1CRYPTO-POLICIES(7) CRYPTO-POLICIES(7)
2
6 crypto-policies - system-wide crypto policies overview
7
9 The security of cryptographic components of the operating system does
10 not remain constant over time. Algorithms, such as cryptographic
11 hashing and encryption, typically have a lifetime, after which they are
12 considered either too risky to use or plain insecure. That means, we
13 need to phase out such algorithms from the default settings or
14 completely disable them if they could cause an irreparable problem.
15 While in the past the algorithms were not disabled in a consistent way
17 and different applications applied different policies, the system-wide
18 crypto-policies followed by the crypto core components allow
19 consistently deprecating and disabling algorithms system-wide.
20 The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are
22 included in the crypto-policies(7) package. In the future, there will
23 be also a mechanism for easy creation and deployment of policies
24 defined by the system administrator or a third party vendor.
25 For rationale, see RFC 7457 for a list of attacks taking advantage of
27 legacy crypto algorithms.
28
30 Crypto-policies apply to the configuration of the core cryptographic
31 subsystems, covering TLS, IKE, IPSec, DNSSec, and Kerberos protocols;
32 i.e., the supported secure communications protocols on the base
33 operating system.
34 Once an application runs in the operating system, it follows the
36 default or selected policy and refuses to fall back to algorithms and
37 protocols not within the policy, unless the user has explicitly
38 requested the application to do so. That is, the policy applies to the
39 default behavior of applications when running with the system-provided
40 configuration but the user can override it on an application-specific
41 basis.
42 The policies currently provide settings for these applications and
44 libraries:
45 · BIND DNS name server daemon
47 · GnuTLS TLS library
49 · OpenJDK runtime environment
51 · Kerberos 5 library
53 · Libreswan IPsec and IKE protocol implementation
55 · NSS TLS library
57 · OpenSSH SSH2 protocol implementation
59 · OpenSSL TLS library
61 Applications using the above libraries and tools are covered by the
63 cryptographic policies unless they are explicitly configured not to be
64 so.
65
67 LEGACY
68 This policy ensures maximum compatibility with legacy systems; it
69 is less secure and it includes support for TLS 1.0, TLS 1.1, and
70 SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are
71 allowed, while RSA and Diffie-Hellman parameters are accepted if
72 larger than 1023 bits. The level provides at least 64-bit security.
73 · MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
75 etc.)
76 · Curves: all prime >= 255 bits (including Bernstein curves)
78 · Signature algorithms: with SHA1 hash or better (DSA allowed)
80 · TLS Ciphers: all available >= 112-bit key, >= 128-bit block
82 (including RC4 and 3DES)
83 · Non-TLS Ciphers: same as TLS ciphers with added Camellia
85 · Key exchange: ECDHE, RSA, DHE
87 · DH params size: >= 1023
89 · RSA keys size: >= 1023
91 · DSA params size: >= 1023
93 · TLS protocols: TLS >= 1.0, DTLS >= 1.0
95 DEFAULT
97 The DEFAULT policy is a reasonable default policy for today’s
98 standards. It allows the TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3
99 protocols, as well as IKEv2 and SSH2. The Diffie-Hellman parameters
100 are accepted if they are at least 1023 bits long. The level
101 provides at least 80-bit security.
102 · MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
104 etc.)
105 · Curves: all prime >= 255 bits (including Bernstein curves)
107 · Signature algorithms: with SHA-1 hash or better (no DSA)
109 · TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
111 including AES-CBC)
112 · non-TLS Ciphers: as TLS Ciphers with added Camellia
114 · key exchange: ECDHE, RSA, DHE (no DHE-DSS)
116 · DH params size: >= 1023
118 · RSA keys size: >= 2048
120 · TLS protocols: TLS >= 1.0, DTLS >= 1.0
122 NEXT
124 The NEXT policy is a policy prepared for the upcoming release of
125 the operating system so it can be easily tested. It allows the TLS
126 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and
127 Diffie-Hellman parameters are accepted if larger than 2047 bits.
128 The level provides at least 112-bit security with the exception of
129 SHA-1 signatures needed for DNSSec and other still prevalent legacy
130 use of SHA-1 signatures.
131 · MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305
133 etc.)
134 · Curves: all prime >= 255 bits (including Bernstein curves)
136 · Signature algorithms: with SHA-1 hash or better (no DSA)
138 · TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20,
140 including AES-CBC)
141 · non-TLS Ciphers: as TLS Ciphers with added Camellia
143 · key exchange: ECDHE, RSA, DHE (no DHE-DSS)
145 · DH params size: >= 2048
147 · RSA keys size: >= 2048
149 · TLS protocols: TLS >= 1.2, DTLS >= 1.2
151 FUTURE
153 A conservative security level that is believed to withstand any
154 near-term future attacks. This level does not allow the use of
155 SHA-1 in signature algorithms. The level also provides some (not
156 complete) preparation for post-quantum encryption support in form
157 of 256-bit symmetric encryption requirement. The RSA and
158 Diffie-Hellman parameters are accepted if larger than 3071 bits.
159 The level provides at least 128-bit security.
160 · MACs: all HMAC with SHA-256 or better + all modern MACs
162 (Poly1305 etc.)
163 · Curves: all prime >= 255 bits (including Bernstein curves)
165 · Signature algorithms: with SHA-256 hash or better (no DSA)
167 · TLS Ciphers: >= 256-bit key, >= 128-bit block, only
169 Authenticated Encryption (AE) ciphers
170 · non-TLS Ciphers: same as TLS ciphers with added non AE ciphers
172 and Camellia
173 · key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
175 · DH params size: >= 3072
177 · RSA keys size: >= 3072
179 · TLS protocols: TLS >= 1.2, DTLS >= 1.2
181 FIPS
183 A level that conforms to the FIPS 140-2 requirements. This policy
184 is used internally by the fips-mode-setup(8) tool which can switch
185 the system into the FIPS 140-2 compliance mode. The level provides
186 at least 112-bit security.
187 · MACs: all HMAC with SHA1 or better
189 · Curves: all prime >= 256 bits
191 · Signature algorithms: with SHA-256 hash or better (no DSA)
193 · TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including
195 AES-CBC)
196 · non-TLS Ciphers: same as TLS Ciphers
198 · key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
200 · DH params size: >= 2048
202 · RSA params size: >= 2048
204 · TLS protocols: TLS >= 1.2, DTLS >= 1.2
206 EMPTY
208 All cryptographic algorithms are disabled (used for debugging only,
209 do not use).
210
212 update-crypto-policies(8)
213 This command manages the policies available to the various
214 cryptographic back ends and allows the system administrator to
215 change the active cryptographic policy level.
216 fips-mode-setup(8)
218 This command allows the system administrator to enable, or disable
219 the system FIPS mode and also apply the FIPS cryptographic policy
220 level which limits the allowed algorithms and protocols to these
221 allowed by the FIPS 140-2 requirements.
222
224 Exceptions:
225 · Go-language applications do not yet follow the system-wide policy.
227 · Libssh applications do not yet follow the system-wide policy.
229 · GnuPG-2 application does not follow the system-wide policy.
231 In general only the data-in-transit is currently covered by the
233 system-wide policy.
234 If the system administrator changes the system-wide policy level with
236 the update-crypto-policies(8) command it is advisable to restart the
237 system as the individual back-end libraries read the configuration
238 files usually during their initialization. The changes in the policy
239 level thus take place in most cases only when the applications using
240 the back-end libraries are restarted.
241 Removed cipher suites and protocols
243 The following cipher suites and protocols are completely removed from
245 the core cryptographic libraries listed above:
246 · DES
248 · All export grade cipher suites
250 · MD5 in signatures
252 · SSLv2
254 · SSLv3
256 · All ECC curves smaller than 224 bits
258 · All binary field ECC curves
260 Cipher suites and protocols disabled in all policy levels
262 The following ciphersuites and protocols are available but disabled in
264 all crypto policy levels. They can be enabled only by explicit
265 configuration of individual applications:
266 · DH with parameters < 1024 bits
268 · RSA with key size < 1024 bits
270 · Camellia
272 · ARIA
274 · SEED
276 · IDEA
278 · Integrity only ciphersuites
280 · TLS CBC mode ciphersuites using SHA-384 HMAC
282 · AES-CCM8
284 · all ECC curves incompatible with TLS 1.3, including secp256k1
286 · IKEv1
288
290 /etc/crypto-policies/back-ends
291 The individual cryptographical back-end configuration files.
292 Usually linked to the configuration shipped in the crypto-policies
293 package unless a configuration from local.d is added.
294 /etc/crypto-policies/config
296 The active crypto-policies level set on the system.
297 /etc/crypto-policies/local.d
299 Additional configuration shipped by other packages or created by
300 the system administrator. The contents of the
301 <back-end>-file.config is appended to the configuration from the
302 policy back end as shipped in the crypto-policies package.
303
305 update-crypto-policies(8), fips-mode-setup(8)
306
308 Written by Tomáš Mráz.
309crypto-policies 05/27/2019 CRYPTO-POLICIES(7)