From Fedora Project Wiki
Line 1: Line 1:
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
= Strict crypto settings =
+
= Strong crypto settings =
  
 
== Summary ==
 
== Summary ==
This change is about updating the current system-wide crypto policy to disable legacy and other unused protocols.
+
This change is about updating the current system-wide crypto policy to disable legacy and unused cryptographic protocols.
  
 
== Owner ==
 
== Owner ==
Line 43: Line 43:
 
The propose changes for default policy are:
 
The propose changes for default policy are:
 
  * Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
 
  * Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
 
+
* Require finite field parameters (RSA, Diffie-Hellman) of 2048 and more in the default settings
  
 
That is a policy of:
 
That is a policy of:
Line 59: Line 59:
 
   MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
 
   MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
 
   Curves: all prime >= 255 bits (including bernstein curves)
 
   Curves: all prime >= 255 bits (including bernstein curves)
   Signature algorithms: SHA-1 hash or better (SHA-1 disabled during internal alpha testing, re-enabled possibly for alpha, revise again at beta)
+
   Signature algorithms: with SHA-1 hash or better
   Ciphers: >= 128-bit key, >= 128-bit block (aes, camellia, chacha20, including aes-cbc for compatibility with rhel6 gnutls)
+
   Ciphers: >= 128-bit key, >= 128-bit block (aes, camellia, chacha20, including aes-cbc)
 
   key exchange: ECDHE, RSA, DHE
 
   key exchange: ECDHE, RSA, DHE
 
   DH params size: >= 2048
 
   DH params size: >= 2048
 
   RSA params size: >= 2048
 
   RSA params size: >= 2048
   TLS protocols: >= TLS 1.2, TLS 1.3
+
   TLS protocols: TLS >= 1.2
  
 
  FUTURE
 
  FUTURE
Line 70: Line 70:
 
   Curves: all prime >= 384 bits (including bernstein curves)
 
   Curves: all prime >= 384 bits (including bernstein curves)
 
   Signature algorithms: SHA-384 hash or better
 
   Signature algorithms: SHA-384 hash or better
   Ciphers: >= 256-bit key, >= 128-bit block, only AE (aes, camellia, chacha20)
+
   Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers
 
   key exchange: ECDHE, DHE
 
   key exchange: ECDHE, DHE
 
   DH params size: >= 3072
 
   DH params size: >= 3072
 
   RSA params size: >= 3072
 
   RSA params size: >= 3072
   TLS protocols: >= TLS 1.2, TLS 1.3
+
   TLS protocols: TLS >= 1.2
  
  
Line 83: Line 83:
 
== Scope ==
 
== Scope ==
 
* Proposal owners:
 
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
+
The policies include in crypto-policies package need to be updated.
  
 
* Other developers:  
 
* Other developers:  
 
  * Crypto policies are updated to the settings above
 
  * Crypto policies are updated to the settings above
  * OpenSSL is updated to allow setting policies
+
  * [https://bugzilla.redhat.com/show_bug.cgi?id=1487607 OpenSSL is updated to allow setting policies for TLS versions]
  * [https://bugzilla.redhat.com/show_bug.cgi?id=1487607 Cannot set TLS versions and accepted key lengths]
 
  
 
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
 
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE AS WELL AS FOR SELF CONTAINED CHANGES -->
Line 94: Line 93:
 
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]:
 
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]:
 
  * Crypto policies are updated to the settings above
 
  * Crypto policies are updated to the settings above
  * OpenSSL is updated to allow setting policies
+
  * OpenSSL is updated to allow setting TLS protocol policies
  
 
* Policies and guidelines:
 
* Policies and guidelines:
Line 143: Line 142:
 
== Release Notes ==
 
== Release Notes ==
  
[[Category:ChangePageIncomplete]]
+
[[Category:SystemWideChange]]
<!-- [[Category:SystemWideChange]] -->
 

Revision as of 11:35, 18 December 2017

Strong crypto settings

Summary

This change is about updating the current system-wide crypto policy to disable legacy and unused cryptographic protocols.

Owner

Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-12-18
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Fedora includes several cryptographic components who's security doesn't remain constant over time. Algorithms such as (cryptographic) hashing and encryption typically have a lifetime after which they are considered either too risky to use or plain insecure. That would mean we need to phase out such algorithms from the default settings, or completely disable if they could cause irreparable issue.

While in the past we did not disable algorithms in a consistent way (different applications utilized different policies), today we have a system-wide policy followed by a large part of Fedora components. That allows us to move consistently and deprecate algorithms system-wide. For rationale see RFC 7457 for a more complete list of attacks taking advantage of legacy crypto algorithms.

The propose changes for default policy are:

* Keep only TLS 1.2 (and TLS 1.3 when available) as enabled protocols and move the TLS 1.x, x<=1 to legacy level.
* Require finite field parameters (RSA, Diffie-Hellman) of 2048 and more in the default settings

That is a policy of:

LEGACY
 MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
 Curves: all prime >= 255 bits (including bernstein curves)
 Signature algorithms: SHA-1 hash or better (not RIPEMD)
 Ciphers: all available > 112-bit key, >= 128-bit block (no rc4, but with 3DES)
 key exchange: ECDHE, RSA, DHE
 DH params size: >=1024
 RSA params size: >=1024
 TLS protocols: TLS >= 1.0
DEFAULT
 MACs: All HMAC with SHA1 or better + all modern MACs (poly1305 etc)
 Curves: all prime >= 255 bits (including bernstein curves)
 Signature algorithms: with SHA-1 hash or better
 Ciphers: >= 128-bit key, >= 128-bit block (aes, camellia, chacha20, including aes-cbc)
 key exchange: ECDHE, RSA, DHE
 DH params size: >= 2048
 RSA params size: >= 2048
 TLS protocols: TLS >= 1.2
FUTURE
 MACs: All HMAC with SHA256 or better + all modern MACs (poly1305 etc)
 Curves: all prime >= 384 bits (including bernstein curves)
 Signature algorithms: SHA-384 hash or better
 Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers
 key exchange: ECDHE, DHE
 DH params size: >= 3072
 RSA params size: >= 3072
 TLS protocols: TLS >= 1.2


Benefit to Fedora

With this change we protect users from relying on enabled-by-default weak cryptography, as well as reduce our maintenance cost for future attacks that rely on weak crypto for exploitation.

Scope

  • Proposal owners:

The policies include in crypto-policies package need to be updated.

  • Other developers:
* Crypto policies are updated to the settings above
* OpenSSL is updated to allow setting policies for TLS versions
* Crypto policies are updated to the settings above
* OpenSSL is updated to allow setting TLS protocol policies
  • Policies and guidelines:

No changes to packaging or other guidelines is needed.

  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

It may be that the new settings break software that connects to servers which utilize weak algorithms. Compatibility can be obtained by switching the system to legacy mode.


How To Test

Applications which follow the system-wide policy (e.g., curl,wget) should be tested:

* whether they can connect to legacy (TLS1.0, TLS1.1) servers when system is in legacy mode
* whether the previous connection breaks when system is in default mode
* whether the system can connect to TLS 1.2 servers when in default, legacy or future mode.


User Experience

Given the existing deployment of TLS 1.2 on the internet, there should not be significant user experience degradation, although that's a speculation.

Dependencies

* nss
* gnutls
* openssl
* crypto-policies


Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?)

If we notice significant user experience degradation, e.g., due to many custom servers utilizing legacy protocols, we should consider postponing that change. The change owner will take care of this.

  • Contingency deadline: beta freeze
  • Blocks release? No


Documentation

None


Release Notes