Technical Guideline TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths Part 4 – Use of Secure Shell (SSH) Version 2021-01 Document history Version Date Description 2019-01 2019-02-22 Adjustment of the periods of use, recommendations of Diffie-Hellman groups of RFC 8268 2020-01 2020-01-31 Adjustment of the periods of use, discontinuation of HMAC-SHA-1 2021-01 2021-03-12 Adjustment of the periods of use Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn E-Mail: [email protected] Internet: https://www.bsi.bund.de © Federal Office for Information Security 2021 Table of Contents Table of Contents Document history.............................................................................................................................................................................. 2 1 Introduction......................................................................................................................................................................................... 5 2 Basic information............................................................................................................................................................................... 6 3 Recommendations............................................................................................................................................................................. 8 3.1 General notes................................................................................................................................................................................. 8 3.1.1 Periods of use.......................................................................................................................................................................... 8 3.1.2 Security level............................................................................................................................................................................ 8 3.2 SSH versions................................................................................................................................................................................... 8 3.2.1 Conformity to the SSH specification.............................................................................................................................8 3.3 Key agreement.............................................................................................................................................................................. 9 3.3.1 Key re-exchange.................................................................................................................................................................. 10 3.4 Encryption algorithms.............................................................................................................................................................. 10 3.5 MAC protection............................................................................................................................................................................ 10 3.6 Server authentication............................................................................................................................................................... 11 3.7 Client authentication................................................................................................................................................................. 11 4 Keys and random numbers......................................................................................................................................................... 13 4.1 Key storage................................................................................................................................................................................... 13 4.2 Handling of ephemeral keys................................................................................................................................................. 13 4.3 Random numbers....................................................................................................................................................................... 13 References........................................................................................................................................................................................... 14 Tables Table 1: Recommended key exchange methods............................................................................................................................... 9 Table 2: Recommended encryption algorithms.............................................................................................................................10 Table 3: Recommended functions for MAC protection..............................................................................................................10 Table 4: Recommended methods for sever authentication......................................................................................................11 Federal Office for Information Security 3 Introduction 1 1 Introduction This Technical Guideline provides recommendations for the use of the cryptographic protocol Secure Shell (SSH). This protocol can be used to establish a secure channel within an insecure network. The most common applications of the SSH protocol are logging on to a remote system (remote command-line login) and executing commands or running applications on remote systems. This Technical Guideline contains recommendations for the protocol version to be used and the cryptographic algorithms as a concretisation of the general recommendations in Part 1 of this Technical Guideline (see [TR-02102-1]). This Technical Guideline does not contain recommendations for specific applications, risk assessments or points of attack, which result from errors in the implementation of the protocol. Note: Even if all recommendations for the use of SSH are taken into account, data can leak from a cryptographic system to a considerable extent, e.g. by using side channels (measurement of timing behaviour, power consumption, data rates etc.). Therefore, the developer should identify possible side channels by involving experts in this field and implement corresponding countermeasures. Depending on the application, this also applies to fault attacks. Note: For the definitions of the cryptographic terms used in this document, please refer to the glossary in [TR-02102-1]. Federal Office for Information Security 5 2 Basic information 2 Basic information The SSH protocol consists of the three subprotocols Transport Layer Protocol, User Authentication Protocol and Connection Protocol. The Transport Layer Protocol (see [RFC4253]) allows server authentication, encryption, protection of the integrity and, optionally, data compression. It is based logically on the TCP/IP protocol. The User Authentication Protocol (see [RFC4252]) is used to authenticate the user to the server. It is based on the Transport Layer Protocol. The Connection Protocol (see [RFC4254]) is responsible for creating and managing logical channels within the encrypted tunnel. It is based on the User Authentication Protocol. For more detailed information about the protocol architecture of SSH, see [RFC4251]. The comprehensive specification of the SSH-2 (see Section 3.2) protocol can be found in the following RFCs: • RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers (January 2006) • RFC 4251: The Secure Shell (SSH) Protocol Architecture (January 2006) • RFC 4252: The Secure Shell (SSH) Authentication Protocol (January 2006) • RFC 4253: The Secure Shell (SSH) Transport Layer Protocol (January 2006) • RFC 4254: The Secure Shell (SSH) Connection Protocol (January 2006) • RFC 4256: Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) (January 2006) • RFC 4335: The Secure Shell (SSH) Session Channel Break Extension (January 2006) • RFC 4344: The Secure Shell (SSH) Transport Layer Encryption Modes (January 2006) The following RFCs contain extensions and additions to the SSH protocol: • RFC 4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints (January 2006) • RFC 4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol (March 2006) • RFC 4432: RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol (March 2006) • RFC 4462: Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol (May 2006) • RFC 4716: The Secure Shell (SSH) Public Key File Format (November 2006) • RFC 4819: Secure Shell Public Key Subsystem (March 2007) • RFC 5647: AES Galois Counter Mode for the Secure Shell Transport Layer Protocol (August 2009) • RFC 5656: Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer (December 2009) • RFC 6187: X.509v3 Certificates for Secure Shell Authentication (March 2011) • RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH) (May 2011) • RFC 6594: Use of the SHA-256 Algorithm with RSA: Digital Signature Algorithm (DSA): and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records (April 2012) • RFC 6668: SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol (July 2012) • RFC 8268: More Modular Exponentiation (MODP) Diffie-Hellman (DH) Key Exchange (KEX) Groups for Secure Shell (SSH) (December 2017) 6 Federal Office for Information Security Basic information 2 • RFC 8270: