1CRYPTO-POLICIES(7)                                          CRYPTO-POLICIES(7)
2
3
4

NAME

6       crypto-policies - system-wide crypto policies overview
7

DESCRIPTION

9       The security of cryptographic components of the operating system does
10       not remain constant over time. Algorithms, such as cryptographic
11       hashing and encryption, typically have a lifetime, after which they are
12       considered either too risky to use or plain insecure. That means, we
13       need to phase out such algorithms from the default settings or
14       completely disable them if they could cause an irreparable problem.
15
16       While in the past the algorithms were not disabled in a consistent way
17       and different applications applied different policies, the system-wide
18       crypto-policies followed by the crypto core components allow
19       consistently deprecating and disabling algorithms system-wide.
20
21       The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are
22       included in the crypto-policies(7) package. In the future, there will
23       be also a mechanism for easy creation and deployment of policies
24       defined by the system administrator or a third party vendor.
25
26       For rationale, see RFC 7457 for a list of attacks taking advantage of
27       legacy crypto algorithms.
28

COVERED APPLICATIONS

30       Crypto-policies apply to the configuration of the core cryptographic
31       subsystems, covering TLS, IKE, IPSec, DNSSec, and Kerberos protocols;
32       i.e., the supported secure communications protocols on the base
33       operating system.
34
35       Once an application runs in the operating system, it follows the
36       default or selected policy and refuses to fall back to algorithms and
37       protocols not within the policy, unless the user has explicitly
38       requested the application to do so. That is, the policy applies to the
39       default behavior of applications when running with the system-provided
40       configuration but the user can override it on an application-specific
41       basis.
42
43       The policies currently provide settings for these applications and
44       libraries:
45
46       ·   BIND DNS name server daemon
47
48       ·   GnuTLS TLS library
49
50       ·   OpenJDK runtime environment
51
52       ·   Kerberos 5 library
53
54       ·   Libreswan IPsec and IKE protocol implementation
55
56       ·   NSS TLS library
57
58       ·   OpenSSH SSH2 protocol implementation
59
60       ·   OpenSSL TLS library
61
62       ·   libssh SSH2 protocol implementation
63
64       Applications using the above libraries and tools are covered by the
65       cryptographic policies unless they are explicitly configured not to be
66       so.
67

PROVIDED POLICY LEVELS

69       LEGACY
70           This policy ensures maximum compatibility with legacy systems; it
71           is less secure and it includes support for TLS 1.0, TLS 1.1, and
72           SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
73           allowed, while RSA and Diffie-Hellman parameters are accepted if
74           larger than 1023 bits. The level provides at least 64-bit security.
75
76           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
77               etc.)
78
79           ·   Curves: all prime >= 255 bits (including Bernstein curves)
80
81           ·   Signature algorithms: with SHA1 hash or better (DSA allowed)
82
83           ·   TLS Ciphers: all available >= 112-bit key, >= 128-bit block
84               (including RC4 and 3DES)
85
86           ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia
87
88           ·   Key exchange: ECDHE, RSA, DHE
89
90           ·   DH params size: >= 1023
91
92           ·   RSA keys size: >= 1023
93
94           ·   DSA params size: >= 1023
95
96           ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0
97
98       DEFAULT
99           The DEFAULT policy is a reasonable default policy for today’s
100           standards. It allows the TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3
101           protocols, as well as IKEv2 and SSH2. The Diffie-Hellman parameters
102           are accepted if they are at least 1023 bits long. The level
103           provides at least 80-bit security.
104
105           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
106               etc.)
107
108           ·   Curves: all prime >= 255 bits (including Bernstein curves)
109
110           ·   Signature algorithms: with SHA-1 hash or better (no DSA)
111
112           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
113               including AES-CBC)
114
115           ·   non-TLS Ciphers: as TLS Ciphers with added Camellia
116
117           ·   key exchange: ECDHE, RSA, DHE (no DHE-DSS)
118
119           ·   DH params size: >= 1023
120
121           ·   RSA keys size: >= 2048
122
123           ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0
124
125       NEXT
126           The NEXT policy is a policy prepared for the upcoming release of
127           the operating system so it can be easily tested. It allows the TLS
128           1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and
129           Diffie-Hellman parameters are accepted if larger than 2047 bits.
130           The level provides at least 112-bit security with the exception of
131           SHA-1 signatures needed for DNSSec and other still prevalent legacy
132           use of SHA-1 signatures.
133
134           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
135               etc.)
136
137           ·   Curves: all prime >= 255 bits (including Bernstein curves)
138
139           ·   Signature algorithms: with SHA-1 hash or better (no DSA)
140
141           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
142               including AES-CBC)
143
144           ·   non-TLS Ciphers: as TLS Ciphers with added Camellia
145
146           ·   key exchange: ECDHE, RSA, DHE (no DHE-DSS)
147
148           ·   DH params size: >= 2048
149
150           ·   RSA keys size: >= 2048
151
152           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
153
154       FUTURE
155           A conservative security level that is believed to withstand any
156           near-term future attacks. This level does not allow the use of
157           SHA-1 in signature algorithms. The level also provides some (not
158           complete) preparation for post-quantum encryption support in form
159           of 256-bit symmetric encryption requirement. The RSA and
160           Diffie-Hellman parameters are accepted if larger than 3071 bits.
161           The level provides at least 128-bit security.
162
163           ·   MACs: all HMAC with SHA-256 or better + all modern MACs
164               (Poly1305 etc.)
165
166           ·   Curves: all prime >= 255 bits (including Bernstein curves)
167
168           ·   Signature algorithms: with SHA-256 hash or better (no DSA)
169
170           ·   TLS Ciphers: >= 256-bit key, >= 128-bit block, only
171               Authenticated Encryption (AE) ciphers
172
173           ·   non-TLS Ciphers: same as TLS ciphers with added non AE ciphers
174               and Camellia
175
176           ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
177
178           ·   DH params size: >= 3072
179
180           ·   RSA keys size: >= 3072
181
182           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
183
184       FIPS
185           A level that conforms to the FIPS 140-2 requirements. This policy
186           is used internally by the fips-mode-setup(8) tool which can switch
187           the system into the FIPS 140-2 compliance mode. The level provides
188           at least 112-bit security.
189
190           ·   MACs: all HMAC with SHA1 or better
191
192           ·   Curves: all prime >= 256 bits
193
194           ·   Signature algorithms: with SHA-256 hash or better (no DSA)
195
196           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including
197               AES-CBC)
198
199           ·   non-TLS Ciphers: same as TLS Ciphers
200
201           ·   key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
202
203           ·   DH params size: >= 2048
204
205           ·   RSA params size: >= 2048
206
207           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2
208
209       EMPTY
210           All cryptographic algorithms are disabled (used for debugging only,
211           do not use).
212

CRYPTO POLICY DEFINITON FORMAT

214       The crypto policy definiton files have a simple syntax following an INI
215       file key = value syntax with these particular features:
216
217       ·   Comments are indicated by # character. Everything on the line
218           following the character is ignored.
219
220       ·   Backslash \ character followed immediately with the end-of-line
221           character indicates line continuation. The following line is
222           concatenated to the current line after the backslash and
223           end-of-line characters are removed.
224
225       ·   Value types can be either decimal integers, arbitrary strings, or
226           lists of strings without whitespace characters separated by any
227           number of whitespaces.
228
229       The allowed keys are:
230
231       ·   mac: List of allowed MAC algorithms
232
233       ·   ssh_group: Optional; list of allowed groups or elliptic curves for
234           key exchanges for use with the SSH protocol. If absent, the value
235           is derived from group.
236
237       ·   group: List of allowed groups or elliptic curves for key exchanges
238           for use with other protocols
239
240       ·   hash: List of allowed cryptographic hash (message digest)
241           algorithms
242
243       ·   sign: List of allowed signature algorithms
244
245       ·   tls_cipher: Optional; list of allowed symmetric encryption
246           algorithms (including the modes) for use with the TLS protocol. If
247           absent, the value is derived from cipher.
248
249       ·   ssh_cipher: Optional; list of allowed symmetric encryption
250           algorithms (including the modes) for use with the SSH protocol. If
251           absent, the value is derived from cipher.
252
253       ·   cipher: List of allowed symmetric encryption algorithms (including
254           the modes) for use with other protocols
255
256       ·   key_exchange: List of allowed key exchange algorithms
257
258       ·   protocol: List of allowed TLS and DTLS protocol versions (ignored
259           by OpenSSL and NSS back ends)
260
261       ·   ike_protocol: List of allowed IKE protocol versions
262
263       ·   min_tls_version: Lowest allowed TLS protocol version (used only by
264           OpenSSL a and NSS back ends)
265
266       ·   min_dtls_version: Lowest allowed DTLS protocol version (used only
267           by NSS back end)
268
269       ·   min_dh_size: Integer value of minimum number of bits of parameters
270           for DH key exchange
271
272       ·   min_dsa_size: Integer value of minimum number of bits for DSA keys
273
274       ·   min_rsa_size: Integer value of minimum number of bits for RSA keys
275
276       ·   sha1_in_certs: Value of 1 if SHA1 allowed in certificate
277           signatures, 0 otherwise (Applies to GnuTLS back end only.)
278
279       ·   arbitrary_dh_groups: Value of 1 if arbitrary group in
280           Diffie-Hellman is allowed, 0 otherwise
281
282       ·   ssh_certs: Value of 1 if OpenSSH certificate authentication is
283           allowed, 0 otherwise
284
285       ·   ssh_etm: Value of 1 if OpenSSH EtM (encrypt-then-mac) extension is
286           allowed, 0 otherwise
287
288       The full policy definition files have suffix .pol, the policy module
289       definition files have suffix .pmod. The policy module files do not have
290       to have values set for all the keys listed above.
291
292       The lists as set in the base (full policy) are modified by the lists
293       specified in the module files in following way:
294
295       ·   -list-item: The list-item is removed from the list specified in the
296           base policy.
297
298       ·   +list-item: The list-item is inserted at the beginning of the list
299           specified in the base policy. The inserts are done in the order of
300           appearance in the policy module file so the actual order in the
301           final list will be reversed.
302
303       ·   list-item or list-item+: The list-item is appended to the end of
304           the list specified in the base policy.
305
306       Non-list key values in the policy module files are simply overriden.
307
308       The keys marked as Optional can be omitted in the policy definition
309       files. In that case, the values will be derived from the base keys.
310       Note that, this value propagation only applies to the policy definition
311       files. In the policy module files, each key that needs modification
312       must be explicitly specified.
313

COMMANDS

315       update-crypto-policies(8)
316           This command manages the policies available to the various
317           cryptographic back ends and allows the system administrator to
318           change the active cryptographic policy level.
319
320       fips-mode-setup(8)
321           This command allows the system administrator to enable, or disable
322           the system FIPS mode and also apply the FIPS cryptographic policy
323           level which limits the allowed algorithms and protocols to these
324           allowed by the FIPS 140-2 requirements.
325

NOTES

327       Exceptions:
328
329       ·   Go-language applications do not yet follow the system-wide policy.
330
331       ·   GnuPG-2 application does not follow the system-wide policy.
332
333       In general only the data-in-transit is currently covered by the
334       system-wide policy.
335
336       If the system administrator changes the system-wide policy level with
337       the update-crypto-policies(8) command it is advisable to restart the
338       system as the individual back-end libraries read the configuration
339       files usually during their initialization. The changes in the policy
340       level thus take place in most cases only when the applications using
341       the back-end libraries are restarted.
342
343       Removed cipher suites and protocols
344
345       The following cipher suites and protocols are completely removed from
346       the core cryptographic libraries listed above:
347
348       ·   DES
349
350       ·   All export grade cipher suites
351
352       ·   MD5 in signatures
353
354       ·   SSLv2
355
356       ·   SSLv3
357
358       ·   All ECC curves smaller than 224 bits
359
360       ·   All binary field ECC curves
361
362       Cipher suites and protocols disabled in all policy levels
363
364       The following ciphersuites and protocols are available but disabled in
365       all crypto policy levels. They can be enabled only by explicit
366       configuration of individual applications:
367
368       ·   DH with parameters < 1024 bits
369
370       ·   RSA with key size < 1024 bits
371
372       ·   Camellia
373
374       ·   ARIA
375
376       ·   SEED
377
378       ·   IDEA
379
380       ·   Integrity only ciphersuites
381
382       ·   TLS CBC mode ciphersuites using SHA-384 HMAC
383
384       ·   AES-CCM8
385
386       ·   all ECC curves incompatible with TLS 1.3, including secp256k1
387
388       ·   IKEv1
389

FILES

391       /etc/crypto-policies/back-ends
392           The individual cryptographical back-end configuration files.
393           Usually linked to the configuration shipped in the crypto-policies
394           package unless a configuration from local.d is added.
395
396       /etc/crypto-policies/config
397           The active crypto-policies level set on the system.
398
399       /etc/crypto-policies/local.d
400           Additional configuration shipped by other packages or created by
401           the system administrator. The contents of the
402           <back-end>-file.config is appended to the configuration from the
403           policy back end as shipped in the crypto-policies package.
404

SEE ALSO

406       update-crypto-policies(8), fips-mode-setup(8)
407

AUTHOR

409       Written by Tomáš Mráz.
410
411
412
413crypto-policies                   01/28/2020                CRYPTO-POLICIES(7)
Impressum