NIST Issues Revised TLS Protocol Guidance

Protecting Sensitive Data Conveyed Across Networks
NIST Issues Revised TLS Protocol Guidance

In the nine years since the National Institute of Standards and Technology issued guidance on transport layer security protocol, two new versions of TLS protocols have been published. To address new features and new threats, NIST has revised its guidance, issuing a special publication.

See Also: Rethinking Endpoint Security

The guidance - SP 800-52 Rev. 1: Guidelines for the Selection, Configuration and Use of Transport Layer Security Implementations - provides mechanisms to protect sensitive data during electronic transmission across networks. It's aimed to help organizations to select and configure TLS protocol implementations while making effective use of NIST-recommended cryptographic algorithms and Federal Information Processing Standards, known as FIPS, which are followed by all non-military federal agencies and government contractors.

A successor to Secure Sockets Layer, TLS is a cryptographic protocol that is designed to provide communications security over the Internet.

"The revised publication recommends that agencies support these more secure versions of the protocol on their servers and clients, along with stronger cryptographic algorithms and key lengths," says Andy Regenscheid, a mathematician in NIST's computer security division.

Tangential Link to Heartbleed

TLS gained some notoriety with the open-source OpenSSL flaw known as Heartbleed (see Hearbleed Discoverer Speaks Out). OpenSSL is widely used to implement the TLS protocol.

Regenscheid says the Heartbleed vulnerability was caused by a defect in a particular software library that implements the TLS rather than a weakness in the protocol itself.

"While SP 800-52 Rev. 1 does not address this vulnerability, organizations should certainly take steps to identify systems vulnerable to Heartbleed and take any necessary remediating actions," he says.

NIST says the revised guidance promotes:

  • More consistent use of authentication, confidentiality and integrity mechanisms for the protection of information transport across the Internet;
  • Consistent use of recommended cipher suites that encompass NIST-approved algorithms and open standards;
  • Protection against known and anticipated attacks on the TLS protocol; and
  • Informed decisions by system administrators and managers in the integration of transport layer security implementations.

NIST says that while these guidelines are primarily designed for federal users and system administrators to adequately protect sensitive but unclassified government data against serious threats on the Internet, they may also be used within closed network environments to segregate data. The revised guidance also can be applied in other sectors outside the government.

* * *

This story was modified from an earlier version that incorrectly stated that transport layer security protocol was a predecessor of secure sockets layer.


About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.




Around the Network