Set Cryptographic Strength Policy from the CLI
To configure a cryptographic strength policy via the CLI, enter the following command:
$ policy crypto set [compliance=value] [tlsv1.{0|1|2}=yes|no] [sslv3=yes|no]
Example:
$ policy crypto set compliance=ndpp11
New policy successfully set.
You must REBOOT for crypto policy changes to take effect!
Important
Do not reboot the Makito X at this point.
The possible values for the configurable parameters are:
Parameter | Values | Description |
---|---|---|
compliance | none | Favors interoperability (default) |
 | FIPS140 | Applies cryptographic modules accredited under the Federal Information Processing Standard (FIPS) Publication 140-2 |
 | NDPP11 | Applies cryptographic modules accredited under the National Information Assurance Partnership (NIAP) Network Device Protection Profile revision 1.1 |
 | SP800-52r1 (Deprecated) | Applies cryptographic modules recommended under the National Institute of Standards and Technology (NIST) Special Publication 800-52, revision 1 (Deprecated) |
 | SP800-52r2 | Applies cryptographic modules recommended under the National Institute of Standards and Technology (NIST) Special Publication 800-52, revision 2 |
tlsv1.0, tlsv1.1, tlsv1.2 | yes, no | Enables or disables the specified TLS version (1.0, 1.1, or 1.2) |
sslv3 | yes, no | Enables or disables SSL version 3 (permitted only when compliance = none) |
The following table shows the Makito X SSH settings for each cryptographic compliance profile.
SSH setting | None | FIPS140 | NDPP11 | SP800-52r2 |
---|---|---|---|---|
Host Key(s) | ||||
DSA | 1024 | 1024 | - | - |
EC | 256 | 256 | 256 | 256 |
RSA | 2048 | 2048 | 2048 | 2048 |
Key Exchange | ||||
diffie-hellman-group-exchange-sha256 | √ | - | - | - |
diffie-hellman-group14-sha1 | √ | √ | √ | √ |
ecdh-sha2-nistpXXX | 256,384,521 | 256,384,521 | 256,384,521 | 256,384,521 |
Ciphers | ||||
aesXXX-cbc | 128,192,256 | 128,192,256 | 128,256 | - |
aesXXX-ctr | 128,192,256 | 128,192,256 | - | 128,192,256 |
aesXXX-gcm@openssh.com | 128,256 | 128,256 | 128,256 | 128,256 |
3des-cbc | - | - | - | - |
Message Authentication Codes (MACs) | ||||
hmac-sha1 | √ | √ | √ | √ |
hmac-sha2-XXX | 256,512 | 256,512 | 256,512 | 256,512 |
(aead-aesXXX-gcm) | 128,256 | 128,256 | 128,256 | 128,256 |
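After the reboot that applies the policy, the table above is what the device's SSH server should advertise, and a practitioner will want to confirm that rather than trust the "New policy successfully set" message. The script below is an added example, not part of the Haivision documentation or the Makito X firmware: it parses the server KEXINIT proposal as printed by OpenSSH's `ssh -vv` (the `debug2: peer server KEXINIT proposal` section and its `KEX algorithms`, `host key algorithms`, `ciphers stoc` and `MACs stoc` lines), encodes the table as allowed-algorithm sets per profile, and reports anything offered that the profile does not permit and anything from the table that is not offered. The mapping of the table's host-key rows to SSH wire names (DSA to `ssh-dss`, EC 256 to `ecdsa-sha2-nistp256`, RSA to `ssh-rsa`, with `rsa-sha2-*` treated as the same RSA key) and the sample transcript are assumptions; the transcript is constructed, not captured from a device. The parenthesised `aead-aesXXX-gcm` MAC row is implied by the GCM ciphers and is not a negotiable MAC name, so it is not checked separately.

```python
"""Compare an OpenSSH 'ssh -vv' server proposal against a Makito X crypto profile."""
import re

# Allowed server algorithms per compliance profile, transcribed from the SSH
# settings table. Host keys use SSH wire names (assumed mapping): the table's
# "DSA 1024" is ssh-dss, "EC 256" is ecdsa-sha2-nistp256, "RSA 2048" is ssh-rsa.
_ECDH = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
_CBC = ["aes128-cbc", "aes192-cbc", "aes256-cbc"]
_CTR = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
_GCM = ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
_MACS = ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"]

PROFILES = {
    "none": {
        "hostkey": ["ssh-dss", "ecdsa-sha2-nistp256", "ssh-rsa"],
        "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"] + _ECDH,
        "cipher": _CBC + _CTR + _GCM,
        "mac": _MACS,
    },
    "FIPS140": {
        "hostkey": ["ssh-dss", "ecdsa-sha2-nistp256", "ssh-rsa"],
        "kex": ["diffie-hellman-group14-sha1"] + _ECDH,
        "cipher": _CBC + _CTR + _GCM,
        "mac": _MACS,
    },
    "NDPP11": {
        "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
        "kex": ["diffie-hellman-group14-sha1"] + _ECDH,
        "cipher": ["aes128-cbc", "aes256-cbc"] + _GCM,
        "mac": _MACS,
    },
    "SP800-52r2": {
        "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
        "kex": ["diffie-hellman-group14-sha1"] + _ECDH,
        "cipher": _CTR + _GCM,
        "mac": _MACS,
    },
}

# 'ssh -vv' prints the client's proposal first, then the server's; only the
# server's section matters for checking the device.
_SERVER_SECTION = "peer server KEXINIT proposal"
_LINE = re.compile(r"debug2: (KEX algorithms|host key algorithms|ciphers stoc|MACs stoc): (.*)")
_CATEGORY = {"KEX algorithms": "kex", "host key algorithms": "hostkey",
             "ciphers stoc": "cipher", "MACs stoc": "mac"}
# Negotiation markers that ride in the KEX list but are not key-exchange methods.
_NOT_ALGORITHMS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}
# Assumption: rsa-sha2-* signature names refer to the same RSA host key as ssh-rsa.
_HOSTKEY_ALIASES = {"rsa-sha2-256": "ssh-rsa", "rsa-sha2-512": "ssh-rsa"}


def parse_server_proposal(transcript):
    """Return {category: set(names)} that the server advertised in an ssh -vv log."""
    offered = {}
    in_server = False
    for line in transcript.splitlines():
        if "KEXINIT proposal" in line:
            in_server = _SERVER_SECTION in line
            continue
        m = _LINE.search(line)
        if not (in_server and m):
            continue
        names = {n.strip() for n in m.group(2).split(",") if n.strip()} - _NOT_ALGORITHMS
        cat = _CATEGORY[m.group(1)]
        if cat == "hostkey":
            names = {_HOSTKEY_ALIASES.get(n, n) for n in names}
        offered[cat] = names
    return offered


def check_profile(transcript, profile):
    """Per category: algorithms offered but not permitted, and permitted but not offered."""
    offered = parse_server_proposal(transcript)
    report = {}
    for cat, allowed in PROFILES[profile].items():
        got = offered.get(cat, set())
        report[cat] = {
            "unexpected": sorted(got - set(allowed)),  # policy violation if non-empty
            "missing": sorted(set(allowed) - got),     # table entry the device did not offer
        }
    return report


# Constructed sample (not a real capture): the server offers the NDPP11 set plus
# two extras, DH group exchange and aes128-ctr, as a misconfigured device might.
SAMPLE_TRANSCRIPT = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: umac-64-etm@openssh.com,hmac-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,ext-info-s
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-cbc,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes128-cbc,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""

if __name__ == "__main__":
    for cat, delta in check_profile(SAMPLE_TRANSCRIPT, "NDPP11").items():
        print(f"{cat:8} unexpected={delta['unexpected']} missing={delta['missing']}")
```

To use it against a real device, capture `ssh -vv user@makito exit 2>&1` after the reboot and feed that text to `check_profile` with the profile you set; a non-empty `unexpected` list means the running configuration does not match the table, and a non-empty `missing` list means a client relying on that algorithm will fail to connect. Run the same check against your other profile (for example SP800-52r2) before switching, to see which CBC ciphers disappear and which CTR ciphers must appear.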
Note
It is possible to customize many of the security settings described in this document. For more information, refer to Appendix E: Custom Security Settings.
See also "Policy Settings" in the associated User's Guide.