Cryptographic Mechanisms: Recommendations and Key Lengths

Similar documents
UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Key Lifecycle Security Requirements. Version 1.0.2

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

Contents. Configuring SSH 1

Internet Engineering Task Force (IETF) ISSN: January Suite B Profile for Transport Layer Security (TLS)

CPSC 467: Cryptography and Computer Security

Internet Engineering Task Force (IETF) Request for Comments: 6594 Category: Standards Track April 2012 ISSN:

Network Working Group Request for Comments: 4432 March 2006 Category: Standards Track

Category: Standards Track Queen s University December Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Internet Engineering Task Force (IETF) Category: Standards Track Queensland University of Technology March 2011

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Internet Engineering Task Force (IETF) Request for Comments: 6160 Category: Standards Track April 2011 ISSN:

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

FIPS Compliance of Industry Protocols in Edward Morris September 25, 2013

NIST Cryptographic Toolkit

APNIC elearning: Cryptography Basics

The Secure Shell (SSH) Protocol

Internet Engineering Task Force (IETF) Category: Informational ISSN: October 2013

Internet Engineering Task Force (IETF) Request for Comments: 5959 Category: Standards Track August 2010 ISSN:

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Internet Engineering Task Force. Updates: 4250 (if approved) January 2, 2018 Intended status: Standards Track Expires: July 6, 2018

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Transport Level Security

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: March 2011

Intended status: Standards Track January 13, 2015 Expires: July 17, 2015

Internet Engineering Task Force (IETF) April Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

BSI Technical Guideline

Internet Engineering Task Force (IETF) Category: Informational. July Reclassification of Suite B Documents to Historic Status

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

SMPTE Standards Transition Issues for NIST/FIPS Requirements

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Network Working Group Request for Comments: 4419 Category: Standards Track March 2006

Privacy and Security in Smart Grids

VPN Overview. VPN Types

Internet Engineering Task Force (IETF) Request for Comments: 5754 Updates: 3370 January 2010 Category: Standards Track ISSN:

CPSC 467b: Cryptography and Computer Security

CSE 127: Computer Security Cryptography. Kirill Levchenko

SSH Algorithms for Common Criteria Certification

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

BIG-IP System: SSL Administration. Version

FUJITSU Software BS2000 internet Services. Version 3.4A May Readme

IBM Education Assistance for z/os V2R1

Internet Engineering Task Force (IETF) Request for Comments: 7518 Category: Standards Track May 2015 ISSN:

eidas compliant Trust Services with Utimaco HSMs

Cryptography. Summer Term 2010

Category: Informational March Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME

Tectia Client/Server 6.4. Enabling Elliptic Curve Cryptography. Practical Guide

FIPS Security Policy

Secure Remote Access: SSH & HTTPS

Internet Engineering Task Force (IETF) Request for Comments: Category: Informational ISSN: January 2010

Transport Layer Security

The OpenSSH Protocol under the Hood

New Security Features in DLMS/COSEM

Internet Engineering Task Force (IETF) Request for Comments: 6403 Category: Informational ISSN: M. Peck November 2011

Message authentication codes

Cryptographic Systems

TLS 1.1 Security fixes and TLS extensions RFC4346

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

State of TLS usage current and future. Dave Thompson

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

NCP Secure Entry macos Client Release Notes

Requirements from the. Functional Package for Transport Layer Security (TLS)

Introduction to Public-Key Cryptography

Updates: 2409 May 2005 Category: Standards Track. Algorithms for Internet Key Exchange version 1 (IKEv1)

Speed-ups of Elliptic Curve-Based

AN12120 A71CH for electronic anticounterfeit protection

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

JSON Web Algorithms (JWA) draft-ietf-jose-json-web-algorithms-01

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

NCP Secure Enterprise macos Client Release Notes

Request for Comments: 4255 Category: Standards Track SPARTA January Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Computer Security: Principles and Practice

CSE484 Final Study Guide

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

About FIPS, NGE, and AnyConnect

XML Security Algorithm Cross-Reference

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

Protect Yourself Against Security Challenges with Next-Generation Encryption

Cryptography MIS

Deploying a New Hash Algorithm. Presented By Archana Viswanath

Elaine Barker and Allen Roginsky NIST June 29, 2010

E-commerce security: SSL/TLS, SET and others. 4.1

Coming of Age: A Longitudinal Study of TLS Deployment

Introducing Hardware Security Modules to Embedded Systems

CRYPTOGRAPHY AND NETWORK SECURITY

L13. Reviews. Rocky K. C. Chang, April 10, 2015

UNIT - IV Cryptographic Hash Function 31.1

Introduction to Network Security Missouri S&T University CPE 5420 Data Integrity Algorithms

Imprivata FIPS Cryptographic Module Non-Proprietary Security Policy Version: 2.9 Date: August 10, 2016

Understand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS

POST-QUANTUM CRYPTOGRAPHY VIENNA CYBER SECURITY WEEK DR. DANIEL SLAMANIG

Linux Network Administration

Cryptography and Network Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Hosts have the top level of webinar control and can grant and revoke various privileges for participants.

This document is a preview generated by EVS

Transcription:

Technical Guideline TR-02102-4 Cryptographic Mechanisms: Recommendations and Key Lengths Part 4 Use of Secure Shell (SSH) (Version 2018-01)

Federal Office for Information Security P.O.B. 20 03 63 D-53133 Bonn (Germany) E-mail: TR02102@bsi.bund.de Internet: https://www.bsi.bund.de Federal Office for Information Security (BSI) 2018

Table of contents Table of contents 1 Introduction...4 2 Basic information...4 3 Recommendations...5 3.1 General notes...5 3.1.1 Periods of use...5 3.1.2 Security level...5 3.2 SSH versions...6 3.2.1 Conformity to the SSH specification...6 3.3 Key agreement...6 3.3.1 Key re-exchange...7 3.4 Encryption algorithms...7 3.5 MAC protection...8 3.6 Server authentication...8 3.7 Client authentication...9 4 Keys and random numbers...10 4.1 Key storage...10 4.2 Handling of ephemeral keys...10 4.3 Random numbers...10 5 References...11 List of tables Table 1: Recommended key exchange methods...6 Table 2: Recommended encryption algorithms...8 Table 3: Recommended functions for MAC protection...8 Table 4: Recommended methods for server authentication...9 Federal Office for Information Security (BSI) 3

Introduction 1 Introduction This Technical Guideline provides recommendations for the use of the cryptographic protocol Secure Shell (SSH). This protocol can be used to establish a secure channel within an insecure network. The most common applications of the SSH protocol are logging on to a remote system (remote command-line login) and executing commands or running applications on remote systems. This Technical Guideline contains recommendations for the protocol version to be used and the cryptographic algorithms as a concretisation of the general recommendations in Part 1 of this Technical Guideline (see [TR-02102-1]). This Technical Guideline does not contain recommendations for specific applications, risk assessments or points of attack, which result from errors in the implementation of the protocol. Note: Even if all recommendations for the use of SSH are taken into account, data can leak from a cryptographic system to a considerable extent, e.g. by using side channels (measurement of timing behaviour, power consumption, data rates etc.). Therefore, the developer should identify possible side channels by involving experts in this field and implement corresponding countermeasures. Depending on the application, this also applies to fault attacks. Note: For the definitions of the cryptographic terms used in this document, please refer to the glossary in [TR-02102-1]. 2 Basic information The SSH protocol consists of the three subprotocols Transport Layer Protocol, User Authentication Protocol and Connection Protocol. The Transport Layer Protocol (see [RFC4253]) allows server authentication, encryption, protection of the integrity and, optionally, data compression. It is based logically on the TCP/IP protocol. The User Authentication Protocol (see [RFC4252]) is used to authenticate the user to the server. It is based on the Transport Layer Protocol. The Connection Protocol (see [RFC4254]) is responsible for creating and managing logical channels within the encrypted tunnel. It is based on the User Authentication Protocol. For more detailed information about the protocol architecture of SSH, see [RFC4251]. The comprehensive specification of the SSH-2 (see Section 3.2) protocol can be found in the following RFCs: RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers (January 2006) RFC 4251: The Secure Shell (SSH) Protocol Architecture (January 2006) RFC 4252: The Secure Shell (SSH) Authentication Protocol (January 2006) RFC 4253: The Secure Shell (SSH) Transport Layer Protocol (January 2006) RFC 4254: The Secure Shell (SSH) Connection Protocol (January 2006) RFC 4256: Generic Message Exchange Authentication for the Secure Shell Protocol (SSH) (January 2006) RFC 4335: The Secure Shell (SSH) Session Channel Break Extension (January 2006) RFC 4344: The Secure Shell (SSH) Transport Layer Encryption Modes (January 2006) 4 Federal Office for Information Security (BSI)

Basic information The following RFCs contain extensions and additions to the SSH protocol: RFC 4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints (January 2006) RFC 4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol (March 2006) RFC 4432: RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol (March 2006) RFC 4462: Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol (May 2006) RFC 4716: The Secure Shell (SSH) Public Key File Format (November 2006) RFC 4819: Secure Shell Public Key Subsystem (March 2007) RFC 5647: AES Galois Counter Mode for the Secure Shell Transport Layer Protocol (August 2009) RFC 5656: Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer (December 2009) RFC 6187: X.509v3 Certificates for Secure Shell Authentication (March 2011) RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH) (May 2011) RFC 6594: Use of the SHA-256 Algorithm with RSA: Digital Signature Algorithm (DSA): and Elliptic Curve DSA (ECDSA) in SSHFP Resource Records (April 2012) RFC 6668: SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol (July 2012) 3 Recommendations This chapter provides recommendations for the use of the SSH protocol. They refer to the cryptographic mechanisms to be used and the SSH versions. This Technical Guideline does not contain configuration instructions for specific implementations of the SSH protocol, but general cryptographic recommendations that can be used for all SSH implementations. 3.1 General notes 3.1.1 Periods of use The recommendations in this Technical Guideline have a maximum period of use. The indication of the year means that the respective mechanism is recommended until the end of the year stated. If the year is marked with a "+" sign, it is possible to extend the period of use. 3.1.2 Security level The security level for all cryptographic mechanisms in this Technical Guideline depends on the security level stated in Section 1.1 in [TR-02102-1]. The current security level is 100 bit. Note: It is planned to raise the security level to 120 bit from 2023. See also Section 1.1 in [TR- 02102-1]. Federal Office for Information Security (BSI) 5

Recommendations 3.2 SSH versions In 1995, the first version of the SSH protocol was developed by Tatu Ylönen, a researcher at Helsinki University of Technology. Today, this version is referred to as SSH-1. In 2006, a revised version of the protocol was adopted by the IETF as an internet standard (RFC). This version is referred to as SSH-2. The following recommendations apply to the choice of the SSH protocol version: The use of SSH-2 is recommended. Using SSH-1 is not recommended, since this protocol version contains cryptographic vulnerabilities. 3.2.1 Conformity to the SSH specification The specification of the SSH protocol contains cryptographic algorithms which must be supported by applications conforming to the standard. In this Technical Guideline, not all of them may be recommended. The reason for this is that the SSH specification (see list of RFCs in Chapter 2) dates back basically to the year 2006 and therefore some algorithms from these specifications are potentially outdated or not sufficiently secure anymore. If an application has to fully comply with the SSH specification, the following procedure should be used: The application should support the algorithms recommended in this document and the algorithms given in the specification, but be configured in such a way that the recommended (cryptographically strong) algorithms are used with high priority and the (possibly cryptographically weak or obsolete 1 ) algorithms from the SSH specification are used with low priority or, if possible, are not used. 3.3 Key agreement When establishing the SSH connection, keys are exchanged in order to create and exchange shared session keys for authentication and encryption. The following key exchange methods are recommended: No. Key exchange method Specification Use up to 1 diffie-hellman-groupexchange-sha256 Section 4.2 in [RFC4419] 2024+ 2 rsa2048-sha256 Chapter 4 and 6 in [RFC4432] 2022 3 ecdh-sha2-* Section 6.3 in [RFC5656] 2024+ Remark on key exchange method no. 1: Using the notation from Chapter 3 in [RFC4419]: Table 1: Recommended key exchange methods 1. The length of the prime number p should be at least 2000 bits (see also Section 7.2.1 in [TR-02102-1]). 1 The most important specifications of the SSH protocol date back to 2006. 6 Federal Office for Information Security (BSI)

Recommendations p will be re- Important note: From the year 2023, a minimum bit length of 3000 bit for commended. See also Section 3.1.2. 2. The order of the generator g should at least have the size 2 250 (see also Section 7.2.1 in [TR-02102-1]). 3. According to Chapter 3 in [RFC4419], p should be a safe prime, which means that with p=2 q+1, both p and q are prime. Since p is a safe prime, we have p 1=2q, which means that the order of the generator g can only be 2 or q. If the recommendation in Item 2 is taken into account, only q remains as the possible order. Due to the additional requirement in Item 3 (safe prime), the bit length of q is much greater than the minimum recommendation in Item 2. This circumstance must be accepted if the implementation is to comply with [RFC4419], [TR-02102-1] and this Technical Guideline. Note: For this key exchange method, SHA-256 must also be used for the key derivation pseudorandom function (PRF). Remark on key exchange method no. 3: The "*" symbol is replaced by the identifier of an elliptic curve from Section 10.1 in [RFC5656]. The following elliptic curves are currently recommended: nistp256, nistp384, nistp521 The corresponding hash function from the SHA-2 family must be chosen depending on the bit length of the curve according to Section 6.2.1 in [RFC5656]. It is planned to also recommend the Brainpool curves as soon as they have been standardised in an internet standard for the SSH protocol. 3.3.1 Key re-exchange It makes sense to renew the key material of a connection after a certain period of time or a certain amount of data transmitted in order to make it more difficult to attack the session keys. With SSH, it is possible to renew the session keys by sending the message SSH_MSG_KEXINIT. Both the client and the server can initiate this process. It is recommended to re-exchange the keys according to Chapter 9 in [RFC4253], i.e. the session keys are renewed after one hour or after one gigabyte has been transmitted (whichever happens first). 3.4 Encryption algorithms During the key exchange, the client and the server agree on an encryption algorithm as well as a shared encryption key. The following encryption algorithms are recommended in this respect: Federal Office for Information Security (BSI) 7

Recommendations No. Algorithm Specification Use up to 1 AEAD_AES_128_GCM Section 6.1 in [RFC5647] 2024+ 2 AEAD_AES_256_GCM Section 6.2 in [RFC5647] 2024+ 3 aes256-cbc Section 6.3 in [RFC4253] 2024+ 4 aes192-cbc Section 6.3 in [RFC4253] 2024+ 5 aes128-cbc Section 6.3 in [RFC4253] 2024+ 6 aes128-ctr Section 4 in [RFC4344] 2024+ 7 aes192-ctr Section 4 in [RFC4344] 2024+ 8 aes256-ctr Section 4 in [RFC4344] 2024+ Table 2: Recommended encryption algorithms Note: Algorithm no. 1 and no. 2 already include MAC protection by the GCM mode. Note: If possible, algorithms no. 1 and 2 from the table above should be used, since there are provable security statements for the GCM mode with respect to the security objective of authenticated encryption. For algorithms no. 3 to 8, there are no comparable security guarantees, because SSH combines encryption and authentication in the encrypt-and-mac mode (instead of the provable secure encrypt-then-mac order). 3.5 MAC protection For the MAC protection, the following functions are recommended: No. Function Specification Use up to 1 hmac-sha1 2 Section 6.4 in [RFC4253] 2018+ 2 hmac-sha2-256 Chapter 2 in [RFC6668] 2024+ 3 hmac-sha2-512 Chapter 2 in [RFC6668] 2024+ Table 3: Recommended functions for MAC protection 3.6 Server authentication The server authenticates to the client. This process is carried out as part of the Transport Layer Protocol. Chapter 7 in [RFC4253] describes the explicit server authentication. The key exchange messages contain a digital signature of the server (or other proof) in order to prove its authenticity. The client can check the signature with the public key of the server and thus determine the authenticity of the server. 2 Due to attacks on the collision resistance properties of SHA-1 (see also Section 1.4 and Remark 13 in [TR-02102-1] as well as [SKP15]), it should be taken into account whether the collision resistance is required when using SHA-1. This is the case when creating signatures. For HMAC calculations, however, the collision resistance is not required. Therefore, SHA-1 can still be used for HMAC calculations on an interim basis, but not for the creation of signatures. 8 Federal Office for Information Security (BSI)

Recommendations The algorithms for digital signatures are called "Public Key Algorithms" in [RFC4253] (see Section 6.6 in [RFC4253]). Note: For recommendations in relation to authentication, the Technical Guideline [TR-03116-4] is referred to. When using the SSH protocol in Federal Government projects, the recommendations stated in the Technical Guideline mentioned above must be taken into account. The following methods are recommended for server authentication: No. Method Specification Key length Use up to 1 pgp-sign-rsa 3 well as Section 9.1 and Section Section 6.6 in [RFC4253] as 9.4 in [RFC4880] 2 pgp-sign-dss 3 well as Section 9.1 and Section Section 6.6 in [RFC4253] as 9.4 in [RFC4880] 2000 bits 2020 2000 bits / 250 bits 2022 3 ecdsa-sha2-* Chapter 3 in [RFC5656] 250 bits 2024+ 4 x509v3-rsa2048-sha256 Section 3.3 in [RFC6187] 2048 bits 2020 5 x509v3-ecdsa-sha2-* Section 3.4 in [RFC6187] 250 bits 2024+ Table 4: Recommended methods for server authentication Remark: Methods no. 1 and no. 4 use the encoding scheme EMSA-PKCS1-v1_5 (see Section 9.2 in [RFC3447]). As a result of this, the period of use is shorter. Remark on method no. 2: From the year 2023, a key length of at least 3000 bit will be recommended. See also Section 3.1.2. Note: The methods ssh-dss, ssh-rsa (see Section 6.6 in [RFC4253]) as well as x509v3- ssh-dss, x509v3-ssh-rsa (see Section 3.1 and Section 3.2 in [RFC6187]) use the hash function SHA-1 when creating signatures and are therefore not recommended 2. Since the first two mentioned methods are required or recommended according to [RFC4253], the note in Section 3.2 is referred to. Remark on methods no. 3 and no. 5: The "*" symbol is replaced by the identifier of an elliptic curve from Section 10.1 in [RFC5656]. The following elliptic curves are currently recommended: nistp256, nistp384, nistp521 The corresponding hash function from the SHA-2 family must be chosen depending on the bit length of the curve according to Section 6.2.1 in [RFC5656]. It is planned to also recommend the Brainpool curves for methods no. 3 and no. 5 as soon as they have been standardised in an internet standard for the SSH protocol. 3.7 Client authentication (Unlike server authentication), client authentication does not take place in the Transport Layer Protocol, but in the User Authentication Protocol. This protocol is logically based on the Transport Layer Protocol. 3 This method is only recommended in connection with a hash function from the SHA-2 family that is adequate for the key length (see Section 9.4 in [RFC4880]). Federal Office for Information Security (BSI) 9

Recommendations The most important methods for client authentication include: Public key authentication Password authentication Host-based authentication Recommendation: For client authentication, "public key authentication" together with one of the methods from Table 4, Section 3.6 is recommended. Remark: According to [RFC4252], public key authentication must be supported by all SSH implementations. The corresponding Authentication Method Name according to [RFC4250], Section 4.8 is referred to as "publickey". The authentication method is described in Chapter 7 of [RFC4242]. For authentication when TLS is used in Federal Government projects, the recommendations given in the Technical Guideline [TR-03116-4] must be taken into account. 4 Keys and random numbers 4.1 Key storage Private cryptographic keys, especially static keys and signature keys, must be stored and processed in a secure manner. This includes, among other things, the protection against copying, misuse and manipulation of the keys. The keys can be stored securely, for example by using certified hardware (chip card, HSM). The public keys of bodies considered trusted (trust anchors) must also be stored in such a manner that they cannot be manipulated. 4.2 Handling of ephemeral keys If an SSH connection is secured by means of an encryption algorithm, it must be ensured that all ephemeral keys are deleted irrevocably after they have been used and that no copies of these keys were made. Ephemeral or session keys may only be used for one connection and should generally not be stored persistently. 4.3 Random numbers To generate random numbers, e.g. for cryptographic keys or for creating signatures, adequate random number generators must be used. A random number generator from one of the classes DRG.3, DRG.4, PTG.3 or NTG.1 according to [AIS20/31] is recommended, see also Chapter 9 in Part 1 of this Technical Guideline. 10 Federal Office for Information Security (BSI)

References 5 References Abbr. AIS20/31 RFC3447 RFC4251 RFC4252 RFC4253 RFC4254 RFC4344 RFC4419 RFC4432 RFC4880 RFC5647 RFC5656 RFC6668 SKP15 TR-02102-1 TR-03116-4 Reference BSI: W. Killmann, W. Schindler, AIS 20/31 -- A proposal for: Functionality classes for random number generators, 2011 J. Jonsson, B. Kaliski: RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, 2003 T. Ylonen, C. Lonvick: RFC 4251, The Secure Shell (SSH) Protocol Architecture, 2006 T. Ylonen, C. Lonvick: RFC 4252, The Secure Shell (SSH) Authentication Protocol, 2006 T. Ylonen, C. Lonvick: RFC 4253, The Secure Shell (SSH) Transport Layer Protocol, 2006 T. Ylonen, C. Lonvick: RFC 4254, The Secure Shell (SSH) Connection Protocol, 2006 M. Bellare, T. Kohno, C. Namprempre: RFC 4344, The Secure Shell (SSH) Transport Layer Encryption Modes, 2006 M. Friedl, N. Provos, W. Simpson: RFC 4419, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol, 2006 B. Harris: RFC 4432, RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol, 2006 J. Callas, L. Donnerhacke, H. Finney, D. Shaw, R. Thayer: RFC 4880, OpenPGP Message Format, 2007 K. Igoe, J. Solinas: RFC 5647, AES Galois Counter Mode for the Secure Shell Transport Layer Protocol, 2009 D. Stebila, J. Green: RFC 5656, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, 2009 D. Bider, M. Baushke: RFC 6668, SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol, 2012 Marc Stevens, Pierre Karpman, Thomas Peyrin: Freestart collision for full SHA-1, EUROCRYPT 2016, Lecture Notes in Computer Science, vol. 9665, Springer, 2016, pp. 459-483 BSI: Technical Guideline TR-02102-1, Cryptographic Mechanisms: Recommendations and Key Lengths, 2017 BSI: Technische Richtlinie TR-03116-4, Kryptographische Vorgaben für Projekte der Bundesregierung, Teil 4 - Kommunikationsverfahren in Anwendungen, 2017 Federal Office for Information Security (BSI) 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback