1.6.4 Ensure system wide crypto policy disables macs less than 128 bits

Information

Message Authentication Code (MAC) algorithm is a family of cryptographic functions that is parameterized by a symmetric key. Each of the functions can act on input data (called a "message") of variable length to produce an output value of a specified length. The output value is called the MAC of the input message.

A MAC algorithm can be used to provide data-origin authentication and data-integrity protection

Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the tunnel and capture credentials and information.

A MAC algorithm must be computationally infeasible to determine the MAC of a message without knowledge of the key, even if one has already seen the results of using that key to compute the MAC's of other messages.

Solution

Note:

- The commands below are written for the included DEFAULT system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT with the name of your system-wide crypto policy.
- Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC
- Subpolicies:
- Not included in the update-crypto-policies --set command will not be applied to the system wide crypto policy.
- must exist before they can be applied to the system wide crypto policy.
- pmod file filenames must be in all upper case, upper case, e.g. NO-WEAKMAC.pmod or they will not be read by the update-crypto-policies --set command.

Create or edit a file in /etc/crypto-policies/policies/modules/ ending inpmod and add or modify one of the following lines:

mac = -*-64* # Disables weak macs

Example:

# printf '%s
' "# This is a subpolicy to disable weak macs" "mac = -*-64" >> /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod

Run the following command to update the system-wide cryptographic policy

# update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<CRYPTO_SUBPOLICY3>

Example:

update-crypto-policies --set DEFAULT:NO-SHA1:NO-WEAKMAC

Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications:

# reboot

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: be1c3795ba018a909ffac9f13e47952969b3d1af9d885773b9e958e3c6bd313c