3. 3/17/13 3Red Hat
me
• I work at Red Hat Security technologies
– Mostly on crypto-related projects (Fedora, RHEL)
– I like working on GnuTLS, OpenConnect VPN, OpenWRT
– I started the 'System-wide crypto policies' project at Fedora
Purpose
• Problem statement:
– A system communicates on the LAN and on the Internet using curl, wget, lftp, firefox, apache, ssh, openvpn, ...
Purpose
• Problem statement:
– How secure is each communication channel established by these applications?
– Can we ensure a consistent security level across all these applications?
• System-wide crypto policies
– Apply a consistent default security level across libraries and applications
– A level that is modifiable by the distributor and user of the software
Benefits
• The security level used by default by libraries and applications is known.
– Reduced administrative burden when setting up services (e.g., no need to follow long and complex advice such as that on bettercrypto.org)
– Reduced support costs (a big class of vulnerabilities that depend on inconsistent parameters is eliminated, e.g., Logjam)
– Easier audit (only programs that don't support the policy will need to be audited to figure out their security level)
Status
• Pilot version in Fedora 21 (common policy for GnuTLS and OpenSSL)
– 3 default policies to choose from (LEGACY, DEFAULT, FUTURE)
• Converted several libraries and applications by Fedora 22
– Web servers:
● Apache httpd, Lighttpd, Libmicrohttpd, ...
– Command line applications:
● Wget, Lftp, …
• Added BIND in Fedora 23
• Added Kerberos in Fedora 24
• Plan to add Java, NSS applications in Fedora 25
Status
• Upstream Patches
– GnuTLS
● Read profiles from a pre-configured file (upstream since 3.3.0)
– OpenSSL
● Read profiles from configuration file (github PR #192,#193) -- carried as downstream patch
– NSS
● Read policies via pkcs11.txt (upstream since 3.24.x)
Approach
• Re-use the existing cipher suite strings in gnutls and openssl
– OpenSSL example: “HIGH:aNULL:!MD5”
– GnuTLS example: “NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2”
• Store a system-wide pre-configured string which will be loaded when a specific cipher string is detected
– OpenSSL example: “PROFILE=SYSTEM”
– GnuTLS example: “@SYSTEM”
• Then, modify all programs' default configuration files to contain these strings
– When that's not possible, replace any hard-coded defaults with the system defaults
– Packaging guidelines: https://fedoraproject.org/wiki/Packaging:CryptoPolicies
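As an added illustration (not part of the original slides or of the Fedora tooling), the Python example below audits configuration lines for cipher directives that still carry their own string instead of the PROFILE=SYSTEM or @SYSTEM reference. The directive list and the sample lines are assumptions constructed for the example.

```python
import re

# The two policy references named on the slide (OpenSSL patch, GnuTLS).
POLICY_REFS = {"PROFILE=SYSTEM", "@SYSTEM"}

# Cipher-selection directives of a few TLS-enabled services, lowercased.
# This list is an assumption of the example and is not exhaustive.
CIPHER_DIRECTIVES = {
    "sslciphersuite",    # Apache httpd, mod_ssl
    "gnutlspriorities",  # Apache httpd, mod_gnutls
    "ssl.cipher-list",   # Lighttpd
    "ssl_cipher_list",   # Dovecot
}

def parse_directive(line):
    """Split 'name value' or 'name = value' into (name, value); None otherwise."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    if len(parts) != 2:
        return None
    name, value = parts
    return name.lower(), value.strip().rstrip(";").strip("\"'")

def audit(config_text):
    """Report cipher directives that do not defer to the system policy."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_directive(line)
        if parsed is None:
            continue
        name, value = parsed
        # Strict check: anything but an exact policy reference is reported.
        if name in CIPHER_DIRECTIVES and value not in POLICY_REFS:
            findings.append((lineno, name, value))
    return findings

# Constructed sample, not taken from any real system.
SAMPLE = """\
# constructed lines, as found across several services' config files
SSLCipherSuite PROFILE=SYSTEM
GnuTLSPriorities NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2
ssl.cipher-list = "HIGH:aNULL:!MD5"
ssl_cipher_list = PROFILE=SYSTEM
"""

if __name__ == "__main__":
    for lineno, name, value in audit(SAMPLE):
        print(f"line {lineno}: {name} overrides the system policy with {value!r}")
```

Each reported line is a place where a policy change (for example disabling a protocol version) would not reach the service until its own string is edited.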
Approach
• Packager assistance
– rpmlint was modified to warn packagers of applications which may need to be modified to adhere to policy (included in F23)
$ rpmlint dovecot-2.2.9-1.fc20.x86_64.rpm
dovecot.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/dovecot/libssl_iostream_openssl.so SSL_CTX_set_cipher_list
$ rpmlint -I crypto-policy-non-compliance-openssl
crypto-policy-non-compliance-openssl:
This application package calls a function to explicitly set crypto ciphers
for SSL/TLS. That may cause the application not to use the system-wide set
cryptographic policy and should be modified in accordance to:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
Approach
• Applications with config files (BIND, Kerberos)
– Generate a configuration file with the crypto settings to be included by the main config
# This file is automatically generated by update-crypto-policies.
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac
– File linked from /etc/krb5.conf.d/; the administrator can opt out by deleting the link
Lessons learned
• System-wide changes require a smooth transition
– It took 10 minutes to get a bug report in our rawhide (“later Fedora 22”) when we disabled SSL 3.0
Lessons learned
• Nevertheless, it works with sufficient planning
– Disabling RC4 and SSL 3.0 for all applications was possible in Fedora 23 via the system-wide policies
Lessons learned
• Upstream concerns
– Each application is free to set its own settings
– Changes for pro-active security are slow to adopt
● Unlike CVEs, no time pressure → gets postponed
Lessons learned
• Having a consistent default security level pays off:
– The fix for POODLE would have been a fix in the policy, not in 1000+ applications
– The same for issues in CBC ciphers, RC4, compression, …
– The Logjam attack would have been neutralized
Future plans
• Include openssh's cipher combinations
• Tracker at https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies
Future plans
• Auto-generate application policy (rewrite to perl pending)
• Generate the policy in a standardized way for applications to parse
Future plans
• Make it universal, not Fedora-only
https://github.com/nmav/fedora-crypto-policies