Question:
Are SSL Certificates NIST compliant?
Short Answer:
Yes.
In fact, it was NIST guidance that led Certificate Authorities (CAs) such as DigiCert, Entrust and Comodo to adopt the 2048-bit key pair length as the standard for SSL/TLS certificates.
More Information:
Within the realm of website and network security there are many institutions that "set the standard" for how people and organizations run their infrastructure. Without standards there would be no consistency among product developers, manufacturers, cyber security, healthcare, information technology, etc.
These standards are usually created by a consortium of people and organizations seeking a global consensus on how things within their industry should be maintained, and they offer security advice and guidance to manufacturers and network infrastructure operators. The standards are freely available online, and depending on which sector your organization falls in, one or more advisory institutions may be keeping a watchful eye on compliance.
- Advisory institutions create guidelines, programs and educational resources that help organizations uphold proper practices for their services or products and maintain a secure ecosystem.
- Failing to uphold those standards puts an organization out of compliance. The result can be sanctions or lost business.
NIST, the National Institute of Standards and Technology, is one of many standards advisory institutions that set compliance standards for information technology. NIST is a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, it promotes and maintains measurement standards for the government sector and those who do business with it.
There are many NIST standards to follow, with SSL/TLS certificates being only a small portion. Here are the current standards NIST sets for Public Key Infrastructure (PKI) SSL/TLS certificates and their management.
Algorithms and key strengths that are not allowed under strict NIST 800-131A compliance include:
- RSA keySize < 2048
- DSA keySize < 2048
- ECC keySize < 224
- SHA1/SHA-1
- MD5
- RC2
- RC4
- DES
SHA-1 and SHA-2/SHA-256 are the signature hash algorithms that certificate authorities use to sign an SSL certificate when it is issued to the requestor. All certificates are now issued with SHA-2/SHA-256 signatures by default.
KeySize, also known as bit length, is the actual size of the key pair that performs the encryption. When a requestor goes to a certificate authority for an SSL certificate, the requestor is responsible for generating a key pair (public and private key) with a key size of at least 2048 bits. A certificate authority will not accept a key size smaller than 2048 bits.
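As an added example (not part of the original post), here is a short Python script that applies the key-size and signature-hash limits listed above to the text output of `openssl x509 -noout -text`; the certificate excerpts embedded in it are constructed for illustration, not real certificates.

```python
"""Check openssl's certificate text dump against the NIST SP 800-131A limits
listed above: RSA/DSA keys >= 2048 bits, ECC keys >= 224 bits, no MD5/SHA-1
signatures. Added example; the sample certificate texts are constructed."""
import re

MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "ECC": 224}
DISALLOWED_HASHES = {"md5", "sha1"}  # signature hashes the page lists as not allowed
KEY_TYPES = {"rsaencryption": "RSA", "dsaencryption": "DSA", "id-ecpublickey": "ECC"}

def parse_cert_text(text):
    """Extract (signature hash, key type, key bits) from `openssl x509 -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1).lower()
    hash_name = re.search(r"(md5|sha\d+)", sig).group(1)  # sha256WithRSAEncryption -> sha256
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1).lower()
    key_bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    return hash_name, KEY_TYPES.get(key_alg, key_alg), key_bits

def nist_800_131a_findings(text):
    """Return a list of violations; an empty list means the certificate passes."""
    hash_name, key_type, key_bits = parse_cert_text(text)
    findings = []
    if hash_name in DISALLOWED_HASHES:
        findings.append(f"signature hash {hash_name} is not allowed")
    if key_type not in MIN_KEY_BITS:
        findings.append(f"unsupported key algorithm {key_type}")
    elif key_bits < MIN_KEY_BITS[key_type]:
        findings.append(f"{key_type} key of {key_bits} bits is below {MIN_KEY_BITS[key_type]}")
    return findings

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
GOOD_RSA = """
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
LEGACY_RSA = """
    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
SMALL_EC = """
    Signature Algorithm: ecdsa-with-SHA256
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                NIST CURVE: P-192
"""

if __name__ == "__main__":
    for name, cert in [("good_rsa", GOOD_RSA), ("legacy_rsa", LEGACY_RSA), ("small_ec", SMALL_EC)]:
        print(name, nist_800_131a_findings(cert) or "compliant")
```

To check a real certificate, feed it `openssl x509 -in cert.pem -noout -text` output instead of the constructed samples.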
Note: Although this does not pertain to SSL certificates, in strict NIST 800-131A compliance mode only TLS 1.2 can currently be used for SSL and TLS. TLS 1.2 is a protocol configuration on the server system that performs the actual encryption between server and browser; it is simply a setting that needs to be turned on on the server and is unrelated to certificates.
Another standard is that all government websites need to use HTTPS. Next time you are in a web browser such as Firefox or Edge, pay attention to the URL bar. If it shows https:// or a little padlock, you are in a secure session, which means all the information you enter into the browser will be encrypted. Beware: if you do not see a padlock or https://, you are not in an encrypted session, and any information you enter on the website can possibly be retrieved by hackers.
Certificate Authorities will only issue certificates that meet the standards of the industry.
Posted by:
Dominic Rafael
Senior Lead IT Engineer