Professional Documents
Culture Documents
examples
Tomáš Mráz
Principal SW Engineer, Red Hat
1
AGENDA
Motivation
Crypto policies
Examples
Future
Summary
2
Motivation
3
Motivation
You can never think that a crypto system deployed in year X will be
4
Motivation
5
Motivation
bettercrypto.org
6
Motivation
heterogenous environment?
7
Motivation
8
Crypto policies
come to rescue
9
Crypto policies
10
Crypto policies
Single command:
11
Crypto policies
OpenSSL GnuTLS
Controls:
NSS Java
Kerberos 5 Bind
libssh libreswan
12
Crypto policies
supported backends.
13
Crypto policies
14
Crypto policies
Just run:
fips-mode-set --enable
reboot
15
Crypto policies
16
Crypto policies
FIPS support
Simplify FIPS enablement
Where?
Current Fedora and Red Hat Enterprise Linux 8
17
Crypto policies
requirements?
18
Custom crypto policies
come to rescue
19
Custom crypto policies
20
Custom crypto policies
21
Custom crypto policies
22
Custom crypto policies
Placement of the
policy modifier files:
/etc/crypto-policies/policies/modules
/usr/share/crypto-policies/policies/modules
23
Custom crypto policies
Policy modifiers
hash = -SHA1
sign = -RSA-PSS-SHA1 -RSA-SHA1 -ECDSA-SHA1
/usr/share/crypto-policies/policies/modules/NO-SHA1.pmod
The hash value affects other use than signatures.
24
Custom crypto policies
25
Custom crypto policies
26
Custom crypto policies
Policy modifiers
27
Custom crypto policies
Policy modifiers
28
Custom crypto policies
Policy modifiers
29
Custom crypto policies
Policy modifiers
Allow smaller DH
parameters and RSA
# Parameter sizes
keys in FUTURE policy: min_dh_size = 2048
min_rsa_size = 2048
30
Custom crypto policies
Policy modifiers
31
Custom crypto policies
Policy modifiers
32
Custom crypto policies
Policy modifiers
Multiple modifiers
can be applied:
33
Custom crypto policies
34
Custom crypto policies
35
Custom crypto policies
36
Future
37
Future
38
Summary
39
Summary
Single command to rule Multiple pre-designed Custom policies can be Simple policy definition
them (algorithms and policy levels created from scratch or by format
libraries) all policy modification
40
CONFIDENTIAL Designator
youtube.com/user/RedHatVideos
https://gitlab.com/redhat-crypto/fedora-crypto-policies facebook.com/redhatinc
twitter.com/RedHat
41