| Control ID: SC-23 Session Authenticity |
Family: System and Communications Protection |
Source: NIST 800-53r4 |
| Control: The information system protects the authenticity of communications sessions.
|
Supplemental Guidance:
This control addresses communications protection at the session, versus packet level (e.g.,sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
Related Controls:
SC-8,
SC-10,
SC-11
|
| Control Enhancements:
N/A
|
| References: N/A |
| Mechanisms:
- Approved mechanisms for session authenticity are TLS and IPSec with the following parameters:
- TLS: ECDSA and ECDHE over curves of length at least 256-bits and either ChaCha or AES with at least 128-bit keys in an authenticated encryption mode as the symmetric algorithm.
- IPSec: DES for packet encryption. Triple-DES optional.
The device shall support at least one of these mechanisms.
|
Protocol Implementation Conformance Statements:
| ID |
Statement |
Status |
Reference |
Notes |
| SC-23/1-1
|
Supports signing messages according to IEEE 1609.2
|
SC-23/1-1:M
|
IEEE 1609.2
|
|
| SC-23/1-2
|
Verifies messages signed with IEEE 1609.2
|
SC-23/1-2:M
|
IEEE 1609.2
|
|
| SC-23/1-3
|
Supports session end with invalid 1609.2 signature
|
SC-23/1-3:M
|
IEEE 1609.2
|
|
| SC-23/2-1
|
Supports signing messages according to TLS
|
SC-23/2-1:O
|
|
|
| SC-23/2-2
|
Verifies messages signed in TLS session
|
SC-23/2-2:C
|
|
|
| SC-23/2-3
|
Supports TLS session end with invalid signature
|
SC-23/2-3:C
|
|
|
| SC-23/3
|
Supports signing messages according to DTLS
|
SC-23/3-1:O
|
|
|
| SC-23/3-2
|
Verifies messages signed in DTLS session
|
SC-23/3-2:C
|
|
|
| SC-23/3-3
|
Supports DTLS session end with invalid signature
|
SC-23/3-3:C
|
|
|
| SC-23/4-1
|
Supports IPSec
|
SC-24/4-1:M
|
RFC 2410, RFC 2401, RFC 2402
|
|
| SC-23/4-2
|
Supports DES
|
SC-24/4-2:O1
|
RFC 2410, RFC 2401, RFC 2402
|
|
| SC-23/4-3
|
Supports Triple-DES
|
SC-24/4-3:O1
|
RFC 2410, RFC 2401, RFC 2402
|
|
|
