Version | Date | Comment |
---|---|---|
1.0 | 2021-05-13 | Converted SSH EP to a Functional Package and incorporated CCUF CWG input. |
1.1 | 2023-08-04 | Updated for CC:2022 conformance, incorporated applicable errata. |
Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an untrusted network. SSH software can act as a client, server, or both.
This Functional Package (FP) for Secure Shell provides a collection of SSH protocol related Security Functional Requirements (SFRs) and Evaluation Activities (EAs) covering audit, authentication, cryptographic algorithms, and protocol negotiation. The intent of this package is to provide Protection Profile (PP), collaborative Protection Profile (cPP), and Protection Profile Module (PP-Module) authors with a readily consumable collection of SFRs and EAs to be integrated into their documents.
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Connection | The SSH transport layer between a client and a server. Within a connection there can be multiple sessions. |
Rekey | Where the connection renegotiates the shared secret and each session subsequently derives a new encryption key. |
Secure Shell (SSH) | Cryptographic network protocol for initiating text-based shell sessions on remote systems. |
Session | A discrete stream of data within a connection. |
The TOE in this FP is a product that acts as an SSH client, SSH server, or both. This FP describes the extended security functionality of SSH in terms of [CC].
The contents of this FP must be appropriately incoporated into a PP, cPP, or PP-Module. When this package is so incorporated, the ST must include selection-based requirements in accordance with the selections or assignments indicated in the incorporating document.
The PP, cPP, or PP-Module that instantiates this Package must typically include the following components in order to satisfy dependencies of this Package. It is the responsibility of the PP, cPP, or PP-Module author who incorporates this FP to ensure that dependence on these components is satisfied, either by the TOE or by assumptions about its OE.
An ST must identify the applicable version of the PP, cPP, or PP-Module, and of this FP in its conformance claims.
Component | Explanation |
---|---|
FCS_CKM.1 | To support key generation for SSH, the PP or PP-Module must
include FCS_CKM.1 and specify the corresponding algorithms. |
FCS_CKM.2 | To support key establishment for SSH, the PP or PP-Module must
include FCS_CKM.2 and specify the corresponding algorithms. |
FCS_COP.1 |
To support the cryptography needed for SSH communications, the PP or PP-Module must include FCS_COP.1
(iterating as needed) to specify AES with corresponding key sizes and modes, digital signature generation and
verification function (at least one of RSA or ECDSA), a cryptographic hash function, and a keyed-hash message
authentication function. In particular, the incorporating document must support AES-CTR as defined in NIST SP 800-38A
with key sizes of 128 or 256 bits, depending on the algorithms selected.
|
FCS_RBG.1 | To support random bit generation needed for SSH key generation,
the PP or PP-Module must include FCS_RBG.1 or an extended SFR that defines comparable functionality. |
FIA_X509_EXT.1 | To support establishment of SSH communications using a public key algorithm that includes X.509,
the PP or PP-Module must include FIA_X509_EXT.1. Note however that support for X.509 is selectable
and not mandatory. |
FIA_X509_EXT.2 | To support establishment of SSH communications using a public key algorithm that includes X.509,
the PP or PP-Module must include FIA_X509_EXT.2. Note however that support for X.509 is selectable
and not mandatory. |
FPT_STM.1 | To support establishment of SSH communications using a public key algorithm that includes X.509,
the PP or PP-Module must include FPT_STM.1 or some other requirement that ensures reliable system time.
Note however that support for time-based rekey thresholds is selectable and not mandatory. |
The auditable events specified in this Package are included in a ST if the incorporating PP, cPP, or PP-Module supports audit event reporting through FAU_GEN.1, and if all other criteria in the incorporating PP or PP-Module are met.
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FCS_SSH_EXT.1 | ||
[selection: Failure to establish SSH connection, None] |
| |
[selection: Establishment of SSH connection, None] | [selection: Non-TOE endpoint of connection (IP Address), No additional information] | |
[selection: Termination of SSH connection session, None] | [selection: Non-TOE endpoint of connection (IP Address), No additional information] | |
[selection: Dropping of packets outside defined size limits, None] | [selection: Packet size, No additional information] |
The ST author selects which of the additional RFCs to which conformance is being claimed. An SSH product can implement additional RFCs, but only those listed in the selection can be claimed as conformant under CC. The RFC selections for this requirement must be consistent with selections in later elements of this FP (e.g., cryptographic algorithms permitted).
For the purposes of this package (and subsequent integration into cPPs), only the claimed algorithms listed in the package must be enabled for use.
RFC 4253 indicates that certain cryptographic algorithms are "REQUIRED." This means that from the Internet Engineering Task Force's perspective, the implementation must include support, not that the algorithms must be enabled for use. For the purposes of this SFR's EA and this FP overall, it is not necessary to ensure that algorithms listed as "REQUIRED" by the RFC but not listed in later elements of this FP are actually implemented.
RFC 4344 must be selected if aes128-ctr or aes256-ctr is selected in FCS_SSH_EXT.1.4.
RFC 4356 must be selected if "keyboard-interactive" is selected in FCS_SSH_EXT.1.2.
RFC 5647 must be selected when AEAD_AES_128_GCM, AEAD_AES_256_GCM, aes128-gcm@openssh.com, or aes256-gcm@openssh.com is selected as an encryption algorithm in FCS_SSH_EXT.1.4 and when AEAD_AES_128_GCM or AEAD_AES_256_GCM is selected as MAC algorithm in FCS_SSH_EXT.1.5.
RFC 5656 must be selected when ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 is selected as a public key algorithm in FCS_SSH_EXT.1.2, or when ecdh-sha2-nistp256, ecdh-sha2-nistp384, or ecdh-sha2-nistp521 is selected as a key exchange algorithm in FCS_SSH_EXT.1.6, or when "RFC 5656" is selected in FCS_SSH_EXT.1.7.
RFC 6187 must be selected when x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, or x509v3-rsa2048-sha256 is selected as a public key algorithm in FCS_SSH_EXT.1.2.
RFC 6668 must be selected when hmac-sha2-256 or hmac-sha2-512 is selected as a MAC algorithm in FCS_SSH_EXT.1.5.
RFC 8268 must be selected when diffie-hellman-group14-sha256, diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, or diffie-hellman-group18-sha512 is selected as a key exchange algorithm in FCS_SSH_EXT.1.6.
RFC 8332 must be selected when rsa-sha2-256 or rsa-sha2-512 is selected as a public key algorithm in FCS_SSH_EXT.1.2.
RFC 8709 must be selected when ssh-ed25519 or ssh-ed448 is selected as a public key algorithm in FCS_SSH_EXT.1.2.
RFC 8731 must be selected when curve25519-sha256 or curve448-sha512 is selected as a key exchange algorithm in FCS_SSH_EXT.1.6.
If "client" is selected, then the ST must include FCS_SSHC_EXT.1.
If "server" is selected, then the ST must include FCS_SSHS_EXT.1.
Functional Class | Functional Components |
---|---|
Cryptographic Support (FCS) | FCS_SSHC_EXT SSH Client Protocol FCS_SSHS_EXT SSH Server Protocol FCS_SSH_EXT SSH Protocol |
FCS_SSH_EXT.1, SSH Protocol, requires the TSF to specify the details of its SSH protocol implementation.
No specific management functions are identified.
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP, PP-Module, FP, or ST:
Hierarchical to: | No other components. |
Dependencies to: |
FCS_CKM.1 Cryptographic Key Generation FCS_CKM.2 Cryptographic Key Derivation FCS_COP.1 Cryptographic Operation FCS_RBG.1 Random Bit Generation |
FCS_SSHC_EXT.1, SSH Client Protocol, requires the TSF to specify the details of its SSH client implementation.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FCS_SSH_EXT.1 SSH Protocol |
FCS_SSHS_EXT.1, SSH Server Protocol, requires the TSF to specify the details of its SSH server implementation.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: | No other components. |
Dependencies to: | FCS_SSH_EXT.1 SSH Protocol |
Acronym | Meaning |
---|---|
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
EA | Evaluation Activity |
ECC | Elliptic Curve Cryptography |
FP | Functional Package |
KDF | Key Derivation Function |
OE | Operational Environment |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
SAR | Security Assurance Requirement |
SFR | Security Functional Requirement |
SSH | Secure Shell |
ST | Security Target |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |