Across enterprise IT the security landscape is changing and attackers are coming up with more sophisticated attacks. The cryptographic algorithms that might be robust and reliable today, may not necessarily be so tomorrow. Applying a consistent cryptographic policy at scale can be quite challenging. To solve this, we introduced system-wide crypto policies in RHEL 8, and based on customer feedback, have extended it in RHEL 8.2 to enable users to specify their own crypto policies if the built-in policies do not meet their requirements.
As a refresher, system-wide crypto policies introduced in RHEL 8 are:
1. Centrally managed on the system using a simple command to show the currently set system-wide crypto policy and update the system-wide crypto policy.
**Show the system-wide crypto policy currently in effect
**
$ update-crypto-policies --show
DEFAULT
Update the system-wide crypto policy to set the level to future
Update the system-wide crypto policy to set the level to future
$ update-crypto-policies --set FUTURE
Setting system policy to FUTURE
2. Effective across applications built using core cryptographic subsystems. For example, if your application leverages OpenSSL, or GnuTLS, these applications will be able to benefit from the RHEL crypto policies.
3. Configurable to a particular predefined policy level. In RHEL 8, four policies are provided under the names "LEGACY", "DEFAULT", "FUTURE" and "FIPS". Detailed settings about each policy are summarized in this post about strong crypto defaults in RHEL 8 and update-crypto-policies man pages.
However, the predefined policy level settings are one-size-fits-all. They cannot be used to fine tune the security requirements of a system if needed. That’s where custom crypto policies come to the rescue.
Custom crypto policies in RHEL 8.2 enable users to modify predefined policy levels (by adding or removing enabled algorithms or protocols), or to write a new crypto policy from scratch.
However, the predefined policy level settings are one-size-fits-all. They cannot be used to fine tune the security requirements of a system if needed. That’s where custom crypto policies come to the rescue.
Custom crypto policies in RHEL 8.2 enable users to modify predefined policy levels (by adding or removing enabled algorithms or protocols), or to write a new crypto policy from scratch.
To modify existing crypto policies, use policy modifier modules. These are text files that include policy instructions to the update-crypto-policies
tool.
The naming of these files must follow the following convention: .pmod, where is the name of the modifier in uppercase without spaces, and .pmod is the file extension in lowercase.
The location of these files should be /etc/crypto-policies/policies/modules folder (or the /usr/share/crypto-policies/policies/modules
folder if they are in installed packages).
For example, suppose we want to remove support for RSA and PSK (pre-shared keys) key exchanges as they do not provide forward secrecy.
In this case, missing forward secrecy means that if an attacker who is recording the encrypted data exchanged between client and server somehow obtains the RSA key, they can decrypt the pre-master secret for all recorded sessions which used the same key compromising confidentiality. Section 2 of RFC4279 details how the pre-master secret is computed. This is not possible with key exchanges providing forward secrecy such as DiffieHellman and Elliptic Curve Diffie Hellman key exchanges.
To accomplish this, create a policy modifier module called PFS-KEX.pmod
with this line:
key_exchange = -RSA -PSK
Before you apply the modifier, you can check the crypto policy using the update-crypto-policies
tool:
update-crypto-policies --show
Output:
DEFAULT
Next, you can then apply this policy modifier to other crypto policies using a command like this:
update-crypto-policies --set DEFAULT:PFS-KEX
Output:
Setting system policy to DEFAULT:PFS-KEX
Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place.
To confirm that you have applied this policy modifier properly, you can check the set crypto policy again using:
update-crypto-policies --show
Output:
DEFAULT:PFS-KEX
Depending on your requirements, you can also choose to write up a new crypto policy from scratch. As a starting point, you can create a copy of the DEFAULT.pol policy file, edit and rename it to create a new policy.
The system-wide crypto policy definition files should be owned by root and must not be writable by non-privileged users just like other system-wide configuration files.
Copy one of the four predefined policy levels and edit it:
# cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/MYPOLICY.pol
# vi /etc/crypto-policies/policies/MYPOLICY.pol
After updating the MYPOLICY policy file, set the crypto-policy:
# update-crypto-policies --set MYPOLICY
Reboot the system to make the crypto-policy settings effective for all running services and applications
# reboot
Confirm after the reboot that the crypto-policy is effective. This should show MYPOLICY
.
# update-crypto-policies --show
The examples in this blog showcase the flexibility you get with system-wide crypto policies in RHEL 8.2, that allow writing a new policy from scratch, or modifying an existing one.
Supporting system-wide crypto policies raises the security bar of default installations in Red Hat Enterprise Linux systems and with this enhancement to crypto policies, administrators now have a way to tweak security settings for cryptographic algorithms and protocols. This opens up a whole new way to meet today’s evolving security requirements.
So, if you are a system administrator needing to interoperate with other systems, needing compatibility with old devices, or a compliance auditor wanting to ensure that only approved ciphers are being used, the new customizable system-wide cryptographic policies in RHEL 8.2 are for you.
Get started today by examining the crypto_policies
man pages and RHEL 8.2 documentation. Feel free to test out various options; all of the system profiles will remain there, untouched, and easy for you to fall back to.
RHEL 8.2 can be found on Alibaba Cloud Marketplace:
https://marketplace.alibabacloud.com/products/56732001/_em_Red_em_em_Hat_em_Enterprise_Linux_8_2_64bit-sgcmjj00024958.html?spm=a3c0i.730005.0.0.4e392faax76adK&innerSource=search_red%20hat
ABOUT THE AUTHORS
Tomáš Mráz, Principal Software Engineer
Don Pinto, Technical Product Marketing Manager
Tomáš Mráz is a Principal Software Engineer in the Crypto Team at Red Hat. He works on System-Wide Cryptographic Policies and the OpenSSL library.
Don Pinto is a Technical Product Marketing Manager at Red Hat focused on helping customers understand why Red Hat Enterprise Linux is an ideal operating system platform for modern application workloads. Don is passionate about data management and operating systems, having authored several technical blogs and white papers on various tech topics. Don holds a Masters degree in Computer Science and a Bachelor's degree in Computer Engineering from the University of Toronto, Canada.
Reengineering the networking landscape, work from anywhere with Alibaba Cloud
Alibaba Cloud and Palo Alto Networks Joint solutions for Remote Educations
21 posts | 12 followers
FollowMarketplace - October 5, 2020
Marketplace - October 13, 2020
Alibaba Clouder - September 27, 2018
GhulamQadir - December 30, 2019
Alibaba Clouder - April 19, 2021
Alibaba Clouder - June 13, 2019
21 posts | 12 followers
FollowAlibaba Cloud Linux is a free-to-use, native operating system that provides a stable, reliable, and high-performance environment for your applications.
Learn MoreAlibaba Cloud is committed to safeguarding the cloud security for every business.
Learn MoreSimple, secure, and intelligent services.
Learn MoreProtect, backup, and restore your data assets on the cloud with Alibaba Cloud database services.
Learn MoreMore Posts by Marketplace
5344401406140216 November 9, 2020 at 12:38 am
Nice article