NIST Revises Guide to Use of Transport Layer Security (TLS) in Networks
From NIST Tech Beat: April 30, 2014
The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks.
The document, NIST Special Publication 800-52 Revision 1: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, updates the original SP 800-52, released in 2005.
Sensitive data—from credit card numbers to patient health information to social networking details—need protection when transmitted across an insecure network, so administrators employ protocols that reduce the risk of that data being intercepted and used maliciously. TLS, a standard specified by the Internet Engineering Task Force, defines the method by which client and server computers establish a secure connection with one another to protect data that is passed back and forth. TLS is used by a wide variety of everyday applications, including email, secure web browsing, instant messaging and voice-over-IP (VOIP).
The Internet Engineering Task Force found vulnerabilities in TLS 1.0, one of the most widely used protocols, and updated it to TLS 1.1 and then TLS 1.2 to resolve many of these security issues. SP 800-52 Rev. 1 offers guidance to administrators on how to use the new versions of TLS in their networks.
"TLS 1.1 and 1.2 offer administrators a great number of options," says NIST computer security expert Andrew Regenscheid. "We make recommendations in SP 800-52 Rev. 1 on how to configure those options, including which algorithms to use and the length of cryptographic keys."
NIST published the original version of SP 800-52 in 2005, but withdrew it in March 2013 because the guideline had not yet been updated based on the new versions of TLS and known vulnerabilities. This new publication is the final version of SP 800-52 Rev. 1, which incorporates public comments to the draft version made in the fall of 2013.
Chief among the changes in SP 800-52 are the recommendations that government servers and clients move to TLS 1.1 and 1.2. It also recommends that they adopt cipher suites with NIST-approved algorithms to support 112-bit security strength and higher.
The updated version can be downloaded at www.nist.gov/manuscript-publication-search.cfm?pub_id=915295.