Federated ICAM Endpoint Cryptographic Requirements, v1.0

The cryptographic requirements for system endpoints deployed for use by NIEF trusted partners.

Assessment Steps (2)

1. Proper Use of TLS (ProperUseofTLS)
Is the system configured to use TLS and SSL correctly, as specified in the conformance criterion, to protect all of its protocol endpoints? Specifically, does the system first attempt to use TLS 1.2 or higher, and then attempt to use TLS 1.1 if necessary? Note that use of TLS 1.0 or SSL 3 is acceptable but not recommended, and use of SSL 2 is prohibited.
Artifact
TLS Scanner Report
Provide a TLS Scanner Report from Qualys Scanner or equivalent. See https://www.ssllabs.com/ssltest/index.html.
2. Proper Use of Hashing Algorithms (ProperUseofHashingAlgorithms)
Does the system use only SHA-256, SHA-384, and/or SHA-512 hashes for digital signatures?
Artifact
Hash Algorithm Artifact
Provide evidence (policies, procedures, samples, etc.) that the system uses only SHA-256, SHA-384, and/or SHA-512 hashes for digital signatures.

Conformance Criteria (2)

Proper Use of TLS
The system MUST conform to the following rules regarding negotiation and handling of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
  1. The system MUST support TLS version 1.2 or higher, and MUST attempt to use TLS version 1.2 or higher before negotiating down to an older version of TLS.
  2. The system SHOULD support TLS version 1.1 and MUST attempt to use TLS version 1.1 before negotiating down to an older version of TLS or SSL in the event that TLS 1.2 or higher cannot be used.
  3. The system SHOULD NOT allow the use of TLS version 1.0 or SSL version 3.
  4. The system MUST NOT allow the use of SSL version 2.
Citation
NIEF
Proper Use of Hashing Algorithms
The system MUST use SHA-256, SHA-384, or SHA-512 for all hashes used with digital signatures. No other hash functions are permitted.
Citation
NIEF
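
Both criteria can be checked mechanically against scanner output. The Python below is an added example, not part of the NIEF specification; the protocol labels, finding levels and function names are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re

# Oldest to newest; labels are assumed scanner output strings.
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALLOWED_HASHES = {"SHA256", "SHA384", "SHA512"}

def check_tls(accepted, negotiated):
    """accepted: set of versions the endpoint accepts when each is offered alone.
    negotiated: version chosen when the client offers every version at once."""
    findings = []
    if not accepted & {"TLSv1.2", "TLSv1.3"}:
        findings.append(("FAIL", "rule 1: TLS 1.2 or higher MUST be supported"))
    if "TLSv1.1" not in accepted:
        findings.append(("NOTE", "rule 2: TLS 1.1 SHOULD be supported"))
    for old in ("TLSv1.0", "SSLv3"):
        if old in accepted:
            findings.append(("WARN", f"rule 3: {old} SHOULD NOT be allowed"))
    if "SSLv2" in accepted:
        findings.append(("FAIL", "rule 4: SSL 2 MUST NOT be allowed"))
    # Rules 1 and 2 also require trying the newest version before negotiating down.
    if accepted:
        best = max(accepted, key=ORDER.index)
        if negotiated != best:
            findings.append(("FAIL", f"negotiated {negotiated} although {best} is accepted"))
    return findings

def check_sig_hash(sig_alg):
    """Classify a signature algorithm name such as 'sha256WithRSAEncryption'."""
    m = re.search(r"(sha|md)-?(\d+)", sig_alg, re.I)
    if not m:
        # e.g. RSASSA-PSS: the hash is a parameter, not part of the name
        return ("REVIEW", f"{sig_alg}: hash not identifiable from name")
    name = (m.group(1) + m.group(2)).upper()
    if name in ALLOWED_HASHES:
        return ("PASS", name)
    return ("FAIL", f"{name} is not SHA-256, SHA-384 or SHA-512")

if __name__ == "__main__":
    # Constructed sample: a typical legacy-tolerant endpoint.
    for f in check_tls({"TLSv1.2", "TLSv1.1", "TLSv1.0"}, "TLSv1.2"):
        print(*f)
    for alg in ("sha256WithRSAEncryption", "sha1WithRSAEncryption", "RSASSA-PSS"):
        print(*check_sig_hash(alg))
```

A `REVIEW` result means the hash has to be read from the signature parameters or other evidence before the Hash Algorithm Artifact can be completed.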