SDB:Crypto-policies

The security of cryptographic algorithms and protocols changes over time. To handle their deprecation in a consistent, system-wide way, we use crypto-policies. This package lets you use predefined policies, modify existing policies and create new ones.

Introduction

To unify the cryptographic policies used by different applications and libraries, we have introduced the crypto-policies package in SUSE and openSUSE. It allows the cryptographic security level to be set for all applications that use a cryptographic back-end supported by the policies. The list of packages that follow crypto-policies is quite extensive and includes OpenSSL, GnuTLS, Apache2, Java/OpenJDK, Stunnel, BIND, Python, perl-IO-Socket-SSL, NSS/mozilla-nss, pacemaker, Kerberos/krb5, openssh, libssh, vsftpd, ... Note that crypto-policies support has been available in Tumbleweed since snapshot 20201216.

Predefined security levels

The main idea is to have four predefined security levels that an administrator can configure by editing /etc/crypto-policies/config or by using the update-crypto-policies script. The policy groups are LEGACY, DEFAULT, NEXT, FUTURE, BSI, FIPS and EMPTY, with the following details:

 * LEGACY
    MACs: All HMAC with SHA-1 or better + all modern MACs (Poly1305, ...)
    Curves: All prime >= 256 bits (including Bernstein curves)
    Signature algorithms: SHA-1 hash or better (DSA allowed)
    TLS Ciphers: All available >= 112-bit key, >= 128-bit block (including 3DES and excluding RC4)
    Non-TLS Ciphers: Same as TLS ciphers with added Camellia
    Key exchange: ECDHE, RSA, DHE
    DH params size: >= 1024
    RSA params size: >= 1024
    DSA params size: >= 1024
    TLS protocols: TLS >= 1.0, DTLS >= 1.0
 * DEFAULT
    MACs: All HMAC with SHA-1 or better + all modern MACs (Poly1305, ...)
    Curves: All prime >= 256 bits (including Bernstein curves)
    Signature algorithms: SHA-256 hash or better (no DSA)
    TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC)
    Non-TLS Ciphers: Same as TLS ciphers with added Camellia
    Key exchange: ECDHE, RSA, DHE (no DHE-DSS)
    DH params size: >= 2048
    RSA params size: >= 2048
    DSA params size: >= 2048
    TLS protocols: TLS >= 1.2, DTLS >= 1.2
 * NEXT
    The NEXT policy is just an alias for the DEFAULT policy.
 * FIPS
    MACs: All HMAC with SHA-1 or better
    Curves: All prime >= 256 bits
    Signature algorithms: SHA-256 hash or better (no DSA)
    TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, including AES-CBC)
    Non-TLS Ciphers: Same as TLS ciphers
    Key exchange: ECDHE, RSA, DHE (no DHE-DSS, no RSA)
    DH params size: >= 2048
    RSA params size: >= 2048
    DSA params size: >= 2048
    TLS protocols: TLS >= 1.2, DTLS >= 1.2
 * BSI
    MACs: All HMAC with SHA-256 or better + all modern MACs
    Curves: All prime >= 256 bits (including Bernstein curves)
    Signature algorithms: SHA-256 hash or better (no DSA)
    TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers
    Non-TLS Ciphers: Same as TLS ciphers with added non-AE ciphers
    Key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
    DH params size: >= 3072
    RSA params size: >= 2048 (until the end of 2023, then it will switch to 3072)
    DSA params size: >= 3072
    TLS protocols: TLS >= 1.2, DTLS >= 1.2
 * FUTURE
    MACs: All HMAC with SHA-256 or better + all modern MACs (Poly1305, ...)
    Curves: All prime >= 256 bits (including Bernstein curves)
    Signature algorithms: SHA-256 hash or better (no DSA)
    TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers
    Non-TLS Ciphers: Same as TLS ciphers with added non-AE ciphers and Camellia
    Key exchange: ECDHE, DHE (no DHE-DSS, no RSA)
    DH params size: >= 3072
    RSA params size: >= 3072
    DSA params size: >= 3072
    TLS protocols: TLS >= 1.2, DTLS >= 1.2
 * EMPTY
    All cryptographic algorithms are disabled (used for debugging only, do not use).

These policies can also change over time, following the security of the cryptographic components. crypto-policies makes it easy to handle the deprecation of algorithms or protocols system-wide and in a transparent manner.

On a fresh install of the crypto-policies package, DEFAULT is the active policy. The policy currently in use can be checked with the update-crypto-policies command:

   update-crypto-policies --show

Some policies can break applications that connect to servers using weak cryptographic algorithms. If this happens, you can switch to the LEGACY policy level with update-crypto-policies until the issue is resolved:

   update-crypto-policies --set LEGACY

If we notice significant user experience degradation, e.g. due to many custom servers using legacy protocols, we will consider postponing that change or adapting the policy.

Create a new policy

Defining a new policy from scratch requires creating a file named <POLICY>.pol, where the name must be in uppercase and contain no spaces. The file must be located in the /etc/crypto-policies/policies folder or in /usr/share/crypto-policies/policies. As shown above, the newly created policy is applied with:

  update-crypto-policies --set <POLICY>

As examples of policies, see the .pol files in /usr/share/crypto-policies/policies/.

Modify existing cryptographic policies

Existing policies can be adjusted with policy modifier modules that enable or disable certain algorithms or protocols. A modifier module is a text file with the extension .pmod that contains the modifications. Its name must be <MODULE>.pmod, where <MODULE> is the name of the modifier in uppercase and without spaces. These files must be located in the /etc/crypto-policies/policies/modules folder, or in /usr/share/crypto-policies/policies/modules if they come pre-installed.

For example, to disable the SHA-1 hash, the modifier module /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod contains:

   hash = -SHA1
   sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1

The customized policy can then be applied by appending the module name to the base policy:

   update-crypto-policies --set DEFAULT:NO-SHA1
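The following is an added illustration, not the project's own resolver, of how a base .pol policy and .pmod modifier modules combine when you set DEFAULT:NO-SHA1: a directive given as a plain value list replaces the base list, tokens prefixed with + are appended and tokens prefixed with - are removed, and the modules named after the colon are applied left to right. The trimmed base policy and the TLS13-ONLY module are constructed for this example; the NO-SHA1 module mirrors the directives quoted above. Scoped directives (such as protocol@TLS) and the generation of per-library back-end configuration are not modelled.

```python
"""Simplified model of crypto-policies policy resolution (added example).

A base policy (<POLICY>.pol) is a list of 'directive = values' lines.  A
modifier module (<MODULE>.pmod) uses the same syntax: a plain value list
replaces the directive, '+TOKEN' appends and '-TOKEN' removes.
'BASE:MOD1:MOD2' applies the modules left to right, which is what
'update-crypto-policies --set DEFAULT:NO-SHA1' names.
"""

# Constructed, heavily trimmed excerpt in the style of a DEFAULT policy.
BASE_DEFAULT = """\
mac = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-512
hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA1
sign = ECDSA-SHA2-256 RSA-PSS-SHA2-256 RSA-SHA2-256 RSA-PSS-SHA1 RSA-SHA1 ECDSA-SHA1
protocol = TLS1.3 TLS1.2 DTLS1.2
min_dh_size = 2048
"""

# Modules keyed by name.  NO-SHA1 matches the directives quoted on this page;
# TLS13-ONLY is a constructed module showing replacement and '+'.
MODULES = {
    "NO-SHA1": """\
# Disable SHA-1 as a hash and in signatures
hash = -SHA1
sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1
""",
    "TLS13-ONLY": """\
protocol = TLS1.3
sign = +ED25519
""",
}


def parse_policy(text):
    """Parse 'directive = values' lines into {directive: [tokens]}."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"malformed directive: {raw!r}")
        directives[key] = value.split()
    return directives


def apply_module(policy, module_text):
    """Return a new policy dict with one module's directives applied."""
    result = {k: list(v) for k, v in policy.items()}
    for key, tokens in parse_policy(module_text).items():
        if tokens and all(t[0] in "+-" for t in tokens):
            # Incremental form: add or remove individual algorithms.
            current = result.get(key, [])
            for token in tokens:
                name = token[1:]
                if token[0] == "-":
                    current = [x for x in current if x != name]
                elif name not in current:
                    current.append(name)
            result[key] = current
        else:
            # Plain form: the module's list replaces the base list.
            result[key] = tokens
    return result


def resolve(spec, base_text=BASE_DEFAULT, modules=MODULES):
    """Resolve 'BASE:MOD:...' the way update-crypto-policies --set names it.
    Only one base policy is modelled, so the base name is not looked up."""
    _base, *names = spec.split(":")
    policy = parse_policy(base_text)
    for name in names:
        policy = apply_module(policy, modules[name])
    return policy


def removed_algorithms(spec, directive):
    """Tokens of a directive that the modules stripped relative to the base."""
    base = parse_policy(BASE_DEFAULT).get(directive, [])
    final = resolve(spec).get(directive, [])
    return [t for t in base if t not in final]


if __name__ == "__main__":
    for spec in ("DEFAULT", "DEFAULT:NO-SHA1", "DEFAULT:NO-SHA1:TLS13-ONLY"):
        p = resolve(spec)
        print(f"{spec}: hash={p['hash']} sign={p['sign']} protocol={p['protocol']}")
```

Running the script prints the resolved hash, sign and protocol lists for DEFAULT, DEFAULT:NO-SHA1 and DEFAULT:NO-SHA1:TLS13-ONLY, so the effect of each module is visible before it is ever deployed; removed_algorithms() answers the review question "what exactly did this module take away?".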

Enforcing system crypto-policies

To follow the crypto-policies, an application's configuration file or a compile-time option must select the system default. For applications that use OpenSSL or GnuTLS, for example, a priority string or cipher string named "SYSTEM" is used; the shipped library then applies the pre-configured system settings whenever the "SYSTEM" option is encountered. When an application does not specify any settings of its own, the system settings apply.

For example, for OpenSSL and GnuTLS this is:

 * OpenSSL: The cipher string "PROFILE=SYSTEM" will be used to specify the system ciphers. Any applications not explicitly specifying ciphers will use the system ciphers.
 * GnuTLS: The "@SYSTEM" priority string will be used to specify the system ciphers. Any applications using gnutls_set_default_priority() will also use the system ciphers.

We have carefully reviewed the packages that depend on OpenSSL and GnuTLS. Please report any inconsistency you find by opening a bug report in openSUSE bugzilla.
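The flip side of "applications not explicitly specifying ciphers use the system ciphers" is that a configuration line pinning its own cipher list silently bypasses whatever policy update-crypto-policies has set. The following added example (not part of this page or of the crypto-policies project) scans configuration snippets for such lines and reports which delegate to the system profile and which override it. The directive names (SSLCipherSuite from Apache mod_ssl, GnuTLSPriorities from mod_gnutls) and the sample snippets are constructed for the example; extend the table for the services you run.

```python
"""Audit configuration snippets for explicit cipher/priority strings that
bypass the system crypto policy (added example, not project code)."""
import re

# Directive -> the value that delegates to the system policy.  Names are
# assumptions for illustration: Apache mod_ssl and mod_gnutls directives.
SYSTEM_VALUES = {
    "SSLCipherSuite": "PROFILE=SYSTEM",   # OpenSSL back-end
    "GnuTLSPriorities": "@SYSTEM",        # GnuTLS back-end
}

DIRECTIVE_RE = re.compile(
    r"^\s*(" + "|".join(map(re.escape, SYSTEM_VALUES)) + r")\s+(\S.*?)\s*$"
)

# Constructed sample snippets; line numbers in findings refer to these.
SAMPLE_CONFIGS = {
    "vhost-a.conf": """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite PROFILE=SYSTEM
</VirtualHost>
""",
    "vhost-b.conf": """\
<VirtualHost *:443>
    SSLEngine on
    # explicit list pinned years ago; ignores whatever policy is set
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
""",
    "mod_gnutls.conf": """\
# GnuTLS-based vhost with a pinned priority string instead of @SYSTEM
GnuTLSPriorities NORMAL:-VERS-TLS1.0
""",
}


def audit_config(name, text):
    """Return one finding per cipher/priority directive found in `text`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # ignore commented-out directives
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        directive, value = match.groups()
        findings.append({
            "file": name,
            "line": lineno,
            "directive": directive,
            "value": value,
            # Anything other than the exact system marker is an override.
            "follows_system_policy": value == SYSTEM_VALUES[directive],
        })
    return findings


def audit_configs(configs):
    """Audit a {filename: text} mapping, preserving file order."""
    return [f for name, text in configs.items() for f in audit_config(name, text)]


def overrides(findings):
    """(file, line, value) for every directive that bypasses the policy."""
    return [(f["file"], f["line"], f["value"])
            for f in findings if not f["follows_system_policy"]]


if __name__ == "__main__":
    for path, line, value in overrides(audit_configs(SAMPLE_CONFIGS)):
        print(f"{path}:{line}: explicit setting overrides system policy: {value}")
```

Run against real files by reading them into the same {filename: text} mapping; each reported line is a place where a change of system policy will have no effect until the pin is replaced by PROFILE=SYSTEM or @SYSTEM.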

Enable the Kernel FIPS mode

The fips-mode-setup command can be used to enable the kernel FIPS mode which also sets the system policy to FIPS:

 # fips-mode-setup --enable
 Setting system policy to FIPS
 FIPS mode will be enabled.
 [...]
 Please reboot the system for the setting to take effect.

After a reboot, FIPS mode can be verified with the following command:

 # fips-mode-setup --check
 FIPS mode is enabled.
 Initramfs fips module is enabled.
 The current crypto policy (FIPS) is based on the FIPS policy.

FIPS mode can also be verified through sysctl:

 # sysctl -a | grep fips
 crypto.fips_enabled = 1

Similarly, to disable the FIPS mode:

 # fips-mode-setup --disable
 Setting system policy to DEFAULT
 FIPS mode will be disabled.
 [...]
 Please reboot the system for the setting to take effect.

Please note that at this moment there is a bug in OpenSSH that prevents SSH access in FIPS mode.

Documentation and upstream project

For more information, please refer to the following man pages:

   man 7 crypto-policies
   man 8 update-crypto-policies
   man 8 fips-mode-setup
   man 8 fips-finish-install

Also check out the upstream project on the crypto-policies GitLab and the openSUSE conference presentation.