CRYPTO-POLICIES(7)                                          CRYPTO-POLICIES(7)

NAME

       crypto-policies - system-wide crypto policies overview

DESCRIPTION

       The security of cryptographic components of the operating system does
       not remain constant over time. Algorithms, such as cryptographic
       hashing and encryption, typically have a lifetime, after which they are
       considered either too risky to use or plainly insecure. That means we
       need to phase out such algorithms from the default settings or
       completely disable them if they could cause an irreparable problem.

       While in the past the algorithms were not disabled in a consistent way
       and different applications applied different policies, the system-wide
       crypto-policies followed by the crypto core components allow
       consistently deprecating and disabling algorithms system-wide.

       The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are
       included in the crypto-policies(7) package. In the future, there will
       also be a mechanism for easy creation and deployment of policies
       defined by the system administrator or a third-party vendor.

       For rationale, see RFC 7457 for a list of attacks taking advantage of
       legacy crypto algorithms.

COVERED APPLICATIONS

       Crypto-policies apply to the configuration of the core cryptographic
       subsystems, covering TLS, IKE, IPSec, DNSSec, and Kerberos protocols;
       i.e., the supported secure communications protocols on the base
       operating system.

       Once an application runs in the operating system, it follows the
       default or selected policy and refuses to fall back to algorithms and
       protocols not within the policy, unless the user has explicitly
       requested the application to do so. That is, the policy applies to the
       default behavior of applications when running with the system-provided
       configuration, but the user can override it on an application-specific
       basis.

       The policies currently provide settings for these applications and
       libraries:

       ·   BIND DNS name server daemon

       ·   GnuTLS TLS library

       ·   OpenJDK runtime environment

       ·   Kerberos 5 library

       ·   Libreswan IPsec and IKE protocol implementation

       ·   NSS TLS library

       ·   OpenSSH SSH2 protocol implementation

       ·   OpenSSL TLS library

       ·   libssh SSH2 protocol implementation

       Applications using the above libraries and tools are covered by the
       cryptographic policies unless they are explicitly configured not to be
       so.

PROVIDED POLICY LEVELS

       LEGACY
           This policy ensures maximum compatibility with legacy systems; it
           is less secure and it includes support for TLS 1.0, TLS 1.1, and
           SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
           allowed, while RSA and Diffie-Hellman parameters are accepted if
           larger than 1023 bits. The level provides at least 64-bit security.

           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
               etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-1 hash or better (DSA allowed)

           ·   TLS Ciphers: all available >= 112-bit key, >= 128-bit block
               (including RC4 and 3DES)

           ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia

           ·   Key exchange: ECDHE, RSA, DHE

           ·   DH params size: >= 1023

           ·   RSA keys size: >= 1023

           ·   DSA params size: >= 1023

           ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0

       DEFAULT
           The DEFAULT policy is a reasonable default policy for today’s
           standards. It allows the TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3
           protocols, as well as IKEv2 and SSH2. The Diffie-Hellman parameters
           are accepted if they are at least 1023 bits long. The level
           provides at least 80-bit security.

           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
               etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-1 hash or better (no DSA)

           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
               including AES-CBC)

           ·   non-TLS Ciphers: as TLS Ciphers with added Camellia

           ·   key exchange: ECDHE, RSA, DHE (no DHE-DSS)

           ·   DH params size: >= 1023

           ·   RSA keys size: >= 2048

           ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0

       NEXT
           The NEXT policy is a policy prepared for the upcoming release of
           the operating system so it can be easily tested. It allows the TLS
           1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and
           Diffie-Hellman parameters are accepted if larger than 2047 bits.
           The level provides at least 112-bit security with the exception of
           SHA-1 signatures needed for DNSSec and other still prevalent legacy
           use of SHA-1 signatures.

           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
               etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-1 hash or better (no DSA)

           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
               including AES-CBC)

           ·   non-TLS Ciphers: as TLS Ciphers with added Camellia

           ·   key exchange: ECDHE, RSA, DHE (no DHE-DSS)

           ·   DH params size: >= 2048

           ·   RSA keys size: >= 2048

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       FUTURE
           A conservative security level that is believed to withstand any
           near-term future attacks. This level does not allow the use of
           SHA-1 in signature algorithms. The level also provides some (not
           complete) preparation for post-quantum encryption support in the
           form of a 256-bit symmetric encryption requirement. The RSA and
           Diffie-Hellman parameters are accepted if larger than 3071 bits.
           The level provides at least 128-bit security.

           ·   MACs: all HMAC with SHA-256 or better + all modern MACs
               (Poly1305 etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-256 hash or better (no DSA)

           ·   TLS Ciphers: >= 256-bit key, >= 128-bit block, only
               Authenticated Encryption (AE) ciphers

           ·   non-TLS Ciphers: same as TLS ciphers with added non-AE ciphers
               and Camellia

           ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)

           ·   DH params size: >= 3072

           ·   RSA keys size: >= 3072

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       FIPS
           A level that conforms to the FIPS 140-2 requirements. This policy
           is used internally by the fips-mode-setup(8) tool which can switch
           the system into the FIPS 140-2 compliance mode. The level provides
           at least 112-bit security.

           ·   MACs: all HMAC with SHA-1 or better

           ·   Curves: all prime >= 256 bits

           ·   Signature algorithms: with SHA-256 hash or better (no DSA)

           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including
               AES-CBC)

           ·   non-TLS Ciphers: same as TLS Ciphers

           ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)

           ·   DH params size: >= 2048

           ·   RSA params size: >= 2048

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       EMPTY
           All cryptographic algorithms are disabled (used for debugging only,
           do not use).


CRYPTO POLICY DEFINITION FORMAT

       The crypto policy definition files have a simple syntax following the
       INI file key = value syntax, with these particular features:

       ·   Comments are indicated by the # character. Everything on the line
           following the character is ignored.

       ·   A backslash (\) character followed immediately by the end-of-line
           character indicates line continuation. The following line is
           concatenated to the current line after the backslash and
           end-of-line characters are removed.

       ·   Value types can be either decimal integers, arbitrary strings, or
           lists of strings without whitespace characters, separated by any
           number of whitespace characters.

       The allowed keys are:

       ·   mac: List of allowed MAC algorithms

       ·   ssh_group: Optional; list of allowed groups or elliptic curves for
           key exchanges for use with the SSH protocol. If absent, the value
           is derived from group.

       ·   group: List of allowed groups or elliptic curves for key exchanges
           for use with other protocols

       ·   hash: List of allowed cryptographic hash (message digest)
           algorithms

       ·   sign: List of allowed signature algorithms

       ·   tls_cipher: Optional; list of allowed symmetric encryption
           algorithms (including the modes) for use with the TLS protocol. If
           absent, the value is derived from cipher.

       ·   ssh_cipher: Optional; list of allowed symmetric encryption
           algorithms (including the modes) for use with the SSH protocol. If
           absent, the value is derived from cipher.

       ·   cipher: List of allowed symmetric encryption algorithms (including
           the modes) for use with other protocols

       ·   key_exchange: List of allowed key exchange algorithms

       ·   protocol: List of allowed TLS and DTLS protocol versions (ignored
           by the OpenSSL and NSS back ends)

       ·   ike_protocol: List of allowed IKE protocol versions

       ·   min_tls_version: Lowest allowed TLS protocol version (used only by
           the OpenSSL and NSS back ends)

       ·   min_dtls_version: Lowest allowed DTLS protocol version (used only
           by the NSS back end)

       ·   min_dh_size: Integer value of the minimum number of bits of
           parameters for DH key exchange

       ·   min_dsa_size: Integer value of the minimum number of bits for DSA
           keys

       ·   min_rsa_size: Integer value of the minimum number of bits for RSA
           keys

       ·   sha1_in_certs: Value of 1 if SHA-1 is allowed in certificate
           signatures, 0 otherwise (applies to the GnuTLS back end only)

       ·   arbitrary_dh_groups: Value of 1 if arbitrary groups in
           Diffie-Hellman are allowed, 0 otherwise

       ·   ssh_certs: Value of 1 if OpenSSH certificate authentication is
           allowed, 0 otherwise

       ·   ssh_etm: Value of 1 if the OpenSSH EtM (encrypt-then-mac) extension
           is allowed, 0 otherwise

       The full policy definition files have the suffix .pol; the policy
       module definition files have the suffix .pmod. The policy module files
       do not have to have values set for all the keys listed above.

       The lists as set in the base (full policy) are modified by the lists
       specified in the module files in the following way:

       ·   -list-item: The list-item is removed from the list specified in the
           base policy.

       ·   +list-item: The list-item is inserted at the beginning of the list
           specified in the base policy. The inserts are done in the order of
           appearance in the policy module file, so the actual order in the
           final list will be reversed.

       ·   list-item or list-item+: The list-item is appended to the end of
           the list specified in the base policy.

       Non-list key values in the policy module files are simply overridden.

       The keys marked as Optional can be omitted in the policy definition
       files. In that case, the values will be derived from the base keys.
       Note that this value propagation only applies to the policy definition
       files. In the policy module files, each key that needs modification
       must be explicitly specified.

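       The following Python program is an added example, not part of this
       manual page or of the crypto-policies package. It implements the
       definition syntax and the module-merge rules described in this section
       (comments, backslash continuation, integer and list values, derivation
       of the optional ssh_group/tls_cipher/ssh_cipher keys in a full policy,
       and the -item/+item/item+ edits applied by a module). The key names are
       the ones listed above; the policy text, the algorithm names in it, and
       the function names are constructed for illustration. One assumption is
       made where the text leaves the order unspecified: a comment is dropped
       before the continuation check, so a backslash inside a comment never
       continues a line.

```python
"""Parser for the crypto-policies .pol / .pmod syntax (added example, not the
project's own code). Sample inputs below are constructed for illustration."""

from typing import Dict, List, Union

Value = Union[int, List[str]]

# Keys whose value is a decimal integer; every other key holds a list of strings.
INTEGER_KEYS = {"min_dh_size", "min_dsa_size", "min_rsa_size", "sha1_in_certs",
                "arbitrary_dh_groups", "ssh_certs", "ssh_etm"}

# Optional keys and the base key each is derived from when absent (full policies only).
DERIVED_FROM = {"ssh_group": "group", "tls_cipher": "cipher", "ssh_cipher": "cipher"}


def logical_lines(text: str) -> List[str]:
    """Strip '#' comments and join backslash-continued lines.
    Assumption: the comment is removed before the continuation check."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        content = raw.split("#", 1)[0].rstrip()
        if content.endswith("\\"):
            pending += content[:-1]      # drop the backslash and keep joining
            continue
        line = (pending + content).strip()
        pending = ""
        if line:
            out.append(line)
    if pending.strip():                  # file ended inside a continuation
        out.append(pending.strip())
    return out


def parse_policy(text: str) -> Dict[str, Value]:
    """Parse .pol / .pmod text into {key: int} or {key: [item, ...]}."""
    policy: Dict[str, Value] = {}
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected 'key = value', got {line!r}")
        key = key.strip()
        policy[key] = int(value) if key in INTEGER_KEYS else value.split()
    return policy


def resolve_optional(policy: Dict[str, Value]) -> Dict[str, Value]:
    """Fill omitted optional keys of a full policy from their base keys.
    This propagation applies to full policies, never to modules."""
    resolved = dict(policy)
    for derived, base in DERIVED_FROM.items():
        if derived not in resolved and base in resolved:
            resolved[derived] = list(resolved[base])
    return resolved


def apply_module(base: Dict[str, Value], module: Dict[str, Value]) -> Dict[str, Value]:
    """Apply a module to a resolved full policy. Integer keys are overridden.
    List items are applied in order: '-x' removes x, '+x' inserts x at the
    front (so several '+' items end up reversed), 'x' or 'x+' appends x."""
    result: Dict[str, Value] = {k: v if isinstance(v, int) else list(v)
                                for k, v in base.items()}
    for key, value in module.items():
        if isinstance(value, int):
            result[key] = value
            continue
        items = list(result.get(key, []))
        for item in value:
            if item.startswith("-"):
                items = [x for x in items if x != item[1:]]
            elif item.startswith("+"):
                items.insert(0, item[1:])
            else:
                items.append(item[:-1] if item.endswith("+") else item)
        result[key] = items
    return result


# Constructed sample full policy; algorithm names are illustrative only.
SAMPLE_POL = """\
# constructed full policy (.pol)
mac = AEAD HMAC-SHA2-256 HMAC-SHA1
group = X25519 SECP256R1 FFDHE-2048 \\
        FFDHE-3072
cipher = AES-256-GCM AES-128-GCM AES-256-CBC   # tls_cipher/ssh_cipher derive from this
protocol = TLS1.3 TLS1.2 TLS1.1
min_dh_size = 2048
min_rsa_size = 2048
sha1_in_certs = 1
"""

# Constructed sample module: drop the SHA-1 MAC and TLS 1.1, prefer newer groups.
SAMPLE_PMOD = """\
mac = -HMAC-SHA1
protocol = -TLS1.1
group = +SECP384R1 +X448 FFDHE-4096+
sha1_in_certs = 0
min_rsa_size = 3072
"""


def effective_policy(pol_text: str = SAMPLE_POL, pmod_text: str = SAMPLE_PMOD) -> Dict[str, Value]:
    """Parse a full policy, derive its optional keys, then apply a module."""
    return apply_module(resolve_optional(parse_policy(pol_text)), parse_policy(pmod_text))


if __name__ == "__main__":
    for key, value in sorted(effective_policy().items()):
        print(f"{key} = {value if isinstance(value, int) else ' '.join(value)}")
```

       Running it shows the two points practitioners most often trip over:
       the two +items come out as X448 SECP384R1 (reverse order of
       appearance), and ssh_group keeps the base group list because the module
       did not mention it, while group itself changed.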

COMMANDS

       update-crypto-policies(8)
           This command manages the policies available to the various
           cryptographic back ends and allows the system administrator to
           change the active cryptographic policy level.

       fips-mode-setup(8)
           This command allows the system administrator to enable or disable
           the system FIPS mode and also apply the FIPS cryptographic policy
           level, which limits the allowed algorithms and protocols to those
           allowed by the FIPS 140-2 requirements.


NOTES

       Exceptions:

       ·   Go-language applications do not yet follow the system-wide policy.

       ·   The GnuPG-2 application does not follow the system-wide policy.

       In general, only data in transit is currently covered by the
       system-wide policy.

       If the system administrator changes the system-wide policy level with
       the update-crypto-policies(8) command, it is advisable to restart the
       system, as the individual back-end libraries usually read the
       configuration files during their initialization. The changes in the
       policy level thus take place in most cases only when the applications
       using the back-end libraries are restarted.

       Removed cipher suites and protocols

       The following cipher suites and protocols are completely removed from
       the core cryptographic libraries listed above:

       ·   DES

       ·   All export grade cipher suites

       ·   MD5 in signatures

       ·   SSLv2

       ·   SSLv3

       ·   All ECC curves smaller than 224 bits

       ·   All binary field ECC curves

       Cipher suites and protocols disabled in all policy levels

       The following cipher suites and protocols are available but disabled in
       all crypto policy levels. They can be enabled only by explicit
       configuration of individual applications:

       ·   DH with parameters < 1024 bits

       ·   RSA with key size < 1024 bits

       ·   Camellia

       ·   ARIA

       ·   SEED

       ·   IDEA

       ·   Integrity-only cipher suites

       ·   TLS CBC mode cipher suites using SHA-384 HMAC

       ·   AES-CCM8

       ·   All ECC curves incompatible with TLS 1.3, including secp256k1

       ·   IKEv1


FILES

       /etc/crypto-policies/back-ends
           The individual cryptographic back-end configuration files.
           Usually linked to the configuration shipped in the crypto-policies
           package unless a configuration from local.d is added.

       /etc/crypto-policies/config
           The active crypto-policies level set on the system.

       /etc/crypto-policies/local.d
           Additional configuration shipped by other packages or created by
           the system administrator. The contents of the
           <back-end>-file.config is appended to the configuration from the
           policy back end as shipped in the crypto-policies package.


SEE ALSO

       update-crypto-policies(8), fips-mode-setup(8)


AUTHOR

       Written by Tomáš Mráz.



crypto-policies                   12/16/2019                CRYPTO-POLICIES(7)