Guidelines for the Selection and Use of
Transport Layer Security (TLS) Implementations
Executive Summary
Office of Management and Budget (OMB) Circular A-130, Management of Federal
Information Resources, requires managers of publicly accessible information repositories
or dissemination systems that contain sensitive but unclassified data to ensure sensitive
data is protected commensurate with the risk and magnitude of the harm that would result
from the loss, misuse, or unauthorized access to or modification of such data. Given the
nature of interconnected networks and the use of the Internet to share information,
protection of this sensitive data can become difficult if proper mechanisms are not
employed to protect the data. Transport layer security (TLS) provides such a mechanism
to protect sensitive data during electronic dissemination across the Internet.
TLS is a protocol created to provide authentication, confidentiality and data integrity
between two communicating applications. TLS is based on a precursor protocol called
“The Secure Sockets Layer Version 3.0” (SSL 3.0) and is considered to be an
improvement to SSL 3.0. SSL is specified in an expired Internet Draft working
document of the Internet Engineering Task Force. Transport Layer Security Version 1
(TLS 1.0) specification is an Internet Request for Comments [RFC2246]. Each document
specifies a similar protocol that provides security services over the Internet. While TLS
1.0 is based on SSL 3.0, and the differences are not dramatic; they are significant enough
that TLS 1.0 and SSL 3.0 do not interoperate. This Special Publication provides
guidance to the selection and implementation of the TLS protocol while making effective
use of Federal Information Processing Standards (FIPS) approved cryptographic
algorithms, and suggests that TLS 1.0 configured with FIPS based cipher suites is the
appropriate secure transport protocol.
1
Use of the recommendations provided in this
Special Publication would promote:
• More consistent use of authentication, confidentiality and integrity mechanisms
for the protection of information transport across the Internet;
• Consistent use of recommended cipher suites that encompass FIPS algorithms and
open source technology; and
• Informed decisions by system administrators and managers in the integration of
transport layer security implementations.
While these Guidelines are primarily designed for Federal users and system
administrators to adequately protect sensitive but unclassified Federal Government data
against serious threats on the Internet, they may also be used within closed network
environments to segregate data. (The client-server model and security services discussed
also apply in these situations). This Special Publication does not supercede any existing
NIST publication and should be used in conjunction with existing policies and
procedures.
1
While SSL 3.0 is the most secure of the SSL protocol versions, it is not approved for use in the protection of Federal
information because it relies in part on the use of cryptographic algorithms that are not FIPS-Approved. TLS
when properly configured is approved for the protection of Federal information.
1
