Information About SSH Algorithms for Common Criteria Certification
This section provides information about the Secure Shell (SSH) Algorithms for Common Criteria Certification, the Cisco IOS SSH Server Algorithms and Cisco IOS SSH Client Algorithms.
SSH Algorithms for Common Criteria Certification
A Secure Shell (SSH) configuration restricts a Cisco IOS SSH server and client to negotiating only those algorithms that are configured from the allowed list. If a remote party offers only algorithms that are not part of the allowed list, the request is rejected and the session is not established.
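The allowed-list check described above can be modelled as follows. This is an added example, not Cisco code: it parses a peer's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and negotiates against the server's default encryption and HMAC lists given on this page. The function names, the constructed peer offers and the choice to model the device as the server side are assumptions.

```python
import struct

# Allowed lists: the server's default encryption and HMAC order from this page.
ALLOWED = {
    "enc": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96"],
}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(enc, mac):
    """Build a constructed peer KEXINIT payload (zero cookie) for the demo."""
    lists = (["diffie-hellman-group14-sha1"], ["ssh-rsa"], enc, enc,
             mac, mac, ["none"], ["none"], [], [])
    body = bytes([20]) + bytes(16)              # message type 20 + cookie
    for names in lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the peer's offered name-lists, rejecting malformed input."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, offer = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + size].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        offset += size
    return offer

def negotiate(peer_payload):
    """Pick the first client-offered algorithm that is on the allowed list."""
    offer = parse_kexinit(peer_payload)
    chosen = {}
    for field in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        allowed = ALLOWED[field[:3]]
        chosen[field] = next((a for a in offer[field] if a in allowed), None)
    chosen["accepted"] = all(chosen.values())
    return chosen
```

A peer that offers only CBC ciphers gets `accepted` set to `False` even when its MAC offer matches, which mirrors the rejected session described above.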
Cisco IOS SSH Server Algorithms
Cisco IOS secure shell (SSH) servers support the encryption algorithms (Advanced Encryption Standard Counter Mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:
Supported Default Encryption Order:
- aes128-ctr
- aes192-ctr
- aes256-ctr
Supported Non-Default Encryption Order:
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des
Cisco IOS SSH clients support the Message Authentication Code (MAC) algorithms in the following order:
Supported Default HMAC order:
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1
- hmac-sha1-96
Cisco IOS SSH clients support only one host key algorithm and do not need a CLI configuration.
Supported Default Host Key order:
- x509v3-ssh-rsa
- ssh-rsa
Cisco IOS SSH Client Algorithms
Cisco IOS secure shell (SSH) clients support the encryption algorithms (Advanced Encryption Standard counter mode [AES-CTR], AES Cipher Block Chaining [AES-CBC], Triple Data Encryption Standard [3DES]) in the following order:
Supported Default Encryption Order:
- aes128-ctr
- aes192-ctr
- aes256-ctr
Supported Non-Default Encryption Order:
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des
Cisco IOS SSH clients support the Message Authentication Code (MAC) algorithms in the following order:
Supported Default HMAC order:
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1
- hmac-sha1-96
Cisco IOS SSH clients support only one host key algorithm and do not need a CLI configuration.
Supported Default Host Key order:
- x509v3-ssh-rsa
- ssh-rsa