SSH and FIPS 140-2 compliant ciphers


Samuel Vange

Feb 6, 2017, 11:50:14 AM
to SIMP Users
We are trying to verify that the ciphers chosen for SSH are actually FIPS 140-2 compliant. Specifically, we're concerned about STIG checks RHEL-07-040110 and RHEL-07-040620:


RHEL-07-040110: A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.

Symmetric key algorithms approved by FIPS 140-2 according to Annex A:
- AES
- DES
- 3DES
- Skipjack

Symmetric key algorithms specified in sshd_config by default in a RHEL 7 SIMP 5.2.0-0 installation:
- aes256-cbc
- aes192-cbc
- aes128-cbc

Concerns: Although AES is FIPS 140-2 approved and used in all of the sshd_config ciphers, I don't know how to verify that gcm and cbc mode are approved by FIPS 140-2. Furthermore, how can I know (prove) that the openssh.com implementation is NIST certified? Also, what implementation are aes256-cbc, aes192-cbc, and aes128-cbc; and how can I verify that those implementations are compliant? I've found http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html which lists tested and approved implementations, but I can't connect the specific ciphers used and the list on the website.



RHEL-07-040620: The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

MAC algorithms approved by FIPS 140-2 according to Annex A:
- 3DES
- AES
- HMAC

MAC algorithms specified in sshd_config by default in a RHEL 7 SIMP 5.2.0-0 installation:
- hmac-sha2-256
- hmac-sha1

Concerns: Same questions as above. Although HMAC is approved by FIPS 140-2, how do I know that these specific modes of operation (hmac-sha2-256 and hmac-sha1) and these specific implementations are approved?


Thank you,
Samuel Vange


Shawn Wells

Feb 6, 2017, 12:03:23 PM
to simp-...@googlegroups.com
You can find the RHEL FIPS info here:
https://www.redhat.com/en/technologies/industries/government/standards

You'll see the FIPS 140-2 section on the left-hand side, which will pull
up the links to RHEL7 FIPS docs.

Note that FIPS is platform specific, e.g. RHEL and not
CentOS+derivatives. Unless you've replaced the native OpenSSH
client/server with the .org version, the openssh.com certifications are
not applicable/relevant.

Trevor Vaughan

Feb 6, 2017, 12:54:51 PM
to Samuel Vange, SIMP Users
Hi Samuel,

One thing to note is that, unless you are running with 'fips=1' at the kernel level, you're not meeting the FIPS certification requirements.

That said, if you set the appropriate 'fips' related parameter in the module to 'true', it should strip out anything that is not allowed by FIPS.

One of the ways that we test this is by enabling 'fips=1' in the kernel and seeing what ciphers still work and/or are available on the system. If you find something on the system in FIPS mode that should not be there, we should file an upstream bug with Red Hat.

Thanks,

Trevor

--
You received this message because you are subscribed to the Google Groups "SIMP Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simp-users+unsubscribe@googlegroups.com.
To post to this group, send email to simp-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/simp-users/40ef4fe2-a0b7-4701-95fa-a879d4a4e45b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Trevor Vaughan

Feb 8, 2017, 11:03:09 AM
to Samuel Vange, SIMP Users
Hi Samuel,

We had a lot of internal discussion on this and I did indeed validate that the *actual* implementation with OpenSSH on EL7 (up through today's updates) supports the following:

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijnda...@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes12...@openssh.com
aes25...@openssh.com

We're only going to support the GCM and CTR ciphers (if we keep the GCM) and it is true that this does not match the documentation. However, the GCM ciphers are so much faster that it would be great to be able to use them.

Thanks,

Trevor

Samuel Vange

Feb 8, 2017, 1:49:12 PM
to SIMP Users, samue...@gmail.com
Thanks for looking into this Trevor. Ideally, I'd like to produce an artifact (e.g. a FIPS certificate with the specific ciphers listed) to prove that the ciphers listed in the config satisfy FIPS 140-2 requirements. Can you point me to something like that?

Trevor Vaughan

Feb 8, 2017, 2:11:07 PM
to Samuel Vange, SIMP Users, Shawn Wells
I think this is the official page https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-certifications but I'm going to punt to Shawn for hopefully a more precise/helpful answer.

Thanks,

Trevor



Shawn Wells

Feb 8, 2017, 2:43:59 PM
to Trevor Vaughan, Samuel Vange, SIMP Users


On 2/8/17 2:11 PM, Trevor Vaughan wrote:
> I think this is the official page
> https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-certifications
> but I'm going to punt to Shawn for hopefully a more precise/helpful
> answer.

The 'source of truth' on what Red Hat has/has not certified is the US
Gov Standards page:
https://www.redhat.com/en/technologies/industries/government/standards

Which has URLs to the formal NIST 140-2 certification paperwork. In the
case of OpenSSH (server):
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2630

Which points you to the 'Security Policy' paperwork:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf

Certified algorithms are listed in '10.1.1 OpenSSH Configuration', which
reads:

> The user must not use DSA keys for performing key-based authentication
> as OpenSSH only allows DSA keys with 1024 bit size which are
> disallowed as per SP800-131A.
>
> The user must not accept DSA host keys potentially offered during the
> first contact of an SSH server as OpenSSH only allows DSA keys with
> 1024 bit size which are disallowed as per SP800- 131A.
>
> When re-generating RSA host keys, the crypto officer should generate
> RSA keys with a size of 2048 bit or higher according to [SP800-131A].
> The crypto officer should inform the user base to not use RSA keys
> with key sizes smaller than 2048 bits.
>
> In FIPS 140-2 mode, the following restrictions are applicable. When
> these restrictions are violated by configuration options or command
> line options, the module will not be in the FIPS mode of operation:
>
> • SSH protocol version 1 is not allowed
> • GSSAPI is not allowed
> • Only the following ciphers are allowed:
> • aes128-ctr
> • aes192-ctr
> • aes256-ctr
> • aes128-cbc
> • aes192-cbc
> • aes256-cbc
> • 3des-cbc
> • rijnda...@lysator.liu.se
>
> Only the following message authentication codes are allowed:
> • hmac-sha1
> • hmac-sha2-256
> • hmac-sha2-512
> • hmac-s...@openssh.com
> • hmac-sha...@openssh.com
> • hmac-sha...@openssh.com
>
> Any use of other ciphers or algorithms will result in the module
> entering the non-FIPS mode of operation.


Note the gcm ciphers Trevor mentioned are not listed =/
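The two checks this thread converges on are (a) whether the kernel booted with fips=1, as Trevor describes, and (b) whether every algorithm in the sshd_config Ciphers and MACs lines appears in the Security Policy allowlist quoted above. The script below is an added example, not code from the thread or from the simp/pupmod-simp-ssh module. It embeds the allowlist exactly as quoted (the names that are truncated in the quote, rijnda...@lysator.liu.se and the three hmac-*@openssh.com MACs, are left out and should be added from the Security Policy PDF), audits a constructed sshd_config fragment, and reads /proc/sys/crypto/fips_enabled where it exists. The GCM cipher names in the sample are the full OpenSSH identifiers aes128-gcm@openssh.com and aes256-gcm@openssh.com, supplied here because the thread only shows them truncated.

```shell
#!/bin/sh
# Added example (not from the thread or the SIMP ssh module): audit the
# Ciphers/MACs lines of an sshd_config against the algorithm allowlist
# quoted from the RHEL 7 OpenSSH server FIPS 140-2 Security Policy
# (section 10.1.1) and report the kernel's FIPS mode.

# Allowlist as quoted in the thread. Entries whose names were truncated in
# the quote (rijnda...@lysator.liu.se, hmac-*@openssh.com) are omitted on
# purpose; copy them from the Security Policy PDF before relying on this.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc"
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512"

# in_list NAME "LIST": succeed if NAME is one of the space-separated items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# disallowed "comma,list" "ALLOWLIST": print every algorithm from the
# comma-separated sshd_config value that is not on the allowlist.
disallowed() {
    echo "$1" | tr ',' '\n' | while read -r alg; do
        [ -n "$alg" ] || continue
        in_list "$alg" "$2" || echo "$alg"
    done
}

# config_value KEYWORD CONFIG_TEXT: value of the first uncommented
# "KEYWORD value" line (sshd_config keywords are case-insensitive).
config_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_config CONFIG_TEXT: print "Keyword algorithm" for each algorithm
# that would take the module out of FIPS mode; prints nothing when clean.
audit_config() {
    for bad in $(disallowed "$(config_value Ciphers "$1")" "$FIPS_CIPHERS"); do
        echo "Ciphers $bad"
    done
    for bad in $(disallowed "$(config_value MACs "$1")" "$FIPS_MACS"); do
        echo "MACs $bad"
    done
}

# kernel_fips_mode: "1" when the kernel booted with fips=1, "0" when not,
# "unknown" on systems without /proc/sys/crypto/fips_enabled.
kernel_fips_mode() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo unknown
    fi
}

# Constructed sample: the GCM+CTR set discussed in the thread plus the
# SIMP default MACs. The GCM names are the full OpenSSH identifiers.
SAMPLE_CONFIG='# constructed sshd_config fragment
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha1'

# Usage: sh fips_ssh_audit.sh --run   (or source it and call audit_config
# on "$(cat /etc/ssh/sshd_config)")
if [ "${1:-}" = "--run" ]; then
    echo "kernel fips mode: $(kernel_fips_mode)"
    audit_config "$SAMPLE_CONFIG"
fi
```

Run against the sample it reports the two GCM ciphers and nothing else, which is exactly the mismatch Shawn points out; run against a live /etc/ssh/sshd_config it gives you the list of entries to remove before the host can be considered in the FIPS mode of operation, independent of whether fips=1 is set.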

Trevor Vaughan

Feb 8, 2017, 4:15:17 PM
to Shawn Wells, Samuel Vange, SIMP Users
Hey Shawn, methinks there is a bug....

Trevor


Shawn Wells

Feb 8, 2017, 4:48:25 PM
to Trevor Vaughan, Samuel Vange, SIMP Users
I don't know. Checked our internal docs and didn't find mention of GCM. Sent a query to the team who managed our FIPS evals. Will report back.

-Shawn
-- 
Shawn Wells
Chief Security Strategist
U.S. Public Sector
sh...@redhat.com | 443.534.0130 

Samuel Vange

Feb 9, 2017, 10:32:08 AM
to SIMP Users, tvau...@onyxpoint.com, samue...@gmail.com
FYI,

I have been directed to the Common Criteria (BSI-DSZ-CC-0999-2016 for Red Hat Enterprise Linux Version 7.1 from Red Hat) (https://www.commoncriteriaportal.org/files/epfiles/0999a_pdf.pdf) for guidance. On page 27/50 there is a list of ciphers that are said to be compliant. These are the same ciphers that Shawn found: AES in CBC mode, and CTR mode (aes128-cbc, aes192-cbc, aes256-cbc) (aes128-ctr, aes192-ctr, aes256-ctr).

Trevor Vaughan

Feb 9, 2017, 3:47:17 PM
to SIMP Users, tvau...@onyxpoint.com, samue...@gmail.com
Hi Samuel,

Thanks for the follow up.

Per this PR (https://github.com/simp/pupmod-simp-ssh/pull/52) we're restricting them to the ones approved in the documentation.


Thanks,

Trevor

Shawn Wells

Feb 9, 2017, 4:24:36 PM
to simp-...@googlegroups.com


On 2/9/17 3:47 PM, Trevor Vaughan wrote:
> Hi Samuel,
>
> Thanks for the follow up.
>
> Per this PR (https://github.com/simp/pupmod-simp-ssh/pull/52) we're
> restricting them to the ones approved in the documentation.
>
> Bug filed at https://bugzilla.redhat.com/show_bug.cgi?id=1420910

Feedback from the FIPS team: At the time of RHEL7 FIPS evaluations, NIST
did not allow AES-GCM in other protocols than TLS and IPSec. So doesn't
look like it was actually included.

Forwarded your BZ to the right internal people. Bugzilla's don't carry
SLAs, so if you can attach a customer support case, that'd be great :)
If you send me the ticket # I can do the association between BZ->Support.

Trevor Vaughan

Feb 9, 2017, 4:32:07 PM
to Shawn Wells, SIMP Users

01789608



Shawn Wells

Feb 9, 2017, 5:01:12 PM
to Trevor Vaughan, SIMP Users
Mapped. Also tipped off your TAM.