Draft NIST Special Publication 800-177, Trustworthy Email
Total Page:16
File Type:pdf, Size:1020Kb
1 DRAFT NIST Special Publication 800-177 2 Trustworthy Email 3 4 5 Ramaswamy Chandramouli 6 Simson Garfinkel 7 Stephen Nightingale 8 Scott Rose 9 10 11 12 13 14 15 16 17 18 19 C O M P U T E R S E C U R I T Y 20 21 22 DRAFT NIST Special Publication 800-177 23 Trustworthy Email 24 25 Scott Rose, Stephen Nightingale 26 Information Technology Laboratory 27 Advanced Network Technology Division 28 29 Simson L. Garfinkel 30 Information Technology Laboratory 31 Information Access Division 32 33 Ramaswamy Chandramouli 34 Information Technology Laboratory 35 Computer Security Division 36 37 38 39 40 41 42 43 September 2015 44 45 46 47 48 49 U.S. Department of Commerce 50 Penny Pritzker, Secretary 51 52 National Institute of Standards and Technology 53 Willie May, Under Secretary of Commerce for Standards and Technology and Director 54 Authority 55 This publication has been developed by NIST in accordance with its statutory responsibilities under the 56 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law 57 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, 58 including minimum requirements for federal information systems, but such standards and guidelines shall 59 not apply to national security systems without the express approval of appropriate federal officials 60 exercising policy authority over such systems. This guideline is consistent with the requirements of the 61 Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information 62 Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental 63 information is provided in Circular A-130, Appendix III, Security of Federal Automated Information 64 Resources. 65 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory 66 and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should 67 these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of 68 Commerce, Director of the OMB, or any other federal official. This publication may be used by 69 nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. 70 Attribution would, however, be appreciated by NIST. 71 National Institute of Standards and Technology Special Publication 800-177 72 Natl. Inst. Stand. Technol. Spec. Publ. 800-177, 87 pages (September 2015) 73 CODEN: NSPUE2 74 This publication is available free of charge 75 76 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 77 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 78 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 79 available for the purpose. 80 There may be references in this publication to other publications currently under development by NIST in 81 accordance with its assigned statutory responsibilities. The information in this publication, including concepts and 82 methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, 83 until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain 84 operative. For planning and transition purposes, federal agencies may wish to closely follow the development of 85 these new publications by NIST. 86 Organizations are encouraged to review all draft publications during public comment periods and provide feedback 87 to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at 88 http://csrc.nist.gov/publications. 89 Comments on this publication may be submitted to [email protected] 90 Public comment period: through November 30, 2015 91 National Institute of Standards and Technology 92 Attn: Advanced network Technologies Division, Information Technology Laboratory 93 100 Bureau Drive (Mail Stop 8920) Gaithersburg, MD 20899-8920 94 Email: [email protected] 95 ii 96 Reports on Computer Systems Technology 97 The Information Technology Laboratory (ITL) at the National Institute of Standards and 98 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 99 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 100 methods, reference data, proof of concept implementations, and technical analyses to advance 101 the development and productive use of information technology. ITL’s responsibilities include the 102 development of management, administrative, technical, and physical standards and guidelines for 103 the cost-effective security and privacy of other than national security-related information in 104 federal information systems. The Special Publication 800-series reports on ITL’s research, 105 guidelines, and outreach efforts in information system security, and its collaborative activities 106 with industry, government, and academic organizations. 107 Abstract 108 This document gives recommendations and guidelines for enhancing trust in email. The primary 109 audience includes enterprise email administrators, information security specialists and network 110 managers. This guideline applies to federal IT systems and will also be useful for any small or 111 medium sized organizations. Technologies recommended in support of core Simple Mail 112 Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for 113 authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail 114 (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). 115 Recommendations for email transmission security include Transport Layer Security (TLS) and 116 associated certificate authentication protocols. Email content security is facilitated through 117 encryption and authentication of message content using S/MIME and OpenPGP, and associated 118 certificate and key distribution protocols. 119 120 Keywords 121 Email; Simple Mail Transfer Protocol (SMTP); Transport Layer Security (TLS); Sender Policy 122 Framework (SPF); Domain Keys Identified Mail (DKIM); Domain based Message 123 Authentication, Reporting and Conformance (DMARC); Domain Name System (DNS) 124 Authentication of Named Entities (DANE); S/MIME; OpenPGP. iii 125 126 Acknowledgements 127 Audience 128 This document gives recommendations and guidelines for enhancing trust in email. The primary 129 audience for these recommendations is enterprise email administrators, information security 130 specialists and network managers. While some of the guidelines in this document pertain to 131 federal IT systems and network policy, most of the document will be more general in nature and 132 could apply to any small-mid sized organization. 133 For most of this document, it will be assumed that the organization has some or all responsibility 134 for email and can configure or manage its own email and Domain Name System (DNS) systems. 135 Even if this is not the case, the guidelines and recommendations in this document may help in 136 education about email security and can be used to produce a set of requirements for a contracted 137 service. 138 Note to Reviewers 139 This document is considered a DRAFT publication. Reviews and comments are welcome and 140 should be sent via email to [email protected]. The public comment period runs from 141 MM/DD/YYYY to MM/DD/YYYY. 142 Trademark Information 143 All registered trademarks belong to their respective organizations. iv NIST SP 800-177 Trustworthy Email 144 Executive Summary 145 This document gives recommendations and guidelines for enhancing trust in email. The primary 146 audience includes enterprise email administrators, information security specialists and network 147 managers. This guideline applies to federal IT systems and will also be useful for any small or 148 medium sized organizations. 149 Email is a core application of large-scale computer networking and has been such since the early 150 days of Internet development. In those early days, networking was a collegial, research-oriented 151 enterprise. Security was not a consideration. The past forty years have seen diversity in 152 applications operated over the Internet, and worldwide adoption of email by research 153 organizations, governments, militaries, businesses and individuals. At the same time there has 154 been and associated increase in criminal and nuisance threats. 155 The Internet’s underlying email protocol was adopted in 1982 and can still be deployed and 156 operated today. However, this protocol is susceptible to a wide range of attacks including man- 157 in-the-middle content modification and content surveillance. The basic standards have been 158 modified and augmented over the years with adaptations that mitigate these threats. With 159 spoofing protection, content modification protection, encryption and authentication, properly 160 implemented email can be regarded as sufficiently secure for government, financial and medical 161 communications. 162 NIST has been active in the development of email security guidelines for many years. The most 163 recent NIST guideline on secure email includes NIST SP 800-45, Version 2 of February 2007, 164 Guidelines on Electronic Mail Security. The purpose of that document is: 165 “To recommend security practices for designing, implementing and operating