incorporating PP, cPP, or PP-Module supports audit event reporting through FAU_GEN.1, and if all other criteria in the incorporating PP or PP-Module are met. : Auditable Events for Mandatory SFRs This family defines requirements for implementation of the SSH protocol that goes beyond the level of detail specified for trusted communications in CC Part 2. requires the TSF to specify the details of its SSH protocol implementation. No specific management functions are identified. The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP, PP-Module, FP, or ST: Failure to establish SSH connection Establishment of SSH connection Termination of SSH connection Dropping of packets outside defined size limits FCS_CKM.1 Cryptographic Key Generation FCS_CKM.2 Cryptographic Key Derivation FCS_COP.1 Cryptographic Operation FCS_RBG.1 Random Bit Generation The following mapping is provided as a guide to ST authors to ensure the appropriate RFC selections are made based on applicable selections in subsequent SFRs. RFC 4256: Select for keyboard-interactive authentication RFC 4344: Select for AES-256-CTR RFC 5647: Select for AEAD_AES_256_GCM or aes256-gcm@openssh.com RFC 5656: Select for elliptic curve cryptography (ECC) RFC 6187: Select for X.509 certificate use RFC 6668: Select for HMAC-SHA-2 algorithms RFC 8268: Select for FFC DH groups with SHA-2 RFC 8308: Select if RFC 8332 is selected RFC 8332: Select if SHA-2 is available with ssh-rsa The ST author selects the additional RFCs to which conformance is being claimed. An SSH product can implement additional RFCs, but only those listed in the selection can be claimed as conformant under CC. The RFC selections for this requirement must be consistent with selections in later elements of this FP (e.g., cryptographic algorithms permitted). For the purposes of this package (and subsequent integration into cPPs), only the claimed algorithms listed in the package must be enabled for use. RFC 4251 defines support for the general implementation of the SSH protocol. RFC 4252 defines support for the required SSH authentication method. RFC 4253 indicates that certain cryptographic algorithms are "REQUIRED." This means that from the Internet Engineering Task Force's perspective, the implementation must include support, not that the algorithms must be enabled for use. For the purposes of this SFR's EA and this FP overall, it is not necessary to ensure that algorithms listed as "REQUIRED" by the RFC but not listed in later elements of this FP are actually implemented. RFC 4254 defines support for the general implementation of the SSH connection protocol. RFC 4256 must be selected if "keyboard-interactive" is selected in FCS_SSH_EXT.1.2. RFC 4344 must be selected if aes256-ctr is selected in FCS_SSH_EXT.1.4. RFC 5647 must be selected when AEAD_AES_256_GCM or aes256-gcm@openssh.com is selected as an encryption algorithm in FCS_SSH_EXT.1.4 and when AEAD_AES_256_GCM is selected as a MAC algorithm in FCS_SSH_EXT.1.5. RFC 5656 must be selected when ecdsa-sha2-nistp384 or ecdsa-sha2-nistp521 is selected as a public key algorithm in FCS_SSH_EXT.1.2, or when ecdh-sha2-nistp384 or ecdh-sha2-nistp521 is selected as a key exchange algorithm in FCS_SSH_EXT.1.6, or when "RFC 5656" is selected in FCS_SSH_EXT.1.7. RFC 6187 must be selected when x509v3-ecdsa-sha2-nistp384 or x509v3-ecdsa-sha2-nistp521 is selected as a public key algorithm in FCS_SSH_EXT.1.2. RFC 6668 must be selected when hmac-sha2-512 is selected as a MAC algorithm in FCS_SSH_EXT.1.5. RFC 8268 must be selected when diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, or diffie-hellman-group18-sha512 is selected as a key exchange algorithm in FCS_SSH_EXT.1.6. RFC 8308 defines support for secure negotiation of protocol extensions, and must be claimed when RFC 8332 is claimed. RFC 8332 must be selected when rsa-sha2-512 is selected as a public key algorithm in FCS_SSH_EXT.1.2. If "client" is selected, then the ST must include FCS_SSHC_EXT.1. If "server" is selected, then the ST must include FCS_SSHS_EXT.1. The evaluator shall ensure that the selections indicated in the ST are consistent with selections in this element and subsequent element. Otherwise, this SFR is evaluated by activities for other SFRs. There are no guidance EAs for this element. This SFR is evaluated by activities for other SFRs. There are no test EAs for this element. This SFR is evaluated by activities for other SFRs. Within SSH there are two types of authentication: user authentication and peer authentication. This SFR deals with the options supported for user authentication. Peer authentication is covered in FCS_SSHC_EXT.1.1 (for clients) and FCS_SSHS_EXT.1.1 (for servers). The evaluator shall check to ensure that: the authentication methods listed in the TSS are identical to those claimed in this element; if password-based authentication methods have been claimed in the ST, then the TSS also describes these The evaluator shall check the guidance documentation to ensure the configuration options, if any, for authentication mechanisms provided by the TOE are described. [conditional] If the TOE is acting as an SSH server: The evaluator shall use a suitable SSH client to connect to the TOE, enable debug messages in the SSH client, and examine the debug messages to determine that only the configured authentication methods for the TOE were offered by the server. [conditional] If the SSH server supports X.509-based client authentication options: The evaluator shall initiate an SSH session from a client where the username is associated with the X.509 certificate. The evaluator shall verify the session is successfully established. Next, the evaluator shall use the same X.509 certificate as above, but include a username not associated with the certificate. The evaluator shall verify that the session does not establish. Finally, the evaluator shall use the correct username (from step a above), but use a different X.509 certificate which is not associated with the username. The evaluator shall verify that the session does not establish. If the TOE supports keyboard-interactive password authentication, the evaluator shall verify that the TOE issues an authentication challenge to the SSH client for each supported method when the client specifies the use of a keyboard-interactive method. For each supported authentication method, the evaluator shall verify that an SSH client can be used to establish a session with the TOE while using the supported method. For each supported authentication method, the evaluator shall use an SSH client provided with bad authentication data (e.g., incorrectly generated certificate or incorrect password) and verify that the connection is rejected. [conditional] If the TOE is acting as an SSH client, the evaluator shall initiate an SSH session using each supported authentication method and verify that the session is successfully established. Specifically, if password authentication is supported, then the evaluator shall use interactive, noninteractive, or both, depending on the claims made in FCS_SSH_EXT.1.2. If public key authentication is supported, then the evaluator shall use each supported algorithm claimed in FCS_SSH_EXT.1.2. [conditional] If the TOE is acting as an SSH client, the evaluator shall verify that the connection fails upon configuration mismatch as follows: The evaluator shall configure the client with an authentication method not supported by the server. The evaluator shall verify that the connection fails. If the client supports only one authentication method, the evaluator can test this failure of connection by configuring the server with an authentication method not supported by the client. In order to facilitate this test, it is acceptable for the evaluator to configure an authentication method that is outside of the selections in the SFR. RFC 4253, Section 6.1 provides for the acceptance of “large packets” with the caveat that the packets should be of “reasonable length” or dropped. The ST author should fill in the assignment with the maximum packet size accepted, thus defining "reasonable length for the TOE.. The upper bound on the packet size is driven by the size identified in FCS_SSH_EXT.1.8. The evaluator shall check that the TSS describes how “large packets” are detected and handled. There are no guidance EAs for this element. The evaluator shall demonstrate that the TOE accepts the maximum allowed packet size. This test is performed to verify that the TOE drops packets that are larger than the size specified in the element. The evaluator shall establish a successful SSH connection with the peer. Next, the evaluator shall craft a packet that is slightly larger than the maximum size specified in this element and send it through the established SSH connection to the TOE. The packet should not be greater than the maximum packet size plus 16 bytes. If the packet is larger, the evaluator shall justify the need to send a larger packet. The evaluator shall verify that the packet was dropped by the TOE. The method of verification will vary by the TOE. Examples include reviewing the TOE audit log for a dropped packet audit or observing that the TOE terminates the connection. As described in RFC 5647, AEAD_AES_256_GCM needs the corresponding MAC algorithm to be selected in FCS_SSH_EXT.1.5. The evaluator shall check the description of the implementation of SSH in the TSS to ensure the encryption algorithms supported are specified. The evaluator shall check the TSS to ensure that the encryption algorithms specified are identical to those listed for this element. The evaluator shall check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed mechanisms are used in SSH connections with the TOE. The evaluator shall perform the following tests. If the TOE can be both a client and a server, these tests must be performed for both roles. The evaluator shall ensure that only claimed algorithms and cryptographic primitives are used to establish an SSH connection. To verify this, the evaluator shall establish an SSH connection with a remote endpoint. The evaluator shall capture the traffic exchanged between the TOE and the remote endpoint during protocol negotiation (e.g., using a packet capture tool or information provided by the endpoint, respectively). The evaluator shall verify from the captured traffic that the TOE offers only the algorithms defined in the ST for the TOE for SSH connections. The evaluator shall perform one successful negotiation of an SSH connection and verify that the negotiated algorithms were included in the advertised set. If the evaluator detects that not all algorithms defined in the ST for SSH are advertised by the TOE or the TOE advertises additional algorithms not defined in the ST for SSH, the test shall be regarded as failed. The data collected from the connection above shall be used for verification of the advertised hashing and shared secret establishment algorithms in FCS_SSH_EXT.1.5 and FCS_SSH_EXT.1.6 respectively. For the connection established in Test 1, the evaluator shall terminate the connection and observe that the TOE terminates the connection. The evaluator shall configure the remote endpoint to only allow a mechanism that is not included in the ST selection. The evaluator shall attempt to connect to the TOE and observe that the attempt fails. As described in RFC 5647, AEAD_AES_256_GCM needs the corresponding encryption algorithm to be selected. In AES-GCM mode, integrity is not provided using a MAC, it is implicit in the AES-GCM mode itself. There is no need for a corresponding FCS_COP element. The FCS_COP element for AES would already cover this. If the negotiated encryption algorithm is aes256-gcm@openssh.com algorithms, then the MAC field is ignored during negotiation and AES-GCM is implicitly selected for the MAC. The selection “implicit” is not an SSH identifier and will not be seen on the wire; however, the negotiated MAC might be decoded as “implicit.” The evaluator shall check the description of the implementation of SSH in the TSS to ensure the hashing algorithms supported are specified. The evaluator shall check the TSS to ensure that the hashing algorithms specified are identical to those listed for this element. The evaluator shall check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed mechanisms are used in SSH connections with the TOE. The evaluator shall use the test data collected in FCS_SSH_EXT.1.4, Test 1 to verify that appropriate mechanisms are advertised. The evaluator shall configure an SSH peer to allow only a hashing algorithm that is not included in the ST selection. The evaluator shall attempt to establish an SSH connection and observe that the connection is rejected. The values "strict-kex-c-v00@openssh.com" and "strict-kex-s-v00@openssh.com" may also be present in the key exchange offering. These values are used to protect against SSH prefix data truncation (i.e. Terrapin attack). These values are used to ensure that key exchange proceeds in an appropriate order; they are not exchange methods in and of themselves. The evaluator shall check the description of the implementation of SSH in the TSS to ensure the shared secret establishment algorithms supported are specified. The evaluator shall check the TSS to ensure that the shared secret establishment algorithms specified are identical to those listed for this element. The evaluator shall check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed mechanisms are used in SSH connections with the TOE. The evaluator shall use the test data collected in FCS_SSH_EXT.1.4, Test 1 to verify that appropriate mechanisms are advertised. Note that it is permissible for the TOE to advertise the "strict-kex-c-v00@openssh.com" or "strict-kex-s-v00@openssh.com" value alongside the other key exchange mechanisms. These values are associated with client and server, respectively. The evaluator shall configure an SSH peer to allow only a key exchange method that is not included in the ST selection. The evaluator shall attempt to establish an SSH connection and observe that the connection is rejected. The evaluator shall configure the SSH peer to omit the strict-kex value from the kex_algorithms field. The evaluator shall verify that the TOE is able to successfully establish a connection with the SSH peer. The evaluator shall configure the SSH peer to include the strict-kex value in the kex_algorithms field. The evaluator shall verify that the TOE is able to successfully establish a connection with the SSH peer. RFC 4253 must be selected when the key establishment scheme (selected in FCS_SSH_EXT.1.6) uses finite field cryptography (FFC) and RFC 5656 when it uses ECC. RFC 4253, Section 7.2 defines two KDFs for FFC-based key establishment schemes. Therefore, RFC 4253 should be selected if any of the RFC 4253 or RFC 8268 key establishment schemes are selected. The evaluator shall check the description of the implementation of SSH in the TSS to ensure the supported KDFs are specified. The evaluator shall check the TSS to ensure that the KDFs specified are identical to those listed for this element. There are no guidance EAs for this element. There are no test EAs for this element. This SFR defines three thresholds that need to be implemented. These thresholds were arrived at to ensure that the cryptographic key space for the symmetric session keys is not exhausted (more detail can be found in RFC 4344 and RFC 4253). A rekey or connection termination needs to be performed whenever a threshold is reached for a given connection. The rekey applies to all session keys (encryption, integrity protection) for incoming and outgoing traffic. It is acceptable for a TOE to implement lower thresholds than the maximum values defined in the SFR. If a threshold is configurable, the guidance documentation needs to specify how to configure that threshold. It is possible that hardware limitations may prevent reaching the data transfer threshold in less than one hour. In cases where the data transfer threshold could not be reached due to hardware limitations, it is acceptable to omit testing of this (SSH rekeying based on data transfer threshold). See EAs for details. The evaluator shall check the TSS to ensure that if the TOE enforces connection rekey or termination limits lower than the maximum values, that these lower limits are identified. In cases where hardware limitation will prevent reaching the data transfer threshold in less than one hour, the evaluator shall check the TSS to ensure it contains: An argument describing this hardware-based limitation and Identification of the hardware components that form the basis of such argument. For example, if a specific Ethernet Controller or Wi-Fi radio chip is the root cause of such limitation, these subsystems shall be identified. The evaluator shall check the guidance documentation to ensure that if the connection rekey or termination limits are configurable, it contains instructions to the administrator on how to configure the relevant connection rekey or termination limits for the TOE. The evaluator shall ensure that the test harness is configured so that its connection rekey or termination limits are greater than the limits supported by the TOE. It is expected that the test harness should not be initiating the connection rekey or termination. The evaluator shall establish an SSH connection, wait until the identified connection rekey limit is met, and observe that a connection rekey or termination is initiated. This may require traffic to periodically be sent or a keep-alive setting for the connection to be applied to ensure that the connection is not closed due to an idle timeout. The evaluator shall establish an SSH connection, transmit data from the TOE until the identified connection rekey or termination limit is met, and observe that a connection rekey or termination is initiated. The evaluator shall establish an SSH connection, send data to the TOE until the identified connection rekey limit or termination is met, and observe that a connection rekey or termination is initiated. Failure to establish SSH connection Reason for failure and non-TOE endpoint of attempted connection (IP Address) Establishment of SSH connection Non-TOE endpoint of connection (IP Address) Termination of SSH connection session Non-TOE endpoint of connection (IP Address) Dropping of packets outside defined size limits Packet size This family defines requirements for implementation of the SSH protocol when the TSF is acting as a client. requires the TSF to specify the details of its SSH client implementation. No specific management functions are identified. There are no auditable events foreseen. FCS_SSH_EXT.1 SSH Protocol The local database may be implemented using any equivalent local storage mechanism. Validation of X.509 certificates is expected to conform to the Functional Package for X.509. There are no TSS EAs for this component. The evaluator shall check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed mechanisms are used in SSH connections with the TOE. The evaluator shall perform the following tests: [conditional] If using a local database by associating each host name with its corresponding public key, the evaluator shall configure the TOE with only a single host name and corresponding public key in the local database. The evaluator shall verify that the TOE can successfully connect to the host identified by the host name. [conditional] If using a local database by associating each host name with its corresponding public key, the evaluator shall configure the TOE with only a single host name and non-corresponding public key in the local database. The evaluator shall verify that the TOE fails to connect to the configured host due to a public key mismatch. [conditional] If using a local database by associating each host name with its corresponding public key, the evaluator shall try to connect to a host not configured in the local database. The evaluator shall verify that the TOE either fails to connect to a host identified by the host name or there is a prompt provided to store the public key in the local database. [conditional] If using a list of trusted certification authorities, the evaluator shall configure the TOE with only a single trusted certification authority corresponding to the host's certificate. The evaluator shall verify that the TOE can successfully connect to the host identified by the host name. [conditional] If using a list of trusted certification authorities, the evaluator shall configure the TOE with only a single trusted certification authority that does not correspond to the host's certificate. The evaluator shall verify that the TOE fails to connect to the host identified by the host name. [conditional] If using a list of trusted certification authorities, the evaluator shall configure the test server with a certificate that does not belong to it, but is otherwise valid (i.e., it has an invalid reference identifier). This certificate shall be signed by a certificate authority that is one of the trusted certificate authorities configured on the TOE. The evaluator shall verify that the TOE fails to connect to the test server. This family defines requirements for implementation of the SSH protocol when the TSF is acting as a server. requires the TSF to specify the details of its SSH server implementation. No specific management functions are identified. There are no auditable events foreseen. FCS_SSH_EXT.1 SSH Protocol These requirements relate to the server authenticating to the client. The client authenticating to the server is covered in FCS_SSHC_EXT.1.1. Validation of X.509 certificates is expected to conform to the Functional Package for X.509. There are no TSS EAs for this component. The evaluator shall check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed mechanisms are used in SSH connections with the TOE. The evaluator shall perform the following tests: The evaluator shall use a suitable SSH client to connect to the TOE and examine the list of server host key algorithms in the SSH_MSG_KEXINIT packet sent from the server to the client to determine that only the configured server authentication methods for the TOE were offered by the server. The evaluator shall test for a successful configuration setting of each server authentication method as follows. The evaluator shall initiate an SSH session using the authentication method configured and verify that the session is successfully established. Repeat this process for each independently configurable server authentication method supported by the server. The evaluator shall configure the peer to only allow an authentication mechanism that is not included in the ST selection. The evaluator shall attempt to connect to the TOE and observe that the TOE sends a disconnect message. CEM Common Methodology for Information Technology Security - Evaluation Methodology, CCMB-2022-11-006, CEM:2022, Revision 1, November 2022. openssh-portable/ PROTOCOL OpenSSH's deviations and extensions (1.6 transport: AES-GCM) RFC 4251 The Secure Shell (SSH) Protocol Architecture RFC 4252 The Secure Shell (SSH) Authentication Protocol RFC 4253 The Secure Shell (SSH) Transport Layer Protocol RFC 4254 The Secure Shell (SSH) Connection Protocol RFC 4256 Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) RFC 4344 The Secure Shell (SSH) Transport Layer Encryption Modes RFC 5647 AES Galois Counter Mode for the Secure Shell Transport Layer Protocol RFC 5656 Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer RFC 6187 X.509v3 Certificates for Secure Shell Authentication RFC 6668 SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol RFC 8268 More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH) RFC 8308 Extension Negotiation in the Secure Shell (SSH) Protocol RFC 8332 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol