(→Documentation: A link to packaging guidelines added) |
|||
(18 intermediate revisions by 4 users not shown) | |||
Line 17: | Line 17: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/21 | Fedora 21 ]] | * Targeted release: [[Releases/21 | Fedora 21 ]] | ||
* Last updated: | * Last updated: 2014-01-16 | ||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | ||
Bugzilla states meaning as usual: | Bugzilla states meaning as usual: | ||
Line 26: | Line 26: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1076390 #1076390] | ||
== Detailed Description == | == Detailed Description == | ||
The idea is to have some predefined security levels such as | The idea is to have some predefined security levels available, such as LEGACY, DEFAULT and FUTURE (see also [https://git.fedorahosted.org/cgit/crypto-profiles.git/tree/update-crypto-policies.8.txt update-crypto-policies(8)]), that an administrator should be able to configure by modifying | ||
/etc/crypto-policies/config. The configured security level will be applied globally, | |||
that | |||
/etc/crypto- | |||
<!-- Additional flags should be specified with the profile using a parenthesis | <!-- Additional flags should be specified with the profile using a parenthesis | ||
after the profile name. The only flag specified now is PFS, which will | after the profile name. The only flag specified now is PFS, which will | ||
restrict the profile options to the ones that offer perfect forward secrecy.--> | restrict the profile options to the ones that offer perfect forward secrecy.--> | ||
after executing update-crypto-profiles. | |||
(Note: it would be better to have a daemon that watches those files and | (Note: it would be better to have a daemon that watches those files and | ||
runs update-crypto-profiles automatically) | runs update-crypto-profiles automatically) | ||
Line 73: | Line 69: | ||
* Proposal owners: | * Proposal owners: | ||
** In GNUTLS the "@SYSTEM" priority string will be used to specify the system ciphers. Any applications using gnutls_set_default_priority() will also use the system ciphers. | |||
** In OpenSSL the cipher string "PROFILE=SYSTEM" will be used to specify the system ciphers. Any applications not explicitly specifying ciphers will use the system ciphers. | |||
** NSS, doesn't support yet similar configuration. Adding support [https://bugzilla.mozilla.org/show_bug.cgi?id=1009429 is work in progress]. | |||
After that a mechanism to specify crypto policies for Fedora has to be devised, as well as the extraction to each libraries' settings. | After that a mechanism to specify crypto policies for Fedora has to be devised, as well as the extraction to each libraries' settings. | ||
* Other developers: | * Other developers: | ||
Packages that use SSL crypto libraries should, after the previous change is complete, replace the default cipher strings with | Packages that use SSL crypto libraries should, after the previous change is complete, replace the default cipher strings with the ones described above. In F21 the number of packages converted will be a selected small set to prevent an overwhelming flow of bugs in case of breakage, and in F22 more packages will be converted. After F21 bugs will be reported to packages using the crypto libraries (detected possibly using repoquery). | ||
A developer could test whether the system crypto policy is being applied using the following steps: | |||
** Test ordinary operation | |||
** Change /etc/crypto-policies/config to FUTURE | |||
** run update-crypto-policies | |||
** Test whether the connection to a public server works (e.g., www.amazon.com). It should have failed as the FUTURE level disallows SHA-1 which is used by most servers today. | |||
* Release engineering: | * Release engineering: | ||
Line 84: | Line 88: | ||
* Policies and guidelines: | * Policies and guidelines: | ||
After the change is complete the packaging guidelines, should mention abouve replacing the default cipher strings with "SYSTEM". This of course need not affect programs that do not have a mechanism for setting ciphers/modes that is already in wide use (e.g., browsers). It mostly targets applications that use some reasonable (or unreasonable) defaults and the user/administrator has little control of them. | After the change is complete the packaging guidelines, should mention abouve replacing the default cipher strings with "SYSTEM". This of course need not affect programs that do not have a mechanism for setting ciphers/modes that is already in wide use (e.g., browsers). It mostly targets applications that use some reasonable (or unreasonable) defaults and the user/administrator has little control of them. The high level descriptions of the selected levels follows. | ||
LEGACY: A level that will ensure maximum compatibility with legacy systems. It should provide at least 64-bit security | |||
and include RC4 and MD5 (for HMAC) | |||
MACs: MD5, SHA1+ | |||
Curves: All supported | |||
Signature algorithms: must use SHA-1 hash or better (Note: signature algorithms restrictions shouldn't apply to self-signatures) | |||
Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC, 3DES-CBC, RC4 | |||
Key exchange: ECDHE, RSA, DHE | |||
DH params size: 767+ | |||
RSA params size: 767+ | |||
Protocols: All supported (SSL3.0+) | |||
DEFAULT: A reasonable default for today's standards. For F21 it should provide 80-bit security and no broken ciphers like RC4. | |||
MACs: SHA1+ | |||
Curves: All supported | |||
Signature algorithms: must use SHA-1 hash or better | |||
Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC, 3DES-CBC (Note that AES256 should be prioritized after AES128 to conserve resources). | |||
Key exchange: ECDHE, RSA, DHE | |||
DH params size: 1023+ | |||
RSA params size: 1023+ | |||
Protocols: All supported (SSL3.0+) | |||
FUTURE: A level that will provide security on a conservative level that is believed to withstand any near-term future attacks. That will | |||
be an 112-bit security level, without including protocols with known attacks available (e.g. SSL 3.0). This level may prevent | |||
communication with many used systems that provide weaker security levels (e.g., systems that use SHA-1 as signature algorithm). | |||
MACs: SHA1+ | |||
Curves: of size 256+ or better | |||
Signature algorithms: must use SHA-256 hash or better | |||
Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC (Note that AES256 should be prioritized after AES128 to conserve resources.) | |||
Key exchange: ECDHE, RSA, DHE | |||
DH params size: 2048+ | |||
RSA params size: 2048+ | |||
Protocols: TLS1.2+ | |||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Line 96: | Line 133: | ||
== Dependencies == | == Dependencies == | ||
There are many packages that depend on the mentioned crypto libraries. | There are many packages that depend on the mentioned crypto libraries. Bugs will be filled to the major ones for the F21 release, and the plan is have all relevant packages to use the default settings by F22. | ||
== Contingency Plan == | == Contingency Plan == | ||
Line 109: | Line 146: | ||
== Documentation == | == Documentation == | ||
My notes are above in the description. | * My notes are above in the description. | ||
* [https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Enforcing system crypto policies packaging guidelines] | |||
== Release Notes == | == Release Notes == | ||
Line 118: | Line 156: | ||
--> | --> | ||
[[Category: | [[Category:ChangeAcceptedF21]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 09:13, 11 February 2020
System-wide crypto policy
Summary
Unify the crypto policies used by different applications and libraries. That is allow setting a consistent security level for crypto on all applications in a Fedora system. The implementation approach will be to initially modify SSL libraries to respect the policy and gradually adding more libraries and applications.
Owner
- Name: Nikos Mavrogiannopoulos
- Email: nmav@redhat.com
- Release notes owner:
Current status
Detailed Description
The idea is to have some predefined security levels available, such as LEGACY, DEFAULT and FUTURE (see also update-crypto-policies(8)), that an administrator should be able to configure by modifying /etc/crypto-policies/config. The configured security level will be applied globally, after executing update-crypto-profiles. (Note: it would be better to have a daemon that watches those files and runs update-crypto-profiles automatically)
After that the administrator should be assured that any application that uses the system settings will follow a policy that adheres to the configured profile.
Ideally setting a profile should be setting:
- the acceptable TLS/SSL (and DTLS) versions
- the acceptable ciphersuites and the preferred order
- acceptable parameters in certificates and key exchange, i.e.:
- the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
- the acceptable elliptic curves (ECDH,ECDSA)
- the acceptable signature hash functions
- other TLS options such as:
- safe renegotiation
An idea of how this will be implemented is to have each Fedora application's configuration file or compilation option will set a system default option. That is for example for applications that use GnuTLS or OpenSSL a priority string or cipher named "SYSTEM". Then the shipped library will make sure that once the "SYSTEM" option is encountered the preconfigured system settings will be applied. When an application doesn't specify any default settings the system settings should apply.
The preconfigured settings for each SSL library will be auto-generated from the default profile in /etc/crypto-profiles/generated/$(libname)/config
Benefit to Fedora
With this change a Fedora system will have a consistent way of setting a default security profile for all applications.
Scope
There are changes required in GnuTLS, OpenSSL and NSS libraries. On a second phase non-SSL crypto libraries could use these settings.
- Proposal owners:
- In GNUTLS the "@SYSTEM" priority string will be used to specify the system ciphers. Any applications using gnutls_set_default_priority() will also use the system ciphers.
- In OpenSSL the cipher string "PROFILE=SYSTEM" will be used to specify the system ciphers. Any applications not explicitly specifying ciphers will use the system ciphers.
- NSS, doesn't support yet similar configuration. Adding support is work in progress.
After that a mechanism to specify crypto policies for Fedora has to be devised, as well as the extraction to each libraries' settings.
- Other developers:
Packages that use SSL crypto libraries should, after the previous change is complete, replace the default cipher strings with the ones described above. In F21 the number of packages converted will be a selected small set to prevent an overwhelming flow of bugs in case of breakage, and in F22 more packages will be converted. After F21 bugs will be reported to packages using the crypto libraries (detected possibly using repoquery).
A developer could test whether the system crypto policy is being applied using the following steps:
- Test ordinary operation
- Change /etc/crypto-policies/config to FUTURE
- run update-crypto-policies
- Test whether the connection to a public server works (e.g., www.amazon.com). It should have failed as the FUTURE level disallows SHA-1 which is used by most servers today.
- Release engineering:
This feature does not require coordination with release engineering.
- Policies and guidelines:
After the change is complete the packaging guidelines, should mention abouve replacing the default cipher strings with "SYSTEM". This of course need not affect programs that do not have a mechanism for setting ciphers/modes that is already in wide use (e.g., browsers). It mostly targets applications that use some reasonable (or unreasonable) defaults and the user/administrator has little control of them. The high level descriptions of the selected levels follows.
LEGACY: A level that will ensure maximum compatibility with legacy systems. It should provide at least 64-bit security and include RC4 and MD5 (for HMAC) MACs: MD5, SHA1+ Curves: All supported Signature algorithms: must use SHA-1 hash or better (Note: signature algorithms restrictions shouldn't apply to self-signatures) Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC, 3DES-CBC, RC4 Key exchange: ECDHE, RSA, DHE DH params size: 767+ RSA params size: 767+ Protocols: All supported (SSL3.0+)
DEFAULT: A reasonable default for today's standards. For F21 it should provide 80-bit security and no broken ciphers like RC4. MACs: SHA1+ Curves: All supported Signature algorithms: must use SHA-1 hash or better Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC, 3DES-CBC (Note that AES256 should be prioritized after AES128 to conserve resources). Key exchange: ECDHE, RSA, DHE DH params size: 1023+ RSA params size: 1023+ Protocols: All supported (SSL3.0+)
FUTURE: A level that will provide security on a conservative level that is believed to withstand any near-term future attacks. That will be an 112-bit security level, without including protocols with known attacks available (e.g. SSL 3.0). This level may prevent communication with many used systems that provide weaker security levels (e.g., systems that use SHA-1 as signature algorithm). MACs: SHA1+ Curves: of size 256+ or better Signature algorithms: must use SHA-256 hash or better Ciphers: AES-GCM, AES-CBC, CAMELLIA-GCM, CAMELLIA-CBC (Note that AES256 should be prioritized after AES128 to conserve resources.) Key exchange: ECDHE, RSA, DHE DH params size: 2048+ RSA params size: 2048+ Protocols: TLS1.2+
Upgrade/compatibility impact
There should be no upgrade/compatibility issues. Programs that use their own strings will continue to work as before, although they will not adhere to system's policy.
How To Test
By trying the different security levels and evaluating whether connecting to specific SSL server using applications that use distinct libraries, and then verifying whether the results are the expected. It will require writing a test application that uses all 3 libraries for that purpose.
User Experience
It may be that setting a high security level could prevent applications that connected to servers below that level to connect. Thus, care must be taken when selecting the default level.
Dependencies
There are many packages that depend on the mentioned crypto libraries. Bugs will be filled to the major ones for the F21 release, and the plan is have all relevant packages to use the default settings by F22.
Contingency Plan
- Contingency mechanism:
The backup plan if anything goes wrong is to delay for f22. If the infrastructure is in place but doesn't work for any reason, then the packages shouldn't use the system settings and should be reverted to the original settings.
- Contingency deadline: beta freeze
- Blocks release? No
Documentation
- My notes are above in the description.
- Enforcing system crypto policies packaging guidelines