'\" t

.\"     Title: crypto-policies

.\"    Author: [see the "AUTHOR" section]

.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>

.\"      Date: 02/08/2019

.\"    Manual: \ \&

.\"    Source: crypto-policies

.\"  Language: English

.\"

.TH "CRYPTO\-POLICIES" "7" "02/08/2019" "crypto\-policies" "\ \&"

.\" -----------------------------------------------------------------

.\" * Define some portability stuff

.\" -----------------------------------------------------------------

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.\" http://bugs.debian.org/507673

.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html

.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.ie \n(.g .ds Aq \(aq

.el       .ds Aq '

.\" -----------------------------------------------------------------

.\" * set default formatting

.\" -----------------------------------------------------------------

.\" disable hyphenation

.nh

.\" disable justification (adjust text to left margin only)

.ad l

.\" -----------------------------------------------------------------

.\" * MAIN CONTENT STARTS HERE *

.\" -----------------------------------------------------------------

.SH "NAME"

crypto-policies \- system\-wide crypto policies overview

.SH "DESCRIPTION"

.sp

The security of cryptographic components of the operating system does not remain constant over time\&. Algorithms, such as cryptographic hashing and encryption, typically have a lifetime, after which they are considered either too risky to use or plain insecure\&. That means, we need to phase out such algorithms from the default settings or completely disable them if they could cause an irreparable problem\&.

.sp

While in the past the algorithms were not disabled in a consistent way and different applications applied different policies, the system\-wide crypto\-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system\-wide\&.

.sp

The individual policy levels (\fBDEFAULT\fR, \fBLEGACY\fR, \fBFUTURE\fR, and \fBFIPS\fR) are included in the \fBcrypto\-policies(7)\fR package\&. In the future, there will be also a mechanism for easy creation and deployment of policies defined by the system administrator or a third party vendor\&.

.sp

For rationale, see \fBRFC 7457\fR for a list of attacks taking advantage of legacy crypto algorithms\&.

.SH "COVERED APPLICATIONS"

.sp

Crypto\-policies apply to the configuration of the core cryptographic subsystems, covering \fBTLS\fR, \fBIKE\fR, \fBIPSec\fR, \fBDNSSec\fR, and \fBKerberos\fR protocols; i\&.e\&., the supported secure communications protocols on the base operating system\&.

.sp

Once an application runs in the operating system, it follows the default or selected policy and refuses to fall back to algorithms and protocols not within the policy, unless the user has explicitly requested the application to do so\&. That is, the policy applies to the default behavior of applications when running with the system\-provided configuration but the user can override it on an application\-specific basis\&.

.sp

The policies currently provide settings for these applications and libraries:

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBBIND\fR

DNS name server daemon

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBGnuTLS\fR

TLS library

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBOpenJDK\fR

runtime environment

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBKerberos 5\fR

library

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBLibreswan\fR

IPsec and IKE protocol implementation

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBNSS\fR

TLS library

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBOpenSSH\fR

SSH2 protocol implementation

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBOpenSSL\fR

TLS library

.RE

.sp

Applications using the above libraries and tools are covered by the cryptographic policies unless they are explicitly configured not to be so\&.

.SH "PROVIDED POLICY LEVELS"

.PP

\fBLEGACY\fR

.RS 4

This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for

\fBTLS 1\&.0\fR,

\fBTLS 1\&.1\fR, and

\fBSSH2\fR

protocols or later\&. The algorithms

\fBDSA\fR,

\fB3DES\fR, and

\fBRC4\fR

are allowed, while

\fBRSA\fR

and

\fBDiffie\-Hellman\fR

parameters are accepted if larger than 1023 bits\&. The level provides at least 64\-bit security\&.

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

MACs: all

\fBHMAC\fR

with

\fBSHA\-1\fR

or better + all modern MACs (\fBPoly1305\fR

etc\&.)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Curves: all prime >= 255 bits (including Bernstein curves)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Signature algorithms: with

\fBSHA1\fR

hash or better (\fBDSA\fR

allowed)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

Ciphers: all available >= 112\-bit key, >= 128\-bit block (including

\fBRC4\fR

and

\fB3DES\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Non\-TLS Ciphers: same as

\fBTLS\fR

ciphers with added

\fBCamellia\fR

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Key exchange:

\fBECDHE\fR,

\fBRSA\fR,

\fBDHE\fR

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBDH\fR

params size: >= 1023

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBRSA\fR

keys size: >= 1023

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBDSA\fR

params size: >= 1023

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

protocols:

\fBTLS\fR

>= 1\&.0,

\fBDTLS\fR

>= 1\&.0

.RE

.RE

.PP

\fBDEFAULT\fR

.RS 4

The

\fBDEFAULT\fR

policy is a reasonable default policy for today\(cqs standards, compatible with

\fBPCI\-DSS\fR

requirements\&. It allows the

\fBTLS 1\&.2\fR

and

\fBTLS 1\&.3\fR

protocols, as well as

\fBIKEv2\fR

and

\fBSSH2\fR\&. The

\fBRSA\fR

and

\fBDiffie\-Hellman\fR

parameters are accepted if larger than 2047 bits\&. The level provides at least 112\-bit security with the exception of

\fBSHA\-1\fR

signatures needed for

\fBDNSSec\fR

and other still prevalent legacy use of

\fBSHA\-1\fR

signatures\&.

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

MACs: all

\fBHMAC\fR

with

\fBSHA\-1\fR

or better + all modern MACs (\fBPoly1305\fR

etc\&.)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Curves: all prime >= 255 bits (including Bernstein curves)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Signature algorithms: with

\fBSHA\-1\fR

hash or better (no

\fBDSA\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

Ciphers: >= 128\-bit key, >= 128\-bit block (\fBAES\fR,

\fBChaCha20\fR, including

\fBAES\-CBC\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

non\-TLS Ciphers: as

\fBTLS\fR

Ciphers with added

\fBCamellia\fR

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

key exchange:

\fBECDHE\fR,

\fBRSA\fR,

\fBDHE\fR

(no

\fBDHE\-DSS\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBDH\fR

params size: >= 2048

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBRSA\fR

keys size: >= 2048

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

protocols:

\fBTLS\fR

>= 1\&.2,

\fBDTLS\fR

>= 1\&.2

.RE

.RE

.PP

\fBFUTURE\fR

.RS 4

A conservative security level that is believed to withstand any near\-term future attacks\&. This level does not allow the use of

\fBSHA\-1\fR

in signature algorithms\&. The level also provides some (not complete) preparation for post\-quantum encryption support in form of 256\-bit symmetric encryption requirement\&. The

\fBRSA\fR

and

\fBDiffie\-Hellman\fR

parameters are accepted if larger than 3071 bits\&. The level provides at least 128\-bit security\&.

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

MACs: all

\fBHMAC\fR

with

\fBSHA\-256\fR

or better + all modern MACs (\fBPoly1305\fR

etc\&.)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Curves: all prime >= 255 bits (including Bernstein curves)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Signature algorithms: with

\fBSHA\-256\fR

hash or better (no

\fBDSA\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

Ciphers: >= 256\-bit key, >= 128\-bit block, only Authenticated Encryption (AE) ciphers

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

non\-TLS Ciphers: same as

\fBTLS\fR

ciphers with added non AE ciphers and

\fBCamellia\fR

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

key exchange:

\fBECDHE\fR,

\fBDHE\fR

(no

\fBDHE\-DSS\fR, no

\fBRSA\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBDH\fR

params size: >= 3072

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBRSA\fR

keys size: >= 3072

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

protocols:

\fBTLS\fR

>= 1\&.2,

\fBDTLS\fR

>= 1\&.2

.RE

.RE

.PP

\fBFIPS\fR

.RS 4

A level that conforms to the

\fBFIPS 140\-2\fR

requirements\&. This policy is used internally by the

\fBfips\-mode\-setup(8)\fR

tool which can switch the system into the

\fBFIPS 140\-2\fR

compliance mode\&. The level provides at least 112\-bit security\&.

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

MACs: all

\fBHMAC\fR

with

\fBSHA1\fR

or better

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Curves: all prime >= 256 bits

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

Signature algorithms: with

\fBSHA\-256\fR

hash or better (no

\fBDSA\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

Ciphers: >= 128\-bit key, >= 128\-bit block (\fBAES\fR, including

\fBAES\-CBC\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

non\-TLS Ciphers: same as

\fBTLS\fR

Ciphers

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

key exchange:

\fBECDHE\fR,

\fBDHE\fR

(no

\fBDHE\-DSS\fR, no

\fBRSA\fR)

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBDH\fR

params size: >= 2048

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBRSA\fR

params size: >= 2048

.RE

.sp

.RS 4

.ie n \{\

\h'-04'\(bu\h'+03'\c

.\}

.el \{\

.sp -1

.IP \(bu 2.3

.\}

\fBTLS\fR

protocols:

\fBTLS\fR

>= 1\&.2,

\fBDTLS\fR

>= 1\&.2

.RE

.RE

.PP

\fBEMPTY\fR

.RS 4