The Transport Layer Security (TLS) protocol is the primary means of protecting network communications over the Internet. TLS and its predecessor, Secure Sockets Layer (SSL), have been used for decades in many applications, most notably by browsers visiting HTTPS sites. TLS, like SSL before it, evolves constantly with the security industry, responding to newly discovered attacks as well as new technology and business requirements. We expect this document to be reviewed two to three times per year to incorporate appropriate updates.
This volatility has motivated various standards organizations to publish guideline documents, so that a minimum baseline for TLS security could be established in a particular market, sector or service. Unfortunately, there are numerous such standards, with different sectors requiring compliance with different, applicable documents, while the standards themselves also evolve over time, accommodating changes in the sector they were designed to protect.
This document outlines a standard for NYU to serve as a unified, simplified source.
TLS Requirements Per Regulatory and Standards Bodies
- HIPAA
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US regulation concerning the secure handling of Protected Health Information (PHI) and electronic Protected Health Information (ePHI) via the Privacy and Security Rules. This regulation applies to NYU’s Covered Components (College of Dentistry, Student Health Center, and School of Medicine) and NYU IT as a HIPAA Support Component.
- NIST
- National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. It publishes many standards documents including Special Publication (SP) 800-52r2, describing the correct operational procedures to securely configure a TLS instance for government servers. NYU is not required to adhere to these standards although they are considered best practices.
- NCSC
- The Dutch National Cyber Security Centre (NCSC) produces various documents including a set of Transport Layer Security (TLS) protocol guidelines, which aim to improve TLS configuration security. NYU is not required to adhere to these standards although they can be considered best practices.
- PCI-DSS
- PCI-DSS refers to the Payment Card Industry Data Security Standard, the compliance standard maintained by the PCI Security Standards Council (SSC). It establishes how cardholder data and payment transactions must be handled by “merchants” that accept payment cards from the major brands (e.g., Amex, Visa, MC, Discover). All merchants accepting payment cards (NYU is one) must comply with this standard.
- GLBA
- The GLBA (Gramm-Leach-Bliley Act, the short form of the Financial Modernization Act of 1999) is a US regulation concerning the protection of customers’ non-public financial information. NYU IT supports many GLBA-affected departments, some of which also handle CUI (controlled unclassified information); NIST SP 800-171 provides the framework for protecting CUI.
- Apple, Google, Microsoft, and Mozilla
- Browser support for encryption protocols and cipher suites is an important consideration. In a rare display of solidarity, the major browsers have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.
- https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
- https://security.googleblog.com/2018/10/modernizing-transport-security.html
- https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
- https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
NYU TLS Standard
The level of security that TLS provides is most affected by the protocol version (1.0, 1.1, etc.) and the allowed cipher suites. A cipher is an algorithm that performs encryption and decryption; a cipher suite is the set of algorithms used together to establish a secure TLS connection: a key-exchange algorithm, an authentication (signature) algorithm, a cipher, and a hash or message-authentication algorithm. Most TLS clients and servers support several alternatives, so when establishing a connection they negotiate a common TLS version and cipher suite: the client advertises what it supports and the server selects from that offer, which is why the server's configuration and its cipher ordering determine what is actually used.
Target Date for Compliance
All major browsers have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020. Safari and Firefox have further specified March 2020 as their target, which is therefore our target date for compliance across NYU with the recommended protocol versions and cipher suites in this standard.
Protocol Version
TLS version 1.1 is the minimum version permitted; it mitigates various attacks on version 1.0 of the TLS protocol. Support for TLS version 1.2 or greater is strongly recommended, and because the browser deprecations noted above remove TLS 1.0 and 1.1 support in 2020, the example configurations in the appendix enable TLS 1.2 or later only. TLS 1.0, SSL 2.0, and SSL 3.0 are not supported and shall not be used. Applications that still depend on these protocols require aggressive migration plans to bring them up to current versions of the protocol.
Cipher Suites
The following are the recommended and allowed cipher suites, written as OpenSSL cipher names (the form accepted by Apache and Nginx). Every Recommended suite uses ephemeral elliptic-curve Diffie-Hellman (ECDHE) key exchange, which provides forward secrecy, together with either an AEAD mode (AES-GCM or ChaCha20-Poly1305) or a SHA-2 HMAC. The Allowed list is a superset that adds suites retained for compatibility with older clients: suites without forward secrecy (no ECDHE or DHE prefix), suites using a SHA-1 HMAC (names ending in -SHA), and DSS-authenticated suites. Servers should enforce their own cipher ordering and place the Recommended suites first.
Recommended
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
Allowed
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES256-SHA
- AES128-SHA
- DH-DSS-AES128-GCM-SHA256
- DH-DSS-AES128-SHA
- DH-DSS-AES128-SHA256
- DH-DSS-AES256-GCM-SHA384
- DH-DSS-AES256-SHA
- DH-DSS-AES256-SHA256
- DHE-DSS-AES128-GCM-SHA256
- DHE-DSS-AES128-SHA
- DHE-DSS-AES128-SHA256
- DHE-DSS-AES256-GCM-SHA384
- DHE-DSS-AES256-SHA
- DHE-DSS-AES256-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES128-SHA256
Appendix: Example TLS configurations
Apache HTTP server
…
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
Nginx
…
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
AWS ELB
"Policies": [{
  "PolicyName": "Mozilla-modern-2015-03",
  "PolicyType": "SSLNegotiationPolicyType",
  "Attributes": [{
    "Name": "Protocol-TLSv1.2",
    "Value": true
  }, {
    "Name": "Server-Defined-Cipher-Order",
    "Value": true
  }, {
    "Name": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "Value": true
  }, {
    "Name": "ECDHE-RSA-AES128-GCM-SHA256",
    "Value": true
  }, {
    "Name": "ECDHE-ECDSA-AES128-SHA256",
    "Value": true
  }, {
    "Name": "ECDHE-RSA-AES128-SHA256",
    "Value": true
  }, {
    "Name": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "Value": true
  }, {
    "Name": "ECDHE-RSA-AES256-GCM-SHA384",
    "Value": true
  }, {
    "Name": "ECDHE-ECDSA-AES256-SHA384",
    "Value": true
  }]
}]
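Checking a configuration against this standard

As an added example (not part of the NYU standard, nor code from Apache or Nginx), the following Python script checks an Apache or Nginx TLS configuration against the protocol and cipher suite lists above. It inspects only the protocol and cipher directives: Apache's SSLProtocol grammar (all, +, -) is expanded, Nginx's ssl_protocols is read literally, and each literal suite name in the cipher string is classified as recommended, allowed, or not allowed. Alias tokens such as HIGH or ECDHE+AESGCM and the !/-/+ operators expand differently per OpenSSL build, so they are reported for manual resolution rather than guessed. The two sample configurations embedded in the script are constructed for the demonstration; the first reproduces the Apache settings from the appendix, the second is a deliberately legacy configuration.

```python
"""Check an Apache or Nginx TLS configuration against the NYU TLS standard.

Added example, not part of the standard or of Apache/Nginx.  Only the protocol
and cipher directives are inspected; the sample configs below are constructed.
"""
import re

RECOMMENDED = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED = RECOMMENDED | {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES256-SHA", "AES128-SHA",
    "DH-DSS-AES128-GCM-SHA256", "DH-DSS-AES128-SHA", "DH-DSS-AES128-SHA256",
    "DH-DSS-AES256-GCM-SHA384", "DH-DSS-AES256-SHA", "DH-DSS-AES256-SHA256",
    "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA", "DHE-DSS-AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
}
FORBIDDEN_VERSIONS = {"SSLv2", "SSLv3", "TLSv1"}      # "shall not be used"
# What httpd 2.4 means by 'all' (TLSv1.3 only when the linked OpenSSL supports it).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def expand_apache_protocols(value):
    """SSLProtocol semantics: a bare name enables it, '+' adds, '-' removes, 'all' is the full set."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = (enabled | names) if op == "+" else (enabled - names)
    return enabled


def expand_nginx_protocols(value):
    """ssl_protocols lists the enabled versions literally."""
    return set(value.split())


def split_cipher_string(value):
    """Split an OpenSSL cipher string into literal suite names and tokens that cannot be
    resolved statically (aliases like HIGH or ECDHE+AESGCM, '!'/'-'/'+' operators,
    '@STRENGTH'); those depend on the OpenSSL build and are reported, not guessed."""
    literals, unresolved = [], []
    for tok in value.strip().strip("'\"").split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] in "!-+" or "+" in tok or "@" in tok or "-" not in tok:
            unresolved.append(tok)
        else:
            literals.append(tok)
    return literals, unresolved


def not_recommended_reason(name):
    """Why an Allowed suite is outside the Recommended list, read from its name."""
    if not name.startswith(("ECDHE-", "DHE-")):
        return "no forward secrecy"
    if name.endswith("-SHA"):
        return "SHA-1 HMAC"
    return "DSS authentication"


DIRECTIVES = {
    "apache": (r"^\s*SSLProtocol\s+(.+)$", r"^\s*SSLCipherSuite\s+(.+)$", expand_apache_protocols),
    "nginx": (r"^\s*ssl_protocols\s+(.+?)\s*;", r"^\s*ssl_ciphers\s+(.+?)\s*;", expand_nginx_protocols),
}


def lint(config_text, flavor):
    """Return {'versions', 'errors', 'warnings'}; an empty 'errors' list means the config meets the standard."""
    proto_re, cipher_re, expand = DIRECTIVES[flavor]
    errors, warnings = [], []

    m = re.search(proto_re, config_text, re.M)
    versions = expand(m.group(1).strip()) if m else set()
    if not m:
        errors.append("no protocol directive found")
    for v in sorted(versions & FORBIDDEN_VERSIONS):
        errors.append(f"forbidden protocol enabled: {v}")
    if "TLSv1.1" in versions:
        warnings.append("TLSv1.1 enabled: the policy minimum, but browsers drop it in 2020")

    m = re.search(cipher_re, config_text, re.M)
    literals, unresolved = split_cipher_string(m.group(1)) if m else ([], [])
    if not m:
        errors.append("no cipher directive found")
    for name in literals:
        if name not in ALLOWED:
            errors.append(f"cipher suite not in Allowed list: {name}")
        elif name not in RECOMMENDED:
            warnings.append(f"allowed, not recommended ({not_recommended_reason(name)}): {name}")
    for tok in unresolved:
        warnings.append(f"resolve with 'openssl ciphers -v' before trusting: {tok}")
    return {"versions": sorted(versions), "errors": errors, "warnings": warnings}


# Constructed samples: the first mirrors the Apache settings in the appendix,
# the second is a legacy configuration that still accepts SSLv3/TLS 1.0 and RC4.
PAGE_APACHE = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
"""
LEGACY_APACHE = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:RC4-SHA:AES128-SHA
"""

if __name__ == "__main__":
    for label, cfg in (("appendix", PAGE_APACHE), ("legacy", LEGACY_APACHE)):
        report = lint(cfg, "apache")
        print(label, report["versions"], "errors:", report["errors"], "warnings:", report["warnings"])
```

Run it on a real vhost file by passing its contents to lint() with the matching flavor; a clean result confirms only the static lists, so follow it with a live check (for example openssl s_client against the server) to confirm what the deployed OpenSSL actually negotiates.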