1.6.2 Ensure system wide crypto policy disables sha1 hash and signature support

Information

SHA-1 (Secure Hash Algorithm) is a cryptographic hash function that produces a 160 bit hash value.

The SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to attacks. The most significant danger for a hash algorithm is when a "collision" which happens when two different pieces of data produce the same hash value occurs. This hashing algorithm has been considered weak since 2005.

Note: The use of SHA-1 with hashbased message authentication codes (HMAC) do not rely on the collision resistance of the corresponding hash function, and therefore the recent attacks on SHA-1 have a significantly lower impact on the use of SHA-1 for HMAC. Because of this, the recommendation does not disable the hmac-sha1 MAC.

Solution

Note:

- The commands below are written for the included DEFAULT system-wide crypto policy. If another policy is in use and follows local site policy, replace DEFAULT with the name of your system-wide crypto policy.
- Multiple subpolicies may be assigned to a policy as a colon separated list. e.g. DEFAULT:NO-SHA1:NO-SSHCBC
- The module for disabling SHA-1 is available from release 8.3 in /usr/share/crypto-policies/policies/modules/NO-SHA1.pmod This may be copied to /etc/crypto-policies/policies/modules/NO-SHA1.pmod verified, and used instead of creating a file ending inpmod in the /etc/crypto-policies/policies/modules/ directory.
- Any subpolicy not included in the update-crypto-policies --set command will not be applied to the system wide crypto policy.
- Subpolicies must exist before they can be applied to the system wide crypto policy.

Create or edit a file in /etc/crypto-policies/policies/modules/ ending inpmod and add or modify the following lines:

hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0

Example:

# echo -e "# This is a subpolicy dropping the SHA1 hash and signature support
hash = -SHA1
sign = -*-SHA1
sha1_in_certs = 0" > /etc/crypto-policies/policies/modules/NO-SHA1.pmod

Run the following command to update the system-wide cryptographic policy

# update-crypto-policies --set <CRYPTO_POLICY>:<CRYPTO_SUBPOLICY1>:<CRYPTO_SUBPOLICY2>:<SUBPOLICY3>

Example:

update-crypto-policies --set DEFAULT:NO-SHA1

Run the following command to reboot the system to make your cryptographic settings effective for already running services and applications:

# reboot

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 21c5161af7e51a2892c382983a7dda6fdd82fcfd1c3d1530acf6edb6df7b43a2