Skip to main content

This section of the ISM provides guidance on Transport Layer Security.

Definitions

The terms Secure Sockets Layer (SSL) and TLS have traditionally been used interchangeably. However, as SSL 3.0 is no longer an AACP, instances of ‘SSL’ refer to SSL version 3.0 and below while ‘TLS’ refers to TLS 1.0 and beyond.

Using Transport Layer Security

The latest version of TLS is version 1.3, which was released in August 2018.

When using ICT equipment or software that implements TLS, security controls for using AACPs also need to be consulted in the ASD Approved Cryptographic Protocols section of these guidelines.

Security Control: 1139; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS
Only the latest version of TLS is used.

Security Control: 1369; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
AES in Galois Counter Mode is used for symmetric encryption.

Security Control: 1370; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
Only server-initiated secure renegotiation is used.

Security Control: 1372; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
DH or ECDH is used for key establishment.

Security Control: 1448; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
When using DH or ECDH for key establishment, the ephemeral variant is used.

Security Control: 1373; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Anonymous DH is not used.

Security Control: 1374; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
SHA-2-based certificates are used.

Security Control: 1375; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS
Cipher suites are configured to use SHA-2 as part of the Message Authentication Code and Pseudo-Random Function.

Security Control: 1553; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS
TLS compression is disabled.

Perfect Forward Secrecy

Using Perfect Forward Secrecy (PFS) reduces the impact of the compromise of a TLS session.

Security Control: 1453; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
PFS is used for TLS connections.

Further information

Further information on handling TLS traffic through gateways can be found in the web content filters section of the Guidelines for Gateways.

Further information on the implementation of TLS for websites can be found in in the ACSC’s Implementing Certificates, TLS and HTTPS publication at https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-certificates-tls-and-https.

Further information on TLS can be found in IETF RFC 8446 and its related updates: