CRYPTO-POLICIES(7)                                          CRYPTO-POLICIES(7)

NAME
       crypto-policies - system-wide crypto policies overview

DESCRIPTION
       The security of cryptographic components of the operating system does
       not remain constant over time. Algorithms, such as cryptographic
       hashing and encryption, typically have a lifetime, after which they are
       considered either too risky to use or plain insecure. That means we
       need to phase out such algorithms from the default settings or disable
       them completely if they could cause an irreparable problem.

       While in the past the algorithms were not disabled in a consistent way
       and different applications applied different policies, the system-wide
       crypto-policies followed by the crypto core components allow
       consistently deprecating and disabling algorithms system-wide.

       The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are
       included in the crypto-policies(7) package. In the future, there will
       also be a mechanism for easy creation and deployment of policies
       defined by the system administrator or a third-party vendor.

       For the rationale, see RFC 7457, which lists attacks taking advantage
       of legacy crypto algorithms.

COVERED APPLICATIONS
       Crypto-policies apply to the configuration of the core cryptographic
       subsystems, covering the TLS, IKE, IPsec, DNSSEC, and Kerberos
       protocols; i.e., the supported secure communications protocols on the
       base operating system.

       Once an application runs in the operating system, it follows the
       default or selected policy and refuses to fall back to algorithms and
       protocols not within the policy, unless the user has explicitly
       requested the application to do so. That is, the policy applies to the
       default behavior of applications when running with the system-provided
       configuration, but the user can override it on an application-specific
       basis.

       The policies currently provide settings for these applications and
       libraries:

       ·   BIND DNS name server daemon

       ·   GnuTLS TLS library

       ·   OpenJDK runtime environment

       ·   Kerberos 5 library

       ·   Libreswan IPsec and IKE protocol implementation

       ·   NSS TLS library

       ·   OpenSSH SSH2 protocol implementation

       ·   OpenSSL TLS library

       Applications using the above libraries and tools are covered by the
       cryptographic policies unless they are explicitly configured otherwise.

POLICY LEVELS
       LEGACY
           This policy ensures maximum compatibility with legacy systems; it
           is less secure and includes support for the TLS 1.0, TLS 1.1 and
           SSH2 protocols and their later versions. The algorithms DSA, 3DES,
           and RC4 are allowed, while RSA and Diffie-Hellman parameters are
           accepted if larger than 1023 bits. The level provides at least
           64-bit security.

           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
               etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-1 hash or better (DSA allowed)

           ·   TLS Ciphers: all available >= 112-bit key, >= 128-bit block
               (including RC4 and 3DES)

           ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia

           ·   Key exchange: ECDHE, RSA, DHE

           ·   DH params size: >= 1023

           ·   RSA keys size: >= 1023

           ·   DSA params size: >= 1023

           ·   TLS protocols: TLS >= 1.0, DTLS >= 1.0

       DEFAULT
           The DEFAULT policy is a reasonable default policy for today’s
           standards, compatible with PCI-DSS requirements. It allows the TLS
           1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and
           Diffie-Hellman parameters are accepted if larger than 2047 bits.
           The level provides at least 112-bit security, with the exception of
           SHA-1 signatures needed for DNSSEC and other still prevalent legacy
           uses of SHA-1 signatures.

           ·   MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
               etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-1 hash or better (no DSA)

           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
               including AES-CBC)

           ·   Non-TLS Ciphers: same as TLS ciphers with added Camellia

           ·   Key exchange: ECDHE, RSA, DHE (no DHE-DSS)

           ·   DH params size: >= 2048

           ·   RSA keys size: >= 2048

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       FUTURE
           A conservative security level that is believed to withstand any
           near-term future attacks. This level does not allow the use of
           SHA-1 in signature algorithms. The level also provides some (not
           complete) preparation for post-quantum encryption support in the
           form of a 256-bit symmetric encryption requirement. The RSA and
           Diffie-Hellman parameters are accepted if larger than 3071 bits.
           The level provides at least 128-bit security.

           ·   MACs: all HMAC with SHA-256 or better + all modern MACs
               (Poly1305 etc.)

           ·   Curves: all prime >= 255 bits (including Bernstein curves)

           ·   Signature algorithms: with SHA-256 hash or better (no DSA)

           ·   TLS Ciphers: >= 256-bit key, >= 128-bit block, only
               Authenticated Encryption (AE) ciphers

           ·   Non-TLS Ciphers: same as TLS ciphers with added non-AE ciphers
               and Camellia

           ·   Key exchange: ECDHE, DHE (no DHE-DSS, no RSA)

           ·   DH params size: >= 3072

           ·   RSA keys size: >= 3072

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       FIPS
           A level that conforms to the FIPS 140-2 requirements. This policy
           is used internally by the fips-mode-setup(8) tool, which can switch
           the system into the FIPS 140-2 compliance mode. The level provides
           at least 112-bit security.

           ·   MACs: all HMAC with SHA-1 or better

           ·   Curves: all prime >= 256 bits

           ·   Signature algorithms: with SHA-256 hash or better (no DSA)

           ·   TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including
               AES-CBC)

           ·   Non-TLS Ciphers: same as TLS ciphers

           ·   Key exchange: ECDHE, DHE (no DHE-DSS, no RSA)

           ·   DH params size: >= 2048

           ·   RSA keys size: >= 2048

           ·   TLS protocols: TLS >= 1.2, DTLS >= 1.2

       EMPTY
           All cryptographic algorithms are disabled (used for debugging only,
           do not use).
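       The bullet lists above reduce to a handful of numeric floors per level,
       which makes it easy to predict whether a given server or client
       configuration will still be accepted after a level change. The Python
       program below is added here as an illustration; it is not code from the
       crypto-policies package. It transcribes the thresholds from the LEGACY,
       DEFAULT, FUTURE and FIPS descriptions and reports which levels would
       accept a set of TLS parameters. The Level record, the check() function,
       the parameter-dictionary layout and the sample endpoints are this
       example's own assumptions.

```python
"""Check proposed TLS parameters against the crypto-policies levels.

Added example (not code from the crypto-policies package): the numeric
thresholds are transcribed from the LEGACY, DEFAULT, FUTURE and FIPS
descriptions in crypto-policies(7); the Level record, check() and the
parameter-dict format are this example's own assumptions.
"""
from dataclasses import dataclass

# Digest strength in bits, used to compare "SHA-1 or better" style rules.
HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


@dataclass(frozen=True)
class Level:
    name: str
    min_tls: tuple            # lowest accepted (major, minor) TLS version
    min_rsa_dh_bits: int      # RSA key size and DH parameter size floor
    min_curve_bits: int       # prime-field ECC curve size floor
    min_sig_hash_bits: int    # signature digest floor (SHA-1 = 160)
    min_cipher_key_bits: int  # symmetric key length floor for TLS ciphers
    kex: frozenset            # permitted key exchange methods
    allow_dsa: bool           # DSA signatures permitted?
    ae_only: bool             # only authenticated-encryption ciphers?


# One record per policy level, taken from the man page's bullet lists.
LEVELS = {
    "LEGACY":  Level("LEGACY",  (1, 0), 1023, 255, 160, 112,
                     frozenset({"ECDHE", "RSA", "DHE"}), True, False),
    "DEFAULT": Level("DEFAULT", (1, 2), 2048, 255, 160, 128,
                     frozenset({"ECDHE", "RSA", "DHE"}), False, False),
    "FUTURE":  Level("FUTURE",  (1, 2), 3072, 255, 256, 256,
                     frozenset({"ECDHE", "DHE"}), False, True),
    "FIPS":    Level("FIPS",    (1, 2), 2048, 256, 256, 128,
                     frozenset({"ECDHE", "DHE"}), False, False),
}


def _ver(v):
    return ".".join(map(str, v))


def check(params, level_name):
    """Return the list of rules of `level_name` that `params` violates.

    `params` is a dict (format assumed by this example) with the keys
    tls, rsa_bits, dh_bits, curve_bits, sig_alg, sig_hash,
    cipher_key_bits, cipher_ae and kex.  An empty list means compliant.
    """
    lv = LEVELS[level_name]
    v = []
    if params["tls"] < lv.min_tls:
        v.append(f"TLS {_ver(params['tls'])} below minimum {_ver(lv.min_tls)}")
    if params["rsa_bits"] < lv.min_rsa_dh_bits:
        v.append(f"RSA key {params['rsa_bits']} < {lv.min_rsa_dh_bits} bits")
    # DH parameters and curves only matter for the key exchange that uses them.
    if params["kex"] == "DHE" and params["dh_bits"] < lv.min_rsa_dh_bits:
        v.append(f"DH params {params['dh_bits']} < {lv.min_rsa_dh_bits} bits")
    if params["kex"] == "ECDHE" and params["curve_bits"] < lv.min_curve_bits:
        v.append(f"curve {params['curve_bits']} < {lv.min_curve_bits} bits")
    if params["kex"] not in lv.kex:
        v.append(f"key exchange {params['kex']} not permitted")
    if params["sig_alg"] == "DSA" and not lv.allow_dsa:
        v.append("DSA signatures not permitted")
    if HASH_BITS[params["sig_hash"]] < lv.min_sig_hash_bits:
        v.append(f"signature hash {params['sig_hash']} too weak")
    if params["cipher_key_bits"] < lv.min_cipher_key_bits:
        v.append(f"cipher key {params['cipher_key_bits']} < "
                 f"{lv.min_cipher_key_bits} bits")
    if lv.ae_only and not params["cipher_ae"]:
        v.append("non-AE cipher not permitted")
    return v


def compliant_levels(params):
    """Names of the policy levels under which `params` would be accepted."""
    return [name for name in LEVELS if not check(params, name)]


# Constructed sample endpoints (not real hosts).
LEGACY_ENDPOINT = dict(tls=(1, 0), rsa_bits=1024, dh_bits=1024, curve_bits=256,
                       sig_alg="RSA", sig_hash="sha1", cipher_key_bits=112,
                       cipher_ae=False, kex="RSA")       # 3DES, RSA key exchange
DEFAULT_ENDPOINT = dict(tls=(1, 2), rsa_bits=2048, dh_bits=2048, curve_bits=256,
                        sig_alg="RSA", sig_hash="sha256", cipher_key_bits=128,
                        cipher_ae=True, kex="ECDHE")     # AES-128-GCM, P-256
MODERN_ENDPOINT = dict(tls=(1, 3), rsa_bits=4096, dh_bits=4096, curve_bits=384,
                       sig_alg="RSA", sig_hash="sha384", cipher_key_bits=256,
                       cipher_ae=True, kex="ECDHE")      # AES-256-GCM, P-384

if __name__ == "__main__":
    for label, ep in [("legacy", LEGACY_ENDPOINT), ("default", DEFAULT_ENDPOINT),
                      ("modern", MODERN_ENDPOINT)]:
        print(f"{label:8s} accepted by: {', '.join(compliant_levels(ep)) or 'none'}")
        for name in LEVELS:
            for reason in check(ep, name):
                print(f"    {name}: {reason}")
```

       One detail the program makes visible: FIPS sets the curve floor at 256
       bits while the other levels stop at 255, so a 255-bit Bernstein curve
       that DEFAULT accepts is rejected under FIPS. Only signature hashes are
       compared against the "SHA-1 or better" rules here; HMAC selection for
       record protection is left to the library.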

COMMANDS
       update-crypto-policies(8)
           This command manages the policies available to the various
           cryptographic back ends and allows the system administrator to
           change the active cryptographic policy level.

       fips-mode-setup(8)
           This command allows the system administrator to enable or disable
           the system FIPS mode and also apply the FIPS cryptographic policy
           level, which limits the allowed algorithms and protocols to those
           permitted by the FIPS 140-2 requirements.

NOTES
       Exceptions:

       ·   Go-language applications do not yet follow the system-wide policy.

       ·   Libssh applications do not yet follow the system-wide policy.

       ·   The GnuPG-2 application does not follow the system-wide policy.

       In general, only data in transit is currently covered by the
       system-wide policy.

       If the system administrator changes the system-wide policy level with
       the update-crypto-policies(8) command, it is advisable to restart the
       system, as the individual back-end libraries usually read the
       configuration files during their initialization. Changes in the policy
       level thus take effect in most cases only when the applications using
       the back-end libraries are restarted.

       Removed cipher suites and protocols

       The following cipher suites and protocols are completely removed from
       the core cryptographic libraries listed above:

       ·   DES

       ·   All export grade cipher suites

       ·   MD5 in signatures

       ·   SSLv2

       ·   SSLv3

       ·   All ECC curves smaller than 224 bits

       ·   All binary field ECC curves

       Cipher suites and protocols disabled in all policy levels

       The following cipher suites and protocols are available but disabled in
       all crypto policy levels. They can be enabled only by explicit
       configuration of individual applications:

       ·   DH with parameters < 1024 bits

       ·   RSA with key size < 1024 bits

       ·   Camellia

       ·   ARIA

       ·   SEED

       ·   IDEA

       ·   Integrity-only cipher suites

       ·   TLS CBC mode cipher suites using SHA-384 HMAC

       ·   AES-CCM8

       ·   All ECC curves incompatible with TLS 1.3, including secp256k1

       ·   IKEv1
FILES
       /etc/crypto-policies/back-ends
           The individual cryptographic back-end configuration files. Usually
           linked to the configuration shipped in the crypto-policies package
           unless a configuration from local.d is added.

       /etc/crypto-policies/config
           The active crypto-policies level set on the system.

       /etc/crypto-policies/local.d
           Additional configuration shipped by other packages or created by
           the system administrator. The contents of <back-end>-file.config
           are appended to the configuration from the policy back end as
           shipped in the crypto-policies package.

SEE ALSO
       update-crypto-policies(8), fips-mode-setup(8)

AUTHOR
       Written by Tomáš Mráz.

crypto-policies                   02/08/2019                CRYPTO-POLICIES(7)