djmdjm 5 days ago
FIPS certification is given to an entire "cryptographic module" that includes hardware and software. "FIPS compliant OpenSSH" is therefore a misnomer; you have to certify OpenSSH running on a particular OS on particular hardware.

FIPS compliance does require use of specific algorithms. ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certified.

caveat: IANAFA (I am not a FIPS auditor)

thayne 5 days ago
> you have to certify OpenSSH running on a particular OS on particular hardware

Right, but if you use the certified version of OpenSSH, it will only allow you to use certain algorithms.

> ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certified

ML-KEM is allowed, and SHA-256 is allowed. But AFAIK, x25519 is not, although finding a definitive list is a lot more difficult for 140-3 than it was for 140-3, so I'm not positive.

So I don't think (but IANAFA as well) mlkem768x25519-sha256 would be allowed, although I would expect a hybrid that used ECDSA instead of x25519 would probably be ok. But again, IANAFA, and would be happy if I was wrong.

throw0101a 4 days ago
> ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine.

See perhaps §3.2, PQC-Classical Hybrid Protocols from interim report "Transition to Post-Quantum Cryptography Standards" (draft):

* https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.p...

No algorithm explicitly mentioned, but the general idea/technique discussed.