Daemon crypt v2: How it works and how to get it

The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered secure because of many documented successful attacks based on finding hash collisions. The RHEL core crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 in security-relevant use cases.

Daemon crypt v2 download

DOWNLOAD

Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created using SHA-1 because these use cases do not currently pose security risks. SHA-1 can also be used in limited cases connected with important interoperability and compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using cryptography that is not compliant with FIPS 140-3 section for more details.

You can use the new MultiPath TCP daemon (mptcpd) to configure MultiPath TCP (MPTCP) endpoints without using the iproute2 utility. To make MPTCP subflows and endpoints persistent, use a NetworkManager dispatcher script.

In RHEL 9, the libvirt library uses modular daemons that handle individual virtualization driver sets on your host. This makes it possible to fine-grain a variety of tasks that involve virtualization drivers, such as resource load optimization and monitoring.

In addition, Virtual Trusted Platform Module (vTPM) is now fully supported. Using vTPM, you can add a TPM virtual crypto-processor to a VM, which can then be used for generating, storing, and managing cryptographic keys.

See the Performing a standard RHEL 9 installation document for instructions on downloading ISO images, creating installation media, and completing a RHEL installation. For automated Kickstart installations and other advanced topics, see the Performing an advanced RHEL 9 installation document.

With this enhancement, the Clevis framework supports the SHA-256 algorithm as the default hash for JSON Web Key (JWK) thumbprints as recommended by RFC 7638. Because the older thumbprints (SHA-1) are still supported, you can still decrypt the previously encrypted data.

With this update, you can download ansible-freeipa modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository.

In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the Networking RHEL System role supports SAE. As a result, administrators can now use the Networking System Role to configure connections to Wi-Fi networks, which use WPA-SAE.

The Networking RHEL System Role now supports Opportunistic Wireless Encryption (owe). owe is a wireless authentication key management type that uses encryption between Wi-Fi clients and access points, and protects Wi-Fi clients from sniffing attacks. To use owe, set the wireless authentication key management type,key_mgmt field, to owe.

Previously, users in disconnected environments that needed to pull packages from a custom server or Satellite users that needed to point to Satellite or Capsule had no support from the microsoft.sql.server role. This update fixes it by providing the mssql_rpm_key, mssql_server_repository, and mssql_client_repository variables that you can use to customize the repositories to download packages from. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs.

Using virt-install or virt-xml, you can now attach mediated devices to your virtual machines (VMs), such as vfio-ap and vfio-ccw. This for example enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z hosts. In addition, using virt-install, you can create a VM that uses an existing DASD mediated device as its primary disk. For instructions to do so, see the Configuring and Managing Virtualization in RHEL 9 guide.

In RHEL 9, the libvirt library uses modular daemons that handle individual virtualization driver sets on your host. For example, the virtqemud daemon handles QEMU drivers. This makes it possible to fine-grain a variety of tasks that involve virtualization drivers, such as resource load optimization and monitoring.

In addition, the monolithic libvirt daemon, libvirtd, has become deprecated. However, if you upgrade from RHEL 8 to RHEL 9, your host will still use libvirtd, which you can continue using in RHEL 9. Nevertheless, Red Hat recommends switching to modular libvirt daemons instead.

The Virtual Trusted Platform Module (vTPM) is fully supported in RHEL 9. Using vTPM, you can add a TPM virtual crypto-processor to a virtual machine (VM) running in the RHEL 9 KVM hypervisor. This makes it possible to use the VM for generating, storing, and managing cryptographic keys.

The openssl image provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Using the OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and display certificate information.

Previously, when using virt-who to set up RHEL 9 virtual machines (VMs) on a Hyper-V hypervisor, virt-who did not properly communicate with the hypervisor, and the setup failed. This was because of a deprecated encryption method in the openssl package.

Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using hardware optimization. Therefore, in previous versions of RHEL, the operation was disabled in the libgcrypt package when in the FIPS mode. RHEL 9 enables hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed faster.

Previously, the crypto-policies package used a wrong keyword to disable the ChaCha20 cipher in OpenSSL. Consequently, you could not disable ChaCha20 for the TLS 1.2 protocol in OpenSSL through crypto-policies. With this update, the -CHACHA20 keyword is used instead of -CHACHA20-POLY1305. As a result, you now can use the cryptographic policies for disabling ChaCha20 cipher usage in OpenSSL for TLS 1.2 and TLS 1.3.

Previously, the usbguard-notifier service did not have inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each second after a connection failure, by default, the log contained an excessive amount of these messages soon.

With this update, usbguard-notifier does not start with --wait by default. The service attempts to connect to the daemon only three times in the 1-second intervals. As a result, the log contains three such error messages at maximum.

Previously, many Wifi and 802.1x Ethernet connections profiles were not able to connect. This bug is now fixed. All the profiles are now connecting properly. Profiles that use legacy cryptographic algorithms still work but you need to manually enable the OpenSSL legacy provider. This is required, for example, when you use DES with MS-CHAPv2 and RC4 with TKIP.

When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, prior to this update, users with a password hashed with the password-based key derivation function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, authentication with passwords hashed with the PBKDF2 algorithm now works as expected.

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation.

Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created using SHA-1 because these use cases do not currently pose security risks. SHA-1 also can be used in limited cases connected with important interoperability and compatibility concerns, such as Kerberos and WPA-2. See the List of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the RHEL 9 Security hardening document for more details.

The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 provides them for migrating encrypted data to use new algorithms. Users must not depend on those algorithms for the security of their systems. 2ff7e9595c

Space

Alien

Daemon crypt v2: How it works and how to get it

Daemon crypt v2 download

Recent Posts

Comments

Download &

Play Now!