Draft NIST SP 800-177 Revision 1, Trustworthy Email

DRAFT NIST Special Publication 800-177
Revision 1
Trustworthy Email

Ramaswamy Chandramouli
Simson Garfinkel
Stephen Nightingale
Scott Rose

COMPUTER SECURITY

DRAFT NIST Special Publication 800-177
Revision 1
Trustworthy Email

Scott Rose
Stephen Nightingale
Information Technology Laboratory
Advanced Network Technology Division

Simson L. Garfinkel
US Census Bureau

Ramaswamy Chandramouli
Information Technology Laboratory
Computer Security Division

September 2017

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Kent Rochford, Acting NIST Director and Under Secretary of Commerce for Standards and Technology

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-177 Revision 1
Natl. Inst. Stand. Technol. Spec. Publ. 800-177 Revision 1, 120 pages (September 2017)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Public comment period: September 13, 2017 through October 13, 2017
National Institute of Standards and Technology
Attn: Advanced Network Technologies Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8920) Gaithersburg, MD 20899-8920
Email: [email protected]

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This document gives recommendations and guidelines for enhancing trust in email. The primary audience includes enterprise email administrators, information security specialists and network managers. This guideline applies to federal IT systems and will also be useful for small or medium sized organizations. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Recommendations for email transmission security include Transport Layer Security (TLS) and associated certificate authentication protocols. Recommendations for email content security include the encryption and authentication of message content using S/MIME (Secure/Multipurpose Internet Mail Extensions) and associated certificate and key distribution protocols.

Keywords

Email; Simple Mail Transfer Protocol (SMTP); Transport Layer Security (TLS); Sender Policy Framework (SPF); Domain Keys Identified Mail (DKIM); Domain based Message Authentication, Reporting and Conformance (DMARC); Domain Name System (DNS) Authentication of Named Entities (DANE); S/MIME; OpenPGP.

Audience

This document gives recommendations and guidelines for enhancing trust in email. The primary audience for these recommendations is enterprise email administrators, information security specialists and network managers. While some of the guidelines in this document pertain to federal IT systems and network policy, most of the document will be more general in nature and could apply to any organization.

For most of this document, it will be assumed that the organization has some or all responsibility for email and can configure or manage its own email and Domain Name System (DNS) systems. Even if this is not the case, the guidelines and recommendations in this document may help in education about email security and can be used to produce a set of requirements for a contracted service.

Trademark Information

All registered trademarks belong to their respective organizations.

NIST SP 800-177 REV. 1 (DRAFT) TRUSTWORTHY EMAIL

Executive Summary

This document gives recommendations and guidelines for enhancing trust in email. The primary audience includes enterprise email administrators, information security specialists and network managers. This guideline applies to federal IT systems and will also be useful for small or medium sized organizations.

Email is a core application of computer networking and has been such since the early days of Internet development. In those early days, networking was a collegial, research-oriented enterprise. Security was not a consideration. The past forty years have seen diversity in applications deployed on the Internet, and worldwide adoption of email by research organizations, governments, militaries, businesses and individuals. At the same time there has been an associated increase in (Internet-based) criminal and nuisance threats.

The Internet’s underlying core email protocol, Simple Mail Transport Protocol (SMTP), was adopted in 1982 and is still deployed and operated today. However, this protocol is susceptible to a wide range of attacks including man-in-the-middle content modification and content surveillance. The basic standards have been modified and augmented over the years with adaptations that mitigate some of these threats. With spoofing protection, integrity protection, encryption and authentication, properly implemented email systems can be regarded as sufficiently secure for government, financial and medical communications.

NIST has been active in the development of email security guidelines for many years. The most recent NIST guideline on secure email is NIST SP 800-45, Version 2 of February 2007, Guidelines on Electronic Mail Security. The purpose of that document is:

“To recommend security practices for designing, implementing and operating email systems on public and private networks,”

Those recommendations include practices for securing the environments around enterprise mail servers and mail clients, and efforts to eliminate server and workstation compromise. This guide