NIST.SP.800-52传输层安全选择、配置使用指南

需积分: 17 163 浏览量 2018-12-01 16:26:33 上传评论收藏 710KB PDF 举报

资源推荐

资源详情

资源评论

NIST Special Publication 800-52

Revision 1

Guidelines for the Selection,

Configuration, and Use of

Transport Layer Security (TLS)

Implementations

Tim Polk

Kerry McKay

Santosh Chokhani

http://dx.doi.org/10.6028/NIST.SP.800-52r1

C O M P U T E R S E C U R I T Y

Authority

This publication has been developed by NIST to further its statutory responsibilities under the

Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is

responsible for developing information security standards and guidelines, including minimum

requirements for Federal information systems, but such standards and guidelines shall not apply

to national security systems without the express approval of appropriate Federal officials

exercising policy authority over such systems. This guideline is consistent with the requirements

of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency

Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.

Supplemental information is provided in Circular A-130, Appendix III, Security of Federal

Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made

mandatory and binding on Federal agencies by the Secretary of Commerce under statutory

authority. Nor should these guidelines be interpreted as altering or superseding the existing

authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.

This publication may be used by nongovernmental organizations on a voluntary basis and is not

subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-52 Revision 1

Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Revision 1, 66 pages (April 2014)

http://dx.doi.org/10.6028/NIST.SP.800-52r1

CODEN: NSPUE2

Comments on this publication may be submitted to:

National Institute of Standards and Technology

Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

Email:

SP80052-comments@nist.gov

Certain commercial entities, equipment, or materials may be identified in this document in order to

describe an experimental procedure or concept adequately. Such identification is not intended to imply

recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or

equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST

in accordance with its assigned statutory responsibilities. The information in this publication, including

concepts and methodologies, may be used by Federal agencies even before the completion of such

companion publications. Thus, until each publication is completed, current requirements, guidelines,

and procedures, where they exist, remain operative. For planning and transition purposes, Federal

agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and

provide feedback to NIST. All NIST Computer Security Division publications, other than the ones

noted above, are available at http://csrc.nist.gov/publications.

iii

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and

Technology (NIST) promotes the U.S. economy and public welfare by providing

technical leadership for the Nation’s measurement and standards infrastructure. ITL

develops tests, test methods, reference data, proof of concept implementations, and

technical analyses to advance the development and productive use of information

technology. ITL’s responsibilities include the development of management,

administrative, technical, and physical standards and guidelines for the cost-effective

security and privacy of other than national security-related information in Federal

information systems. The Special Publication 800-series reports on ITL’s research,

guidelines, and outreach efforts in information system security, and its collaborative

activities with industry, government, and academic organizations.

Abstract

Transport Layer Security (TLS) provides mechanisms to protect sensitive data during

electronic dissemination across the Internet. This Special Publication provides guidance

to the selection and configuration of TLS protocol implementations while making

effective use of Federal Information Processing Standards (FIPS) and NIST-

recommended cryptographic algorithms, and requires that TLS 1.1 configured with FIPS-

based cipher suites as the minimum appropriate secure transport protocol and

recommends that agencies develop migration plans to TLS 1.2 by January 1, 2015. This

Special Publication also identifies TLS extensions for which mandatory support must be

provided and other recommended extensions.

Keywords

information security; network security; SSL; TLS; Transport Layer Security

Acknowledgements

The authors, Tim Polk and Kerry McKay of NIST, and Santosh Chokhani of CygnaCom

Solutions would like to thank the many people who assisted with the development of this

document. In particular we would like to acknowledge Matthew J. Fanto and C. Michael

Chernick of NIST and Charles Edington III and Rob Rosenthal of Booz Allen and Hamilton who

wrote the initial published version of this document.

Table of Contents

EXECUTIVE SUMMARY ......................................................................................................... VI

1 INTRODUCTION ................................................................................................................ 1

1.1 B

ACKGROUND ................................................................................................................ 1

1.2 H

ISTORY OF TLS ............................................................................................................ 1

1.3 S

COPE ............................................................................................................................. 2

1.4 D

OCUMENT CONVENTIONS ............................................................................................ 3

2 TLS OVERVIEW ................................................................................................................. 4

2.1 H

ANDSHAKE PROTOCOL ................................................................................................ 4

2.2 S

HARED SECRET NEGOTIATION ..................................................................................... 5

2.3 C

ONFIDENTIALITY .......................................................................................................... 6

2.4 I

NTEGRITY ...................................................................................................................... 6

2.5 A

UTHENTICATION .......................................................................................................... 7

2.6 A

NTI-REPLAY ................................................................................................................. 7

2.7 K

EY MANAGEMENT ....................................................................................................... 7

3 MINIMUM REQUIREMENTS FOR TLS SERVERS ..................................................... 9

3.1 P

ROTOCOL VERSION SUPPORT ....................................................................................... 9

3.2 S

ERVER KEYS AND CERTIFICATES ................................................................................. 9

3.2.1 Server Certificate Profile ......................................................................................... 10

3.2.2 Obtaining Revocation Status Information for the Client Certificate ....................... 13

3.2.3 Server Public Key Certificate Assurance................................................................. 13

3.3 C

RYPTOGRAPHIC SUPPORT .......................................................................................... 14

3.3.1 Cipher Suites ............................................................................................................ 14

3.3.2 Validated Cryptography .......................................................................................... 19

3.4 TLS

EXTENSION SUPPORT ........................................................................................... 20

3.4.1 Mandatory TLS Extensions ...................................................................................... 20

3.4.2 Conditional TLS Extensions .................................................................................... 21

3.4.3 Discouraged TLS Extensions ................................................................................... 22

3.5 C

LIENT AUTHENTICATION ........................................................................................... 23

3.5.1 Path Validation ........................................................................................................ 23

3.5.2 Trust Anchor Store ................................................................................................... 24

3.5.3 Checking the Client Key Size ................................................................................... 25

3.5.4 Server Hints List ...................................................................................................... 25

3.6 S

ESSION RESUMPTION .................................................................................................. 26

3.7 C

OMPRESSION METHODS ............................................................................................. 26

3.8 O

PERATIONAL CONSIDERATIONS ................................................................................. 26

3.9 S

ERVER RECOMMENDATIONS ...................................................................................... 27

3.9.1 Recommendations for Server Selection ................................................................... 27

3.9.2 Recommendations for Server Installation and Configuration ................................. 27

3.9.3 Recommendations for Server System Administrators .............................................. 31

4 MINIMUM REQUIREMENTS FOR TLS CLIENTS .................................................... 33

4.1 P

ROTOCOL VERSION SUPPORT ..................................................................................... 33

4.2 C

LIENT KEYS AND CERTIFICATES ................................................................................ 33

4.2.1 Client Certificate Profile ......................................................................................... 33

4.2.2 Obtaining Revocation Status Information for the Server Certificate ...................... 35

4.2.3 Client Public Key Certificate Assurance ................................................................. 36

剩余66页未读，继续阅读

评论收藏

内容反馈

vR搬砖人

粉丝: 0
资源: 3

NIST.SP.800-52传输层安全选择、配置使用指南

你该知道的NIST SP 800系列指南.pdf

NIST SP800-52.pdf

5.4 NIST SP800-30 IT系统风险管理指南

NIST SP800-30信息安全文档

关于NIST SP 800-53新版浅说

NIST SP800-52r2-draft2.pdf

SP800-30，风险评估指南

NIST.SP.800-190容器安全指南.pdf

NIST.SP.800-53r5-draft.pdf

NIST.SP.800-207-draft2

NIST.SP.800-190容器安全标准(中文版).pdf

NIST SP 800-53A: 联邦信息系统中安全控制评价指南

NIST SP800-26 中文版

NIST SP 800-193(中文)

NIST.SP.800-90B 随机数熵评估标准

NIST.SP.800-12r1.pdf

NIST.SP.800-90B.pdf

NIST.SP.800-61 R2：2012 Computer Security Incident Handling Guide

NIST.SP.800-90Ar1.pdf

NIST.SP.800-207-Zero Trust Architecture（final）.pdf

信息安全测试评估技术指南NIST SP 800-115

NIST SP800-39.pdf

《工业控制系统安全指南》NIST.SP.800-82.r1

NIST.SP.800-90B.pdf NIST 随机数生成标准及建议

NIST.SP.800-186-draft.pdf

NIST SP800-56Br2.pdf

NIST.SP.800-82r2 工业控制系统安全指南 原版

NIST SP800-61r2.pdf

最新资源

NIST.SP.800-82r2 工业控制系统安全指南原版