Evolution of TLS Security Profiles and Best Practices

Slide Note
Embed
Share

TLS security profiles have evolved with the introduction of new profiles, retirement of old ones, and emphasis on non-downgrading best practices. Motivated by changes in security threats and cryptographic methods, the IETF has issued recommendations to ensure secure connections using TLS 1.2. The new TLS profiles comply with BCP-195, offering improved security measures while preventing downgrades to lower strength connections. However, devices relying on retired profiles may face connectivity issues with modern compliant systems. Overall, the transition to new profiles aims to enhance security and adapt to the changing threat landscape.


Uploaded on Oct 02, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. TLS Security Profiles Rob Horn WG-14: Security

  2. TLS Profile Changes Two new TLS profiles defined Best Practices Non-downgrading Best Practices Two existing (old) TLS profiles retired ISCL Secure Transport Connection Profile retired Motivation for profile changes Changes to security threat environment Changes to cryptographic methods Known flaws in older TLS versions IETF new best practices guidance Device documentation. It is easier to state compliance with a profile than to document all the RFC s and options involved. 2

  3. Motivation and IETF actions Motivation Flaws have been found in TLS Cryptographic technology has changed Old methods are becoming vulnerable New methods have been invented IETF Action Best Practices Recommendations issued in 2015 Shorthand summary: Use TLS 1.2 Connection negotiation starts with best strength options, then accepts several downgrades if needed. IETF s goal is to have gradual upgrades everywhere without sacrificing interoperability (within limits). The lowest downgrade is still considered good enough . 3

  4. New Profiles Best Practices TLS Profile Complies with BCP-195, the IETF s best current practice guidance. No other changes to use of TLS for DICOM. Non Downgrading Best Practices TLS Profile Complies with the BCP-195 recommendation for initial TLS versions, cryptography, etc. Does not permit downgrading to lower strength. Customers can determine and choose whether to accept negotiated downgrades. Downgraded connections still provide good protection in most situations. Customers can make their own decision about accepting risks. 4

  5. Old Profiles Basic TLS Secure Transport Connection Profile is retired Use of Basic TLS does not meet BCP-195. Devices that only support this profile will not be able to connect to devices that comply with either of the new profiles. Basic TLS may still be useful in other situations. AES TLS Secure Transport Connection profile is retired. BCP-195 permits connections using the AES setting as a downgrade only. It is acceptable but not preferred. The new Best Practices TLS profile will negotiate a downgrade to devices that only support the AES profile. The new Non Downgrade Best Practices TLS profile will not negotiate a downgrade. They will not connect with devices that only support the AES profile. ISCL Secure Transport Connection Profile is retired. 5

Related


More Related Content