Evolution of TLS Security Profiles and Best Practices

Slide Note
Embed
Share

TLS security profiles have evolved with the introduction of new profiles, retirement of old ones, and emphasis on non-downgrading best practices. Motivated by changes in security threats and cryptographic methods, the IETF has issued recommendations to ensure secure connections using TLS 1.2. The new TLS profiles comply with BCP-195, offering improved security measures while preventing downgrades to lower strength connections. However, devices relying on retired profiles may face connectivity issues with modern compliant systems. Overall, the transition to new profiles aims to enhance security and adapt to the changing threat landscape.

antwine_m
antwine_m Follow

Uploaded on Oct 02, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. TLS Security Profiles Rob Horn WG-14: Security

  2. TLS Profile Changes Two new TLS profiles defined Best Practices Non-downgrading Best Practices Two existing (old) TLS profiles retired ISCL Secure Transport Connection Profile retired Motivation for profile changes Changes to security threat environment Changes to cryptographic methods Known flaws in older TLS versions IETF new best practices guidance Device documentation. It is easier to state compliance with a profile than to document all the RFC s and options involved. 2

  3. Motivation and IETF actions Motivation Flaws have been found in TLS Cryptographic technology has changed Old methods are becoming vulnerable New methods have been invented IETF Action Best Practices Recommendations issued in 2015 Shorthand summary: Use TLS 1.2 Connection negotiation starts with best strength options, then accepts several downgrades if needed. IETF s goal is to have gradual upgrades everywhere without sacrificing interoperability (within limits). The lowest downgrade is still considered good enough . 3

  4. New Profiles Best Practices TLS Profile Complies with BCP-195, the IETF s best current practice guidance. No other changes to use of TLS for DICOM. Non Downgrading Best Practices TLS Profile Complies with the BCP-195 recommendation for initial TLS versions, cryptography, etc. Does not permit downgrading to lower strength. Customers can determine and choose whether to accept negotiated downgrades. Downgraded connections still provide good protection in most situations. Customers can make their own decision about accepting risks. 4

  5. Old Profiles Basic TLS Secure Transport Connection Profile is retired Use of Basic TLS does not meet BCP-195. Devices that only support this profile will not be able to connect to devices that comply with either of the new profiles. Basic TLS may still be useful in other situations. AES TLS Secure Transport Connection profile is retired. BCP-195 permits connections using the AES setting as a downgrade only. It is acceptable but not preferred. The new Best Practices TLS profile will negotiate a downgrade to devices that only support the AES profile. The new Non Downgrade Best Practices TLS profile will not negotiate a downgrade. They will not connect with devices that only support the AES profile. ISCL Secure Transport Connection Profile is retired. 5

Related


Understanding TLS/SSL: Security, Attacks, and TLS 1.3

Understanding TLS/SSL: Security, Attacks, and TLS 1.3

otts_oel
A New Approach to TLS Inspection

A New Approach to TLS Inspection

aviend
Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

Understanding TLS v1.3: Enhancing Round-Trip Times and SSL Configuration

mohammed
Understanding Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

Understanding Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

ambell
Enhancing Security with Hardware Attestation in TLS

Enhancing Security with Hardware Attestation in TLS

alissa
Exploring DANE, DNSSEC, and TLS in Go6Lab

Exploring DANE, DNSSEC, and TLS in Go6Lab

kasz640
Understanding Transport Layer Security (TLS)

Understanding Transport Layer Security (TLS)

amabel
TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

TLS Freight Forwarding Pvt Ltd: Your Business Partner for Complete Logistics & Supply Chain Solutions

rayl_9
Enhancing Eduroam Security with New Standards and Practices

Enhancing Eduroam Security with New Standards and Practices

pippa
Modernizing Network Security with nQUIC Noise-Based Packet Protection

Modernizing Network Security with nQUIC Noise-Based Packet Protection

katarina
EPA Oil and Gas VOC Speciation Improvement Efforts

EPA Oil and Gas VOC Speciation Improvement Efforts

cannella_j
Understanding Soil Profiles in Agricultural Science

Understanding Soil Profiles in Agricultural Science

adine
Comparison of Security Profiles in OpenHIE Registries

Comparison of Security Profiles in OpenHIE Registries

simba
Understanding Wind Profiles and Aerodynamic Roughness Length

Understanding Wind Profiles and Aerodynamic Roughness Length

casiano_t
Comprehensive Overview of EAL Profiles and Strategies for Language Skills Assessment

Comprehensive Overview of EAL Profiles and Strategies for Language Skills Assessment

kallie
Understanding Traffic Light Profiles for Special Educational Provision

Understanding Traffic Light Profiles for Special Educational Provision

tshet
Colorado State Epidemiological Profiles - Substance Abuse Trends & Response Task Force

Colorado State Epidemiological Profiles - Substance Abuse Trends & Response Task Force

bronte
Evolution of Collisionless Plasma Bounded by Absorbing Walls

Evolution of Collisionless Plasma Bounded by Absorbing Walls

zmira
Improving DNS Security with KINDNS Best Practices

Improving DNS Security with KINDNS Best Practices

ceis
Understanding PeopleSoft Security: A Comprehensive Guide

Understanding PeopleSoft Security: A Comprehensive Guide

kylen
Evolving Security Practices in DevOps: A Holistic Approach

Evolving Security Practices in DevOps: A Holistic Approach

madisyn
Managing Application Security in Large Organizations: Insights and Best Practices

Managing Application Security in Large Organizations: Insights and Best Practices

joli_38
Network Security Course Overview - INFSCI 1075 by Amir Masoumzadeh

Network Security Course Overview - INFSCI 1075 by Amir Masoumzadeh

caer131
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin

More Related Content

Understanding the Roles of a Security Partner
Understanding the Roles of a Security Partner
Understanding Epidemiological Profiles in Public Health Practice
Understanding Epidemiological Profiles in Public Health Practice
Efficient Staffing Strategies for Nursing Units
Efficient Staffing Strategies for Nursing Units
Efficient User Management System for Health Facilities
Efficient User Management System for Health Facilities
Learn about Rainforest Animals and Create Animal Profiles
Learn about Rainforest Animals and Create Animal Profiles
Inspection Profiles of Largest Children's Homes Providers - August 2018
Inspection Profiles of Largest Children's Homes Providers - August 2018
Matrimonial Profiles - Seeking Companionship in Diverse Backgrounds
Matrimonial Profiles - Seeking Companionship in Diverse Backgrounds
Rules and Practices for Software Evolution Support
Rules and Practices for Software Evolution Support
Best Practices for Accessible PowerPoint Presentations
Best Practices for Accessible PowerPoint Presentations
Practical Aspects of Modern Cryptography: November 2016
Practical Aspects of Modern Cryptography: November 2016
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Roughtime: Securing time for IoT devices
Roughtime: Securing time for IoT devices
UIC Security Division Overview and International Activities
UIC Security Division Overview and International Activities
Understanding Security in World Politics
Understanding Security in World Politics
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Automating Security Operations Using Phantom
Automating Security Operations Using Phantom
Network Monitoring Workshop - Incident Response Overview
Network Monitoring Workshop - Incident Response Overview
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Understanding Security Categorization of Information Systems
Understanding Security Categorization of Information Systems
Agile Security Practices and Collaboration Insights
Agile Security Practices and Collaboration Insights
Understanding Wireless Security Audits and Best Practices
Understanding Wireless Security Audits and Best Practices
Data Storage, Backup, and Security Essentials
Data Storage, Backup, and Security Essentials