Chapter 3. Security

In Red Hat Enterprise Linux 6.5, integrity verification is performed when the dracut-fips package is present, regardless of whether the kernel operates in FIPS mode or not. For detailed information on how to make Red Hat Enterprise Linux 6.5 FIPS 140-2 compliant, consult the following Knowledge Base Solution:

https://access.redhat.com/site/solutions/137833

OpenSSL has been upgraded to upstream version 1.0.1 to add support for multiple new cryptographic algorithms and support for new versions (1.1, 1.2) of the Transport Layer Security (TLS) protocol.

This update adds the following ciphers needed for transparent encryption and authentication support in GlusterFS:

New additional supported algorithms are especially Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve Digital Signature Algorithm (ECDSA), and Advanced Encryption Standard in Counter with CBC-MAC mode (AES-CCM).

OpenSSH now complies with the PKCS #11 standard, which enables OpenSSH to use smartcards for authentication.

Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography (ECC). Note that only the nistp256 and nistp384 curves are supported.

Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) is supported, which allows for Perfect Forward Secrecy with much lower computational requirements.

OpenSSL and NSS now support the latest versions of the Transport Layer Security (TLS) protocol, which increases security of network connections and enables full interoperability with other TLS protocol implementations. The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.

In Red Hat Enterprise Linux 6.5, the SHA-2 cryptographic hash function can now be used in producing a hash message authentication code (MAC), which enables data integrity and verification in OpenSSH.

The openssl spec file now uses the prefix macro, which allows for rebuilding of the openssl packages in order to relocate them.

Suite B is a set of cryptographic algorithms specified by the NSA as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both unclassified information and most classified information. It includes:

NSS, GnuTLS, OpenSSL and Java have been enlisted to share a default source for retrieving system certificate anchors and blacklist information to enable a system-wide trust store of static data that is used by crypto toolkits as input for certificate trust decisions. System-level administration of certificates helps ease of use and is required by local system environments and corporate deployments.

If SSSD is configured to use the RFC 2307 schema, and the central LDAP server lists local users from the /etc/passwd file as members of the groups defined centrally, then SSSD properly returns local group members for such groups, when the option is enabled.

Network Security Services's (NSS) own internal cryptographic module in Red Hat Enterprise Linux 6.5 now supports the National Institute of Standards and Technology (NIST) Suite B set of recommended algorithms for Elliptic curve cryptography (ECC).

Red Hat Enterprise Linux 6.5 supports certificate authentication of users and hosts using a new OpenSSH certificate format. Certificates contain a public key, identity information and validity constraints, and are signed with a standard SSH public key using the ssh-keygen utility. Note that in ssh-keygen shipped with Red Hat Enterprise Linux 6, the -Z option is used for specifying the principals. For more information on this functionality, refer to the /usr/share/doc/openssh-5.3p1/PROTOCOL.certkeys file.