X.509v3 ML-DSA Certificates for the Secure Shell (SSH) Protocol
Sofia 1750 Bulgaria pkixssh@roumenpetrov.info https://roumenpetrov.info/secsh/
sec sshm Module-Lattice-Based Digital Signature Standard ML-DSA Secure Shell SSH Secure remote-login Public Key Algorithm X.509v3 Certificates This document describes the use of Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 version 3 Public Key Certificate in the Secure Shell protocol. Accordingly, the document updates RFC6187. Document and implementation details The datatracker status page of the draft is draft-rpe-ssh-x509-mldsa. The source of this document is located at I-D ssh-x509-mldsa. Implementation could be found at PKIX-SSHMLDSA-DEMO branch. Discussion of this document takes place on the Secure Shell Maintenance (sshm)" mailing list which is archived here.
Introduction Secure Shell (SSH) is a secure remote-login protocol. It provides for an extensible variety of public key algorithms for identifying servers and users to one another. The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a post-quantum digital signature algorithm. It is one of NIST's Post-Quantum Cryptography (PQC) project results standardised in . Note ML-DSA was known as Dilithium but standardised ML-DSA and Dilithium are not compatible. X.509 Version 3(x509v3) digital certificate format is specified in . The use of ML-DSA in Public Key Infrastructure X.509 (PKIX) is specified in . The Secure Shell (SSH) Transport Layer Protocol, see , describes how server is authenticated to the client. The meaning of SSH Public Key Algorithms is described in the same document, see . Authentication of the client to the server is described in SSH Authentication Protocol, see . In are described currently standardised X.509 V3 certificates used in SSH Public Key Algorithms. This document details the use of X.509 digital certificates with ML-DSA signature algorithm to be implemented by SSH and standardize the use of names x509v3-mldsa-44, x509v3-mldsa-65, and x509v3-mldsa-87.
Conventions Used in This Document The descriptions of key and signature formats use the notation introduced in and the string data type from .
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Public Key Algorithms using X.509v3 Certificates with ML-DSA public key The SSH Public Key Algorithms define the type, how the key or certificate is encoded, the signature and/or encryption algorithms, and their encoding. For X.509 certificates is used following "Public Key Format", added here only for reference:
string
key-type
uint32
certificate-count
string
certificate[1..certificate-count]
uint32
ocsp-response-count
string
ocsp-response[0..ocsp-response-count]
For complete description of each item see . In scope of this document is first(sender's) certificate from certificate list whose "subjectPublicKeyInfo" field is a ML-DSA public key in a certificate is specified in . The respective algorithm identifiers are in listed in . In this document ML-DSA certificate and X.509 certificate with ML-DSA public key are used interchangeably. For ML-DSA Certificates key-type field uses prefix "x509v3-" followed by corresponding plain key algorithm. For more details about ML-DSA plain key algorithms see . Signatures are generated as for plain key algorithms i.e., according to the "Pure ML-DSA Signature Generation" procedure described in Algorithm 2 step 10(sign) and Algorithm 3 step 5(verify).
  • The x509v3-mldsa-44 key-type is used when algorithm identifier, in "subjectPublicKeyInfo" field, is id-ml-dsa-44. This means that public key is an octet string of size 1312 without ASN.1 wrapping. Corresponding plain key algorithm is mldsa-44. For both public key algorithms signature is generated and encoded in the same way:
    string
    mldsa-44
    string
    signature
    Here, signature is the 2420-octet signature produced in accordance with Algorithm 2.
  • The x509v3-mldsa-65 key-type is used when algorithm identifier, in "subjectPublicKeyInfo" field, is id-ml-dsa-65. This means that public key is an octet string of size 1952 without ASN.1 wrapping. Corresponding plain key algorithm is mldsa-65. For both public key algorithms signature is generated and encoded in the same way:
    string
    mldsa-65
    string
    signature
    Here, signature is the 3309-octet signature produced in accordance with Algorithm 2.
  • The x509v3-mldsa-87 key-type is used when algorithm identifier, in "subjectPublicKeyInfo" field, is id-ml-dsa-87. This means that public key is an octet string of size 2592 without ASN.1 wrapping. Corresponding plain key algorithm is mldsa-87. For both public key algorithms signature is generated and encoded in the same way:
    string
    mldsa-87
    string
    signature
    Here, signature is the 4627-octet signature produced in accordance with Algorithm 2.
Certificate Extensions Certificate extensions specify additional attributes associated with an X.509v3 Certificate, see .
Key Usage For ML-DSA Certificates keyUsage extension is defined in . As is specified in , certificate used in public key algorithms digitalSignature bit MUST be set. As well, This is applicable to the public key algorithms x509v3-mldsa-44, x509v3-mldsa-65, and x509v3-mldsa-87 defined in this document.
Extended Key Usage Paragraphs in define two SSH specific extension - secureShellClient, and secureShellServer. As stated in the section, in accordance with , ML-DSA certificate MUST be used only for the indicated purposes too.
Subject Alternative Name At end of chapter is detailed recommendation for subjectAlternativeName X.509 certificate extension. These recommendation are relevant for ML-DSA certificate used in SSH as public key algorithm.
Usage The use of X.509v3 Certificates SSH "Public Key Algorithms" is described in . This is applicable to ML-DSA Certificates as well. The ML-DSA digital signature algorithms correspond to the Table 1. defined in Section 4 "Parameter Sets". The table below match parameters sets to "NIST PQC Security Strength Category":
Parameters NIST PQC Security Strength Category
ML-DSA-44 Category 2, NIST Level 2 (128-bit equivalent)
ML-DSA-65 Category 3, NIST Level 3 (192-bit equivalent)
ML-DSA-87 Category 5, NIST Level 2 (256-bit equivalent)
Use of ML-DSA plain key algorithms is specified in and standard implementations of SSH SHOULD implement mldsa-65 public Key algorithm. Implementation of ML-DSA Certificates MUST follow recommendation for plain-key algorithms. In addition certificate algorithm must be offered in preference to plain-key algorithm. This means that x509v3-mldsa-NN must precede mldsa-NN, where NN match number in parameter set. Also if ML-DSA Certificates are supported the public key algorithm x509v3-mldsa-65 SHOULD implemented.
IANA Considerations This document augments the Public Key Algorithm Names described in . This document requests new entries to "Public Key Algorithm Names" in the "Secure Shell (SSH) Protocol Parameters" registry according to the procedures in :
Public Key Algorithm Name Reference
x509v3-mldsa-44 This document.
x509v3-mldsa-65 This document.
x509v3-mldsa-87 This document.
Security Considerations This documents inherits security considerations for public key algorithms used for user and for server authentication. For "user", see , and for "server" see . The both documents refer to as full security considerations for SSH protocol. For X.509v3 Certificates used in secure shell authentication are applicable the security considerations detailed in . The security considerations for ML-DSA plain-keys, see applies to this specification as well. For ML-DSA Certificates applies as well specification of ML-DSA for Internet X.509 Public Key Infrastructure, see .
Normative References Module-lattice-based digital signature standard National Institute of Standards and Technology (U.S.) ML-DSA Public Key Algorithms for the Secure Shell (SSH) Protocol This document describes the use of the ML-DSA digital signature algorithms in the Secure Shell (SSH) protocol. Accordingly, this RFC updates . Informative References Secure Shell (SSH) Protocol Parameters IANA
Acknowledgements TBD