New NIST encryption guidelines may force fed agencies to replace old websites

Next month the National Institute of Standards and Technology (NIST) plans to release for public review a draft of a new government encryption standard that, once finalized, will compel federal agencies running older websites to replace them.

NIST's current standard calls for federal agencies to support Transport Layer Security (TLS) 1.0, but the updated version will require TLS 1.1 and 1.2, says Tim Polk, computer scientist and group manager for NIST's cryptographic technology group. Because websites and browsers rely on TLS for secure communications, agencies that have not yet moved to TLS 1.1 and 1.2 should plan for that migration now, Polk advises.


The new federal government standard, when finalized (this typically happens within six months of a draft's release for public review), will set a time frame within which websites and browsers must meet the new requirements.

"Older Web servers probably don't support TLS 1.1 and 1.2," says Polk, adding that some agencies will likely need to acquire new Web server products to get up-to-date TLS support. The NIST document covering all this, expected to be published in September, is tentatively titled "Guidelines for Selection, Configuration and Use of Transport Layer Security Implementations."
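The practical question behind the two paragraphs above is which protocol version a given server actually negotiates. The following is an added example, not code from the article or from NIST: it parses a captured TLS ServerHello record (the wire format from RFC 5246, plus the TLS 1.3 supported_versions extension from RFC 8446) and checks the negotiated version against a configurable floor. The default floor of TLS 1.1 is taken from the article's description of the draft; pass 0x0303 to require TLS 1.2. The sample records are constructed in the block itself, not real captures, and the helper and constant names are this example's own.

```python
import struct
from typing import Optional

# Protocol version numbers as they appear on the wire (major, minor packed as a 16-bit int).
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

CONTENT_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 extension carrying the real TLS 1.3 version

# Floor the article describes for the updated guideline: TLS 1.1 (TLS 1.2 preferred).
# Name and value are this example's assumption, not a NIST identifier.
NIST_DRAFT_MINIMUM = 0x0302


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return the version the
    server actually selected plus the cipher suite it chose."""
    if len(record) < 5:
        raise ValueError("record too short for a TLS record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    (version,) = struct.unpack("!H", hello[:2])
    pos = 2 + 32                        # skip the 32-byte server random
    pos += 1 + hello[pos]               # skip the length-prefixed session_id
    (cipher_suite,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + 1                        # cipher suite + compression method

    # A TLS 1.3 server keeps legacy_version = 0x0303 and announces 0x0304 in
    # the supported_versions extension, so the extension wins when present.
    if pos + 2 <= len(hello):
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_data) == 2:
                (version,) = struct.unpack("!H", ext_data)

    return {"record_version": rec_ver, "version": version, "cipher_suite": cipher_suite}


def meets_minimum(version: int, minimum: int = NIST_DRAFT_MINIMUM) -> bool:
    """True if the negotiated version is at or above the required floor."""
    return version >= minimum


def assess(record: bytes, minimum: int = NIST_DRAFT_MINIMUM) -> str:
    """One-line verdict for a captured ServerHello record."""
    info = parse_server_hello(record)
    name = VERSION_NAMES.get(info["version"], hex(info["version"]))
    verdict = "OK" if meets_minimum(info["version"], minimum) else "FAIL"
    return f"{verdict}: server negotiated {name}, cipher suite 0x{info['cipher_suite']:04x}"


def build_server_hello(legacy_version: int, cipher_suite: int,
                       selected_version: Optional[int] = None) -> bytes:
    """Build a minimal ServerHello record as constructed sample input (not a real
    capture); selected_version adds a TLS 1.3 supported_versions extension."""
    hello = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    hello += struct.pack("!HB", cipher_suite, 0)                          # cipher suite, null compression
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, legacy_version, len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "legacy server": build_server_hello(0x0301, 0x002F),            # TLS 1.0, AES128-SHA
        "current server": build_server_hello(0x0303, 0xC02F),           # TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256
        "TLS 1.3 server": build_server_hello(0x0303, 0x1301, 0x0304),   # TLS_AES_128_GCM_SHA256
    }
    for label, rec in samples.items():
        print(f"{label:15s} {assess(rec)}")
```

To use it against a live server, feed `parse_server_hello` the first record returned after sending a ClientHello; the parser deliberately trusts only the negotiated version and ignores the record-layer version, which servers often leave at an older value.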

The term "SSL" is still often used instead of "TLS," though it is a holdover from Netscape's original Secure Sockets Layer protocol, which TLS superseded. TLS implementations in older Web servers and browsers are exposed to known attacks that newer versions address, and that is one main reason to support up-to-date TLS, Polk says.

Other guidance is anticipated in the NIST proposed encryption standard. For instance, "We will require support for certain TLS extensions," including the Extended Validation Certificate guidelines, says Polk.

EV certificates issued by certificate authorities (CAs) are preferred over other digital certificates because the EV guidelines require far more extensive verification of the organization receiving the certificate, and impose stricter requirements on the issuing CA, than other certificate types do.

The EV certificate standard was devised by the industry group CA/Browser Forum. The CAB Forum is undergoing some turbulent change as its members, including Microsoft, Google, PayPal, Symantec and Apple, among others, make organizational changes, including hashing out decisions related to the intellectual-property rights each owns pertaining to public-key infrastructure.

"EV certificates have higher levels of assurance associated with them, that they're issued to the right people," says Polk. "We support efforts to move the state-of-the-art forward. We believe for some applications that are important, there is value in it."

NIST also wants the federal government to move forward with what is called "mutually authenticated TLS," in which the client proves its identity to the server with the user's own certificate during the handshake, in addition to the server proving its identity to the client. "It's not done much today," says Polk. "It's not, because most users don't have crypto keys of their own." The federal government is positioned to take advantage of this higher security because of the Personal Identity Verification (PIV) cards issued to government employees, which carry such keys.

There have been numerous compromises of CAs during the past year or so and NIST is also looking at how federal agencies should be responding to news of a data breach or other type of compromise impacting certificates.

NIST, in a bulletin entitled "Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance," explains how the complex world of CAs, registration authorities and relying parties works in the certificate-issuance process. The NIST document, written with some help from Venafi, addresses how things can go wrong, how fraud can occur and what to do and expect from the standpoint of an organization making use of certificates. Many of these ideas are also likely to be incorporated into the upcoming NIST standards as guidelines, Polk suggests.

In spite of security breaches at CAs, does NIST still feel that digital certificates constitute good security for websites, browsers and other purposes?

"In the U.S. government, all of e-commerce is heavily invested in public-key infrastructure," says Polk. Public-key infrastructure based on digital certificates "has quietly become a core technology." Although there have been attacks on PKI, the underlying technology remains solid, he says. "We have confidence that this is a critical technology and one of the strongest tools in the toolkit. But it's not perfect."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
