没有合适的资源?快使用搜索试试~ 我知道了~
NIST.SP.800-52传输层安全选择、配置使用指南
需积分: 17 8 下载量 163 浏览量
2018-12-01
16:26:33
上传
评论
收藏 710KB PDF 举报
温馨提示
试读
67页
NIST SP 800-52r1 标准 传输层安全(TLS)选择、配置使用指南
资源推荐
资源详情
资源评论
NIST Special Publication 800-52
Revision 1
Guidelines for the Selection,
Configuration, and Use of
Transport Layer Security (TLS)
Implementations
Tim Polk
Kerry McKay
Santosh Chokhani
http://dx.doi.org/10.6028/NIST.SP.800-52r1
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-52
Revision 1
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Tim Polk
Kerry McKay
Computer Security Division
Information Technology Laboratory
Santosh Chokhani
CygnaCom Solutions
McLean, VA
http://dx.doi.org/10.6028/NIST.SP.800-52r1
April 2014
U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
ii
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for Federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate Federal officials
exercising policy authority over such systems. This guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on Federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-52 Revision 1
Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Revision 1, 66 pages (April 2014)
http://dx.doi.org/10.6028/NIST.SP.800-52r1
CODEN: NSPUE2
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Email:
SP80052-comments@nist.gov
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by Federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, Federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST Computer Security Division publications, other than the ones
noted above, are available at http://csrc.nist.gov/publications.
iii
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing
technical leadership for the Nation’s measurement and standards infrastructure. ITL
develops tests, test methods, reference data, proof of concept implementations, and
technical analyses to advance the development and productive use of information
technology. ITL’s responsibilities include the development of management,
administrative, technical, and physical standards and guidelines for the cost-effective
security and privacy of other than national security-related information in Federal
information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative
activities with industry, government, and academic organizations.
Abstract
Transport Layer Security (TLS) provides mechanisms to protect sensitive data during
electronic dissemination across the Internet. This Special Publication provides guidance
to the selection and configuration of TLS protocol implementations while making
effective use of Federal Information Processing Standards (FIPS) and NIST-
recommended cryptographic algorithms, and requires that TLS 1.1 configured with FIPS-
based cipher suites as the minimum appropriate secure transport protocol and
recommends that agencies develop migration plans to TLS 1.2 by January 1, 2015. This
Special Publication also identifies TLS extensions for which mandatory support must be
provided and other recommended extensions.
Keywords
information security; network security; SSL; TLS; Transport Layer Security
Acknowledgements
The authors, Tim Polk and Kerry McKay of NIST, and Santosh Chokhani of CygnaCom
Solutions would like to thank the many people who assisted with the development of this
document. In particular we would like to acknowledge Matthew J. Fanto and C. Michael
Chernick of NIST and Charles Edington III and Rob Rosenthal of Booz Allen and Hamilton who
wrote the initial published version of this document.
iv
Table of Contents
EXECUTIVE SUMMARY ......................................................................................................... VI
1 INTRODUCTION ................................................................................................................ 1
1.1 B
ACKGROUND ................................................................................................................ 1
1.2 H
ISTORY OF TLS ............................................................................................................ 1
1.3 S
COPE ............................................................................................................................. 2
1.4 D
OCUMENT CONVENTIONS ............................................................................................ 3
2 TLS OVERVIEW ................................................................................................................. 4
2.1 H
ANDSHAKE PROTOCOL ................................................................................................ 4
2.2 S
HARED SECRET NEGOTIATION ..................................................................................... 5
2.3 C
ONFIDENTIALITY .......................................................................................................... 6
2.4 I
NTEGRITY ...................................................................................................................... 6
2.5 A
UTHENTICATION .......................................................................................................... 7
2.6 A
NTI-REPLAY ................................................................................................................. 7
2.7 K
EY MANAGEMENT ....................................................................................................... 7
3 MINIMUM REQUIREMENTS FOR TLS SERVERS ..................................................... 9
3.1 P
ROTOCOL VERSION SUPPORT ....................................................................................... 9
3.2 S
ERVER KEYS AND CERTIFICATES ................................................................................. 9
3.2.1 Server Certificate Profile ......................................................................................... 10
3.2.2 Obtaining Revocation Status Information for the Client Certificate ....................... 13
3.2.3 Server Public Key Certificate Assurance................................................................. 13
3.3 C
RYPTOGRAPHIC SUPPORT .......................................................................................... 14
3.3.1 Cipher Suites ............................................................................................................ 14
3.3.2 Validated Cryptography .......................................................................................... 19
3.4 TLS
EXTENSION SUPPORT ........................................................................................... 20
3.4.1 Mandatory TLS Extensions ...................................................................................... 20
3.4.2 Conditional TLS Extensions .................................................................................... 21
3.4.3 Discouraged TLS Extensions ................................................................................... 22
3.5 C
LIENT AUTHENTICATION ........................................................................................... 23
3.5.1 Path Validation ........................................................................................................ 23
3.5.2 Trust Anchor Store ................................................................................................... 24
3.5.3 Checking the Client Key Size ................................................................................... 25
3.5.4 Server Hints List ...................................................................................................... 25
3.6 S
ESSION RESUMPTION .................................................................................................. 26
3.7 C
OMPRESSION METHODS ............................................................................................. 26
3.8 O
PERATIONAL CONSIDERATIONS ................................................................................. 26
3.9 S
ERVER RECOMMENDATIONS ...................................................................................... 27
3.9.1 Recommendations for Server Selection ................................................................... 27
3.9.2 Recommendations for Server Installation and Configuration ................................. 27
3.9.3 Recommendations for Server System Administrators .............................................. 31
4 MINIMUM REQUIREMENTS FOR TLS CLIENTS .................................................... 33
4.1 P
ROTOCOL VERSION SUPPORT ..................................................................................... 33
4.2 C
LIENT KEYS AND CERTIFICATES ................................................................................ 33
4.2.1 Client Certificate Profile ......................................................................................... 33
4.2.2 Obtaining Revocation Status Information for the Server Certificate ...................... 35
4.2.3 Client Public Key Certificate Assurance ................................................................. 36
剩余66页未读,继续阅读
资源评论
vR搬砖人
- 粉丝: 0
- 资源: 3
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功