Chapter 3. Security
Changes Related to FIPS 140-2 Certification
In Red Hat Enterprise Linux 6.5, integrity verification is performed when the dracut-fips package is present, regardless of whether the kernel operates in FIPS mode or not. For detailed information on how to make Red Hat Enterprise Linux 6.5 FIPS 140-2 compliant, consult the following Knowledge Base Solution:
OpenSSL Updated to Version 1.0.1
OpenSSL has been upgraded to upstream version 1.0.1 to add support for multiple new cryptographic algorithms and support for new versions (1.1, 1.2) of the Transport Layer Security (TLS) protocol.
This update adds the following ciphers needed for transparent encryption and authentication support in GlusterFS:
- CMAC (Cipher-based MAC)
- XTS (XEX Tweakable Block Cipher with Ciphertext Stealing)
- GCM (Galois/Counter Mode)
New additional supported algorithms are especially Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), and Advanced Encryption Standard in Counter with CBC-MAC mode (AES-CCM).
Smartcard Support in OpenSSH
OpenSSH now complies with the PKCS #11 standard, which enables OpenSSH to use smartcards for authentication.
ECDSA Support in OpenSSL
Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography (ECC). Note that only the
nistp256
and nistp384
curves are supported.
ECDHE Support in OpenSSL
Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) is supported, which allows for Perfect Forward Secrecy with much lower computational requirements.
Support of TLS 1.1 and 1.2 in OpenSSL and NSS
OpenSSL and NSS now support the latest versions of the Transport Layer Security (TLS) protocol, which increases security of network connections and enables full interoperability with other TLS protocol implementations. The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
OpenSSH Support of HMAC-SHA2 Algorithm
In Red Hat Enterprise Linux 6.5, the SHA-2 cryptographic hash function can now be used in producing a hash message authentication code (MAC), which enables data integrity and verification in OpenSSH.
prefix Macro in OpenSSL
The openssl spec file now uses the prefix macro, which allows for rebuilding of the openssl packages in order to relocate them.
NSA Suite B Cryptography Support
Suite B is a set of cryptographic algorithms specified by the NSA as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both unclassified information and most classified information. It includes:
- Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits. For traffic flow, AES should be used with either Counter Mode (CTR) for low bandwidth traffic or Galois/Counter Mode (GCM) of operation for high bandwidth traffic and symmetric encryption.
- Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures.
- Elliptic Curve Diffie-Hellman (ECDH) key agreement.
- Secure Hash Algorithm 2 (SHA-256 and SHA-384) message digest.
Shared System Certificates
NSS, GnuTLS, OpenSSL and Java have been enlisted to share a default source for retrieving system certificate anchors and blacklist information to enable a system-wide trust store of static data that is used by crypto toolkits as input for certificate trust decisions. System-level administration of certificates helps ease of use and is required by local system environments and corporate deployments.
LDAP Groups Are Permitted To Contain Local Users Stored in the /etc/passwd
File
If SSSD is configured to use the RFC 2307 schema, and the central LDAP server lists local users from the
/etc/passwd
file as members of the groups defined centrally, then SSSD properly returns local group members for such groups, when the option is enabled.
ECC Support in NSS
Network Security Services's (NSS) own internal cryptographic module in Red Hat Enterprise Linux 6.5 now supports the National Institute of Standards and Technology (NIST) Suite B set of recommended algorithms for Elliptic curve cryptography (ECC).
Certificate Support in OpenSSH
Red Hat Enterprise Linux 6.5 supports certificate authentication of users and hosts using a new OpenSSH certificate format. Certificates contain a public key, identity information and validity constraints, and are signed with a standard SSH public key using the ssh-keygen utility. Note that in ssh-keygen shipped with Red Hat Enterprise Linux 6, the
-Z
option is used for specifying the principals. For more information on this functionality, refer to the /usr/share/doc/openssh-5.3p1/PROTOCOL.certkeys
file.