WingNews logo WingNews
top | item 44871052

(no title)

djmdjm | 6 months ago

FIPS certification is given to an entire "cryptographic module" that includes hardware and software. "FIPS compliant OpenSSH" is therefore a misnomer, you have to certify OpenSSH running on a particular OS on particular hardware.

FIPS compliance does require use of specific algorithms. ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certified.

caveat: IANAFA (I am not a FIPS auditor)

discuss

order

thayne|6 months ago

> you have to certify OpenSSH running on a particular OS on particular hardware

Right, but if you use the certified version of OpenSSH, it will only allow you to use certain algorithms.

> ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certifie

ML-KEM is allowed, and SHA-256 is allowed. But AFAIK, x25519 is not, although finding a definitive list is a lot more difficult for 140-3 than it was for 140-3, so I'm not positive. So I don't think (but IANAFA as well) mlkem768x25519-sha256 would be allowed, although I would expect a hybrid that used ECDSA instead of x25519 would probably be ok. But again, IANAFA, and would be happy if I was wrong.

djmdjm|6 months ago

My understanding is that a hybrid using x25519 as the classical KEM is fine on the basis that the security of the construction rests (for the purposes of approval) on ML-KEM and can't be made worse by the other part of the hybrid algorithm.

I don't have a definitive reference for this though.

throw0101a|6 months ago

> * ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine.*

See perhaps ยง3.2, PQC-Classical Hybrid Protocols from interim report "Transition to Post-Quantum Cryptography Standards" (draft):

* https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.p...

No algorithm explicitly mentioned, but the general idea/technique discussed.