Presentation is loading. Please wait.

Presentation is loading. Please wait.

TLS Security Profiles Rob Horn WG-14: Security.

Published byDorothy Fleming Modified over 6 years ago

Similar presentations

Presentation on theme: "TLS Security Profiles Rob Horn WG-14: Security."— Presentation transcript:

1 TLS Security Profiles Rob Horn WG-14: Security

2 TLS Profile Changes Two new TLS profiles defined
Best Practices Non-downgrading Best Practices Two existing (old) TLS profiles retired Motivation for profile changes Changes to security threat environment Changes to cryptographic methods Known flaws in older TLS versions IETF new best practices guidance Device documentation. It is easier to state compliance with a profile than to document all the RFC’s and options involved.

3 Motivation and IETF actions
Flaws have been found in TLS Cryptographic technology has changed Old methods are becoming vulnerable New methods have been invented IETF Action Best Practices Recommendations issued in 2015 Shorthand summary: “Use TLS 1.2” Connection negotiation starts with best strength options, then accepts several downgrades if needed. IETF’s goal is to have gradual upgrades everywhere without sacrificing interoperability (within limits). The lowest downgrade is still considered “good enough”.

4 New Profiles Best Practices TLS Profile
Complies with BCP-195, the IETF’s best current practice guidance. No other changes to use of TLS for DICOM. Non Downgrading Best Practices TLS Profile Complies with the BCP-195 recommendation for initial TLS versions, cryptography, etc. Does not permit downgrading to lower strength. Customers can determine and choose whether to accept negotiated downgrades. Downgraded connections still provide good protection in most situations. Customers can make their own decision about accepting risks.

5 Old Profiles Basic TLS Secure Transport Connection Profile is retired
Use of Basic TLS does not meet BCP Devices that only support this profile will not be able to connect to devices that comply with either of the new profiles. Basic TLS may still be useful in some situations. AES TLS Secure Transport Connection profile is retired. BCP-195 permits connections using the AES setting as a downgrade only. It is acceptable but not preferred. The new Best Practices TLS profile will negotiate a downgrade to devices that only support the AES profile. The new Non Downgrade Best Practices TLS profile will not negotiate a downgrade. They will not connect with devices that only support the AES profile.

Download ppt "TLS Security Profiles Rob Horn WG-14: Security."

Similar presentations

A Comprehensive Study for RFID Malwares on Mobile Devices TBD.

A Comprehensive Study for RFID Malwares on Mobile Devices TBD.
Information. Insight. Influence. securityindustry.org

Information. Insight. Influence. securityindustry.org
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.

Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
HL7 hData Security Elements. Security Considerations hData can be used in a broad variety of situations – EHR systems, line of business applications –

HL7 hData Security Elements. Security Considerations hData can be used in a broad variety of situations – EHR systems, line of business applications –
IPR Issues: What ’ s New (and a little of what ’ s old) Scott Brim IETF 61.

IPR Issues: What ’ s New (and a little of what ’ s old) Scott Brim IETF 61.
Cryptography and Network Security (SSL)

Cryptography and Network Security (SSL)
Submission February 2014 Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AR 20 March 2014 Authors: NameCompanyPhoneemail.

Submission February 2014 Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AR 20 March 2014 Authors: NameCompanyPhone .
Submission February 2014 Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AR 19 February 2014 Authors: NameCompanyPhoneemail.

Submission February 2014 Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AR 19 February 2014 Authors: NameCompanyPhone .
Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AS 20 March 2014 Authors: NameCompanyPhoneemail.

Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AS 20 March 2014 Authors: NameCompanyPhone .
DICOM Security Andrei Leontiev, M.S. Dynamic Imaging.

DICOM Security Andrei Leontiev, M.S. Dynamic Imaging.
Doc.: Linksec CipherSuites Submission August. 2003 David Johnston, IntelSlide 1 LinkSec CipherSuites? David Johnston

Doc.: Linksec CipherSuites Submission August David Johnston, IntelSlide 1 LinkSec CipherSuites? David Johnston
N1102 ISO/IEC JTC1/SC25 WG1 Chitose Outline of Revised Security Services for Networked Appliances Part II: Secure Communication Middleware Protocol Yasuyuki.

N1102 ISO/IEC JTC1/SC25 WG1 Chitose Outline of Revised Security Services for Networked Appliances Part II: Secure Communication Middleware Protocol Yasuyuki.
7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AS 18 March 2014 Authors: NameCompanyPhoneemail.

Slide 1 IEEE 802 Response to FDIS comments on IEEE 802.1AS 18 March 2014 Authors: NameCompanyPhone .
1 CCSDS Security Working Group Spring Meeting Colorado Springs Security Architecture January 19 th 2007.

1 CCSDS Security Working Group Spring Meeting Colorado Springs Security Architecture January 19 th 2007.
Guidelines for Cryptographic Algorithm Agility Russ Housley IETF 89 - SAAG Session.

Guidelines for Cryptographic Algorithm Agility Russ Housley IETF 89 - SAAG Session.
1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.

1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.
Refurbished Apple Products

Refurbished Apple Products

Similar presentations

Ads by Google