usnistgov / macos_security

macOS Security Compliance Project

Tweak SSH rules for FIPS 186-5 addition of curve25519-sha256 #227

Closed GaryGapinski closed 6 months ago

GaryGapinski commented 1 year ago

Summary

FIPS 186-5 adds Ed25519 curve in §7. See also NIST SP 800-186.

Steps to reproduce

That curve was previously not an approved algorithm.

Operating System version

Any current or subsequent macOS version with old (older than FIPS 186-5) CMVP validation should exclude curve25519-sha256 in KexAlgorithms in /etc/ssh/sshd/config.

Any macOS version after FIPS 186-5 publication should probably† allow curve25519-sha256 in KexAlgorithms in /etc/ssh/sshd/config.

† Though the macOS version may not have been validated with that algorithm, so perhaps there is a need to wait for a novel validation.

Intel or Apple Silicon

CMVP module validations can be hardware-specific.

What is the current bug behavior?

Not tested.

What is the expected correct behavior?

curve25519-sha256 should be allowed in KexAlgorithms in /etc/ssh/sshd/config.

Possible fixes

macOS CMVP validation-tracking versions for os_sshd_fips_compliant.yaml (e.g.).

GaryGapinski commented 1 year ago

https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/1/web/1.0 has some interesting information.

robertgendler commented 1 year ago

@GaryGapinski I believe Apple is going to have to update their validated algorithms.

GaryGapinski commented 1 year ago

I agree. I think that means another CMVP validation (in which proper operation is tested). I am not in a position to test macOS FIPS mode but until FIPS 186-5 came out curve25519-sha256 should have been rejected. There are likely other algorithm changes but I haven't had time to closely read 186-5 (which is not an easy read; neither is SP 800-186). But it is usable despite being not previously allowed. Perhaps not in strict FIPS mode.

gapinski@flexion-mac-C02FCBVSMD6N macos_security % ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
gapinski@flexion-mac-C02FCBVSMD6N macos_security %

GaryGapinski commented 1 year ago

Also, ditch all finite field Diffie-Hellman algorithms (diffie-hellman-*) since they are unnecessary and no one bothers to recompute /etc/ssh/moduli. Ignore any with an @.
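The two suggestions in this thread (allow curve25519-sha256 only once the validation tracks FIPS 186-5, and drop the finite-field diffie-hellman-* and vendor-tagged @ names) can be expressed as a small compliance check. The script below is an added example, not code from the macos_security project or its os_sshd_fips_compliant.yaml rule. The sample input is the `ssh -Q kex` listing posted above; the function names, the "pre"/"post" era switch, and the assumption that the ecdh-sha2-nistp* exchanges are approved in both eras while only curve25519-sha256 changes status are this example's own.

```shell
#!/bin/sh
# Sample input: the `ssh -Q kex` listing from the thread (copied, not re-captured).
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com'

# Approved KEX names for a validation era (assumption of this example:
# the ECDH P-curve exchanges are approved in both eras and only
# curve25519-sha256 is added once the validation tracks FIPS 186-5).
# $1: "pre" (validation older than FIPS 186-5) or "post"
approved_kex() {
    printf '%s\n' ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
    [ "$1" = "post" ] && printf '%s\n' curve25519-sha256
    return 0
}

# Reduce a newline-separated `ssh -Q kex` listing to the names that should
# go into KexAlgorithms: drop finite-field DH (diffie-hellman-*), drop any
# name carrying an "@", keep only what approved_kex lists for the era.
# $1: listing, $2: pre|post
filter_kex() {
    allowed=$(approved_kex "$2")
    printf '%s\n' "$1" | while IFS= read -r kex; do
        case "$kex" in
            ''|diffie-hellman-*|*@*) continue ;;
        esac
        if printf '%s\n' "$allowed" | grep -qxF -- "$kex"; then
            printf '%s\n' "$kex"
        fi
    done
}

# Build the comma-separated value for a KexAlgorithms directive.
# $1: listing, $2: pre|post
kex_directive() {
    filter_kex "$1" "$2" | tr '\n' ',' | sed 's/,$//'
}

# Compliance check for an existing KexAlgorithms value: return 0 if every
# entry is approved for the era, otherwise print the offenders and return 1.
# $1: comma-separated KexAlgorithms value, $2: pre|post
check_kex_directive() {
    allowed=$(approved_kex "$2")
    rc=0
    for kex in $(printf '%s\n' "$1" | tr ',' ' '); do
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$kex"; then
            printf 'not approved for era %s: %s\n' "$2" "$kex" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: print the directive for each era, then audit a configured value.
printf 'pre-186-5:  KexAlgorithms %s\n' "$(kex_directive "$SAMPLE_KEX" pre)"
printf 'post-186-5: KexAlgorithms %s\n' "$(kex_directive "$SAMPLE_KEX" post)"
check_kex_directive "ecdh-sha2-nistp256,curve25519-sha256" pre || echo "audit failed (expected for a pre-186-5 validation)"
```

On a real host the listing would come from `ssh -Q kex` and the configured value from `sshd -T` rather than from the embedded sample; the era switch stands in for whatever the project decides to key on once Apple's validated algorithm list is updated.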

robertgendler commented 6 months ago

Closing for now. It's up to Apple to add it to its approved algorithms in SSH.