Fedora System-wide Crypto Policies
Nikos Mavrogiannopoulos
Red Hat Security Technologies
June, 2016
• Purpose
• Benefits
• Status
• Approach
• Lessons Learned
• Future
3/17/13 3Red Hat
me
• I work at Red Hat Security technologies
– Mostly on crypto-related projects (Fedora, RHEL)
– I like working on GnuTLS, OpenConnect VPN, OpenWRT
– I started the 'System-wide crypto policies' project at Fedora
Purpose
• Problem statement:
Communicates on the LAN
and on the Internet using
curl, wget, lftp, firefox,
apache, ssh, openvpn, ...
– How secure is each communication channel established by these applications?
– Can we ensure a consistent security level across all these applications?
• System-wide crypto policies
– Apply a consistent default security level across libraries and applications
– A level that is modifiable by the distributor and user of the software
• How is the problem tackled today?
– bettercrypto.org:
– Two years later: system outdated
Benefits
• The security level used by default by libraries and applications is known.
– Reduced administrative burden when setting up services (e.g., no need to follow long and complex advice such as that on bettercrypto.org)
– Reduced support costs (a big class of vulnerabilities that depends on inconsistent parameters is eliminated, e.g., Logjam)
– Easier audits (only programs that don't support the policy need to be audited to determine their security level)
Status
• Pilot version in Fedora 21 (common policy for GnuTLS and OpenSSL)
– 3 default policies to choose from (LEGACY, DEFAULT, FUTURE)
• Converted several libraries and applications by Fedora 22
– Web servers: Apache httpd, Lighttpd, Libmicrohttpd, ...
– Command line applications: Wget, Lftp, …
• Added BIND in Fedora 23
• Added Kerberos in Fedora 24
• Plan to add Java, NSS applications in Fedora 25
• Upstream Patches
– GnuTLS: Read profiles from a pre-configured file (upstream since 3.3.0)
– OpenSSL: Read profiles from configuration file (GitHub PR #192, #193), carried as a downstream patch
– NSS: Read policies via pkcs11.txt (upstream since 3.24.x)
Approach
• Re-use the existing cipher suite strings in gnutls and openssl
– OpenSSL example: “HIGH:aNULL:!MD5”
– GnuTLS example: “NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2”
• Store a system-wide pre-configured string which will be loaded when a specific cipher string is detected
– OpenSSL example: “PROFILE=SYSTEM”
– GnuTLS example: “@SYSTEM”
• Then, modify all programs' default configuration files to contain these strings
– When that's not possible, replace any hard-coded defaults with the system defaults
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
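An added example (not from the slides or the Fedora project) of auditing service configuration for the keywords above: it flags cipher directives that hard-code a string instead of `PROFILE=SYSTEM` or `@SYSTEM`. The sample files, the strings in `SYSTEM_POLICY` and the exact-match rule are constructed assumptions; the directive names are those of mod_ssl, lighttpd and mod_gnutls.

```python
import re

# Keywords from the slides: the library swaps these for the system-wide string.
SYSTEM_KEYWORDS = {"openssl": "PROFILE=SYSTEM", "gnutls": "@SYSTEM"}

# Directives that carry a cipher/priority string, and the library that parses it.
DIRECTIVES = {
    "SSLCipherSuite": "openssl",    # Apache httpd mod_ssl
    "ssl.cipher-list": "openssl",   # lighttpd
    "GnuTLSPriorities": "gnutls",   # Apache httpd mod_gnutls
}

# Constructed stand-ins for the pre-configured system strings (assumption:
# real values come from the distribution's policy, not from this table).
SYSTEM_POLICY = {
    "openssl": "HIGH:!aNULL:!RC4:!MD5",
    "gnutls": "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2",
}

# Constructed sample configuration files.
SAMPLE_CONFIGS = {
    "httpd-ssl.conf": (
        "SSLEngine on\n"
        "# SSLCipherSuite RC4-SHA\n"
        "SSLCipherSuite PROFILE=SYSTEM\n"
    ),
    "legacy-vhost.conf": "SSLCipherSuite HIGH:MEDIUM:RC4-SHA\n",
    "lighttpd.conf": 'ssl.cipher-list = "PROFILE=SYSTEM"\n',
    "gnutls-vhost.conf": "GnuTLSPriorities NORMAL:+ARCFOUR-128\n",
}

# "Key value" (Apache style) or "key = value" (lighttpd style).
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][\w.\-]*)\s*=?\s*(?P<val>\S.*?)\s*$")


def audit_config(path, text):
    """Return one finding per cipher directive found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not in effect
        m = LINE_RE.match(line)
        if not m or m.group("key") not in DIRECTIVES:
            continue
        backend = DIRECTIVES[m.group("key")]
        value = m.group("val").strip("\"'")
        # Assumption: only an exact keyword match counts as following the policy.
        follows = value == SYSTEM_KEYWORDS[backend]
        findings.append({
            "file": path,
            "line": lineno,
            "backend": backend,
            "configured": value,
            "follows_policy": follows,
            # What the library ends up with: the system string or the override.
            "effective": SYSTEM_POLICY[backend] if follows else value,
        })
    return findings


def audit_all(configs):
    """Audit a {path: text} mapping and return all findings in order."""
    findings = []
    for path, text in configs.items():
        findings.extend(audit_config(path, text))
    return findings


def overrides(findings):
    """Findings whose directive hard-codes a string (these need manual audit)."""
    return [f for f in findings if not f["follows_policy"]]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONFIGS):
        status = "system policy" if f["follows_policy"] else "OVERRIDE"
        print(f"{f['file']}:{f['line']}: {status:13} {f['backend']:7} "
              f"effective={f['effective']}")
```
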
• Packager assistance
– rpmlint was modified to warn packagers of applications which may need to be modified to adhere to policy (included in F23)
$ rpmlint dovecot-2.2.9-1.fc20.x86_64.rpm
dovecot.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/dovecot/libssl_iostream_openssl.so SSL_CTX_set_cipher_list
$ rpmlint -I crypto-policy-non-compliance-openssl
crypto-policy-non-compliance-openssl:
This application package calls a function to explicitly set crypto ciphers
for SSL/TLS. That may cause the application not to use the system-wide set
cryptographic policy and should be modified in accordance to:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
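An added sketch (not rpmlint's own code) of the kind of check behind the warning above: it reads a binary's import list and reports calls that set ciphers explicitly. It assumes the list comes from `nm -D` output, which is constructed here; flagging `SSL_set_cipher_list` as well is an assumption, and rpmlint's actual symbol list and method may differ.

```python
# Functions that set a cipher list explicitly. SSL_CTX_set_cipher_list is the
# one named in the rpmlint output above; SSL_set_cipher_list is its
# per-connection OpenSSL counterpart (flagging it is an assumption).
FLAGGED = {"SSL_CTX_set_cipher_list", "SSL_set_cipher_list"}

# Warning tag as printed by rpmlint in the slide.
TAG = "crypto-policy-non-compliance-openssl"

# Constructed `nm -D` output for a hypothetical shared object.
SAMPLE_NM = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_CTX_set_cipher_list@OPENSSL_1_1_0
                 U memcpy@GLIBC_2.14
0000000000004a10 T my_SSL_CTX_set_cipher_list_wrapper
                 w __gmon_start__
"""

# Constructed output for a binary that leaves cipher selection to the library.
CLEAN_NM = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_connect@OPENSSL_1_1_0
"""


def undefined_symbols(nm_output):
    """Names the binary imports from other libraries (nm type 'U')."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        # Undefined entries have no address column: "<type> <name>".
        if len(fields) == 2 and fields[0] == "U":
            # Drop the symbol version suffix ("@OPENSSL_1_1_0").
            names.add(fields[1].split("@", 1)[0])
    return names


def policy_warnings(package, path, nm_output):
    """rpmlint-style warning lines for imports that set ciphers explicitly."""
    # Exact-name match on imports only: a locally defined wrapper whose name
    # merely contains the function name is not reported.
    hits = sorted(undefined_symbols(nm_output) & FLAGGED)
    return [f"{package}: W: {TAG} {path} {sym}" for sym in hits]


if __name__ == "__main__":
    so = "/usr/lib64/dovecot/libssl_iostream_openssl.so"
    for warning in policy_warnings("dovecot.x86_64", so, SAMPLE_NM):
        print(warning)
```
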
• Applications with config files (BIND, Kerberos)
– Generate a configuration file with the crypto settings to be included by the main config
# This file is automatically generated by update-crypto-policies.
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac
– The file is linked from /etc/krb5.conf.d/; the administrator can opt out by deleting the link
• Ideally covered settings:
– Signature algorithms
– MAC algorithms
– Cipher algorithms
– Key exchange algorithm
– Elliptic curves
– Size of parameters (RSA, DH)
– Protocols (TLS 1.1, 1.2, …)
– Compression
(Slide annotations: GnuTLS, NSS / OpenSSL)
Lessons learned
• System-wide changes require a smooth transition
– It took 10 minutes to get a bug report in our rawhide (“later Fedora 22”) when we disabled SSL 3.0
• Nevertheless, it works with sufficient planning
– Disabling RC4 and SSL 3.0 for all applications was possible in Fedora 23 via the system-wide policies
• Upstream concerns
– Each application is free to set their own settings
– Changes for pro-active security are slow to adopt (unlike CVEs, no time pressure → gets postponed)
• Having a consistent default security level pays off:
– The fix for POODLE would have been a fix in the policy, not in 1000+ applications
– The same for issues in CBC ciphers, RC4, compression, …
– The Logjam attack would have been neutralized
Future plans
• Include openssh's cipher combinations
• Tracker at https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies
• Auto-generate application policy (rewrite to Perl pending)
• Generate the policy in a standardized way for applications to parse
• Make it universal, not Fedora-only
https://github.com/nmav/fedora-crypto-policies
Questions
