crypto-policies(7) - system-wide crypto policies overview.

    CRYPTO-POLICIES(7)                                          CRYPTO-POLICIES(7)
    
    NAME
           crypto-policies - system-wide crypto policies overview
    
    DESCRIPTION
           The security of cryptographic components of the operating system does
           not remain constant over time. Algorithms, such as cryptographic
           hashing and encryption, typically have a lifetime, after which they are
           considered either too risky to use or plain insecure. That means we
           need to phase out such algorithms from the default settings, or
           disable them completely if they could cause an irreparable problem.
    
           While in the past the algorithms were not disabled in a consistent way
           and different applications applied different policies, the system-wide
           crypto-policies followed by the crypto core components allow
           consistently deprecating and disabling algorithms system-wide.
    
           The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are
           included in the crypto-policies package. In the future, there will
           also be a mechanism for easy creation and deployment of policies
           defined by the system administrator or a third-party vendor.
    
           For rationale, see RFC 7457 for a list of attacks taking advantage of
           legacy crypto algorithms.
    
    COVERED APPLICATIONS
           Crypto-policies apply to the configuration of the core cryptographic
           subsystems, covering the TLS, IKE, IPsec, DNSSEC, and Kerberos
           protocols; i.e., the secure communication protocols supported by the
           base operating system.
    
           Once an application runs in the operating system, it follows the
           default or selected policy and refuses to fall back to algorithms and
           protocols not within the policy, unless the user has explicitly
           requested the application to do so. That is, the policy applies to the
           default behavior of applications when running with the system-provided
           configuration but the user can override it on an application-specific
           basis.
    
           The policies currently provide settings for these applications and
           libraries:
    
           ·   BIND DNS name server daemon
    
           ·   GnuTLS TLS library
    
           ·   OpenJDK runtime environment
    
           ·   Kerberos 5 library
    
           ·   Libreswan IPsec and IKE protocol implementation
    
           ·   NSS TLS library
    
           ·   OpenSSH SSH2 protocol implementation
    
           ·   OpenSSL TLS library
    
           ·   libssh SSH2 protocol implementation
    
           Applications using the above libraries and tools are covered by the
           cryptographic policies unless they are explicitly configured not to be
           so.
    
    PROVIDED POLICY LEVELS
           LEGACY
                This policy ensures maximum compatibility with legacy systems; it
                is less secure and it includes support for the TLS 1.0 and TLS
                1.1 protocols (and later) as well as SSH2. The algorithms DSA,
                3DES, and RC4 are allowed, while RSA and Diffie-Hellman
                parameters are accepted if larger than 1023 bits. The level
                provides at least 64-bit security.
    
               ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
                   etc.)
    
               ·   Curves: all prime >= 255 bits (including Bernstein curves)
    
               ·   Signature algorithms: with SHA1 hash or better (DSA allowed)
    
               ·   TLS Ciphers: all available >= 112-bit key, >= 128-bit block
                   (including RC4 and 3DES)
    
               ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia
    
               ·   Key exchange: ECDHE, RSA, DHE
    
               ·   DH params size: >= 1023
    
               ·   RSA keys size: >= 1023
    
               ·   DSA params size: >= 1023
    
               ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0
    
           DEFAULT
               The DEFAULT policy is a reasonable default policy for today’s
               standards. It allows the TLS 1.2 and TLS 1.3 protocols, as well as
               IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted
                if larger than 2047 bits. The level provides at least 112-bit
                security, with the exception of SHA-1 signatures needed for
                DNSSEC and other still prevalent legacy uses of SHA-1 signatures.
    
               ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
                   etc.)
    
               ·   Curves: all prime >= 255 bits (including Bernstein curves)
    
               ·   Signature algorithms: with SHA-1 hash or better (no DSA)
    
               ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
                   including AES-CBC)
    
               ·   non-TLS Ciphers: as TLS Ciphers with added Camellia
    
               ·   key exchange: ECDHE, RSA, DHE (no DHE-DSS)
    
               ·   DH params size: >= 2048
    
               ·   RSA keys size: >= 2048
    
               ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
    
           FUTURE
               A conservative security level that is believed to withstand any
               near-term future attacks. This level does not allow the use of
                SHA-1 in signature algorithms. The level also provides some (not
                complete) preparation for post-quantum encryption support in the
                form of a 256-bit symmetric encryption requirement. The RSA and
                Diffie-Hellman parameters are accepted if larger than 3071 bits.
               The level provides at least 128-bit security.
    
               ·   MACs: all HMAC with SHA-256 or better + all modern MACs
                   (Poly1305 etc.)
    
               ·   Curves: all prime >= 255 bits (including Bernstein curves)
    
               ·   Signature algorithms: with SHA-256 hash or better (no DSA)
    
               ·   TLS Ciphers: >= 256-bit key, >= 128-bit block, only
                   Authenticated Encryption (AE) ciphers
    
               ·   non-TLS Ciphers: same as TLS ciphers with added non AE ciphers
                   and Camellia
    
               ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
    
               ·   DH params size: >= 3072
    
               ·   RSA keys size: >= 3072
    
               ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
    
           FIPS
               A level that conforms to the FIPS 140-2 requirements. This policy
               is used internally by the fips-mode-setup(8) tool which can switch
               the system into the FIPS 140-2 compliance mode. The level provides
               at least 112-bit security.
    
                ·   MACs: all HMAC with SHA-1 or better
    
               ·   Curves: all prime >= 256 bits
    
               ·   Signature algorithms: with SHA-256 hash or better (no DSA)
    
               ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including
                   AES-CBC)
    
               ·   non-TLS Ciphers: same as TLS Ciphers
    
               ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
    
               ·   DH params size: >= 2048
    
                ·   RSA keys size: >= 2048
    
               ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
    
           EMPTY
               All cryptographic algorithms are disabled (used for debugging only,
               do not use).
    
    COMMANDS
           update-crypto-policies(8)
               This command manages the policies available to the various
               cryptographic back ends and allows the system administrator to
               change the active cryptographic policy level.
    
           fips-mode-setup(8)
                This command allows the system administrator to enable or disable
                the system FIPS mode and also apply the FIPS cryptographic policy
                level, which limits the allowed algorithms and protocols to those
                allowed by the FIPS 140-2 requirements.
    
    NOTES
           Exceptions:
    
           ·   Go-language applications do not yet follow the system-wide policy.
    
           ·   GnuPG-2 application does not follow the system-wide policy.
    
           In general, only data in transit is currently covered by the
           system-wide policy.
    
           If the system administrator changes the system-wide policy level with
           the update-crypto-policies(8) command, it is advisable to restart the
           system, as the individual back-end libraries usually read the
           configuration files only during their initialization. Changes in the
           policy level thus in most cases take effect only when the
           applications using the back-end libraries are restarted.
    
           Removed cipher suites and protocols
    
           The following cipher suites and protocols are completely removed from
           the core cryptographic libraries listed above:
    
           ·   DES
    
           ·   All export grade cipher suites
    
           ·   MD5 in signatures
    
           ·   SSLv2
    
           ·   SSLv3
    
           ·   All ECC curves smaller than 224 bits
    
           ·   All binary field ECC curves
    
           Cipher suites and protocols disabled in all policy levels
    
           The following cipher suites and protocols are available but disabled
           in all crypto policy levels. They can be enabled only by explicit
           configuration of individual applications:
    
           ·   DH with parameters < 1024 bits
    
           ·   RSA with key size < 1024 bits
    
           ·   Camellia
    
           ·   ARIA
    
           ·   SEED
    
           ·   IDEA
    
           ·   Integrity-only cipher suites

           ·   TLS CBC-mode cipher suites using SHA-384 HMAC
    
           ·   AES-CCM8
    
           ·   all ECC curves incompatible with TLS 1.3, including secp256k1
    
           ·   IKEv1
    
    FILES
           /etc/crypto-policies/back-ends
                The individual cryptographic back-end configuration files.
                Usually linked to the configuration shipped in the crypto-policies
                package unless a configuration from local.d is added.
    
           /etc/crypto-policies/config
               The active crypto-policies level set on the system.
    
           /etc/crypto-policies/local.d
                Additional configuration shipped by other packages or created by
                the system administrator. The contents of a
                <back-end>-file.config file are appended to the configuration
                from the policy back end as shipped in the crypto-policies
                package.
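           The COMMANDS and FILES sections above describe the pieces but not how
           to verify, from the files alone, that the level recorded in config is
           the one the back ends actually carry (the restart caveat in NOTES
           applies on top of that). The following is an added example and not
           part of the crypto-policies package: a POSIX sh function that reads
           /etc/crypto-policies/config, checks that every back-ends/*.config
           symlink points into the directory for that level, flags back ends
           that have been turned into regular files, and lists local.d
           fragments. It assumes the Fedora/RHEL layout in which the symlinks
           point into usr/share/crypto-policies/<LEVEL>/; the root argument and
           the local.d file name openssh-local.config are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the crypto-policies package: audit the files
# described in crypto-policies(7) without running update-crypto-policies,
# e.g. on a mounted image or from a configuration-management check.
# Assumes each back-ends/*.config is a symlink into usr/share/crypto-policies/<LEVEL>/
# and that a back end becomes a regular file once a local.d fragment is appended.
# Usage: crypto_policy_audit [ROOT]   (ROOT defaults to /)
# Exit status: 0 when every symlinked back end matches the level in config,
# 1 on a mismatch, 2 when config is missing.
crypto_policy_audit() {
    root="${1:-/}"
    cfg="$root/etc/crypto-policies/config"
    if [ ! -r "$cfg" ]; then
        echo "missing or unreadable: $cfg" >&2
        return 2
    fi
    level=$(sed -e 's/#.*//' "$cfg" | tr -d '[:space:]')
    echo "active level (from $cfg): $level"
    rc=0
    for f in "$root"/etc/crypto-policies/back-ends/*.config; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .config)
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            case "$target" in
                */crypto-policies/"$level"/*) echo "ok       $name -> $target" ;;
                *) echo "MISMATCH $name -> $target (config says $level)"; rc=1 ;;
            esac
        else
            echo "LOCAL    $name is a regular file (local.d fragment applied or edited by hand)"
        fi
    done
    for d in "$root"/etc/crypto-policies/local.d/*.config; do
        if [ -e "$d" ]; then
            echo "local.d  $(basename "$d") is appended to its back-end configuration"
        fi
    done
    return $rc
}

crypto_policy_audit "$@"
```

           A MISMATCH means config was edited without regenerating the back
           ends (or the other way round); on the live system the supported fix
           is update-crypto-policies --set <LEVEL> followed by a restart of the
           affected services, and update-crypto-policies --show reports the
           level the tool believes is active.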
    
    SEE ALSO
           update-crypto-policies(8), fips-mode-setup(8)
    
    AUTHOR
           Written by Tomáš Mráz.
    
    crypto-policies                   08/07/2019                CRYPTO-POLICIES(7)
    