Nov 02, 2016

SP 1800-6

DRAFT Domain Name Systems-Based Electronic Mail Security

NIST announces the release of draft Special Publication 1800-6, Domain Name Systems-Based Electronic Mail Security. NIST welcomes your comments and feedback (see the links below to all supporting documentation for this draft).

Both public and private sector business operations are heavily reliant on email exchanges, leading to concerns about email security and the use of email as an attack vector. Organizations are motivated by the need to protect the integrity of transactions containing financial and other proprietary information, and to protect the privacy of employees and clients. Cryptographic functions are usually employed to provide services such as authentication of the source of an email message, assurance that the message has not been altered by an unauthorized party, and message confidentiality. Most organizations rely on mail servers to provide security at an enterprise level in order to provide scalability and uniformity.

However, many server-based email security mechanisms are vulnerable to attacks involving faked or fraudulent digital certificates, otherwise invalid certificates, and failure to actually invoke a security process as a result of connection to (or through) a fraudulent server. Even if there are protections in place, some attacks have been able to subvert email communication by attacking the underlying support protocols such as Domain Name Systems (DNS). Attackers can spoof DNS responses to redirect email servers and alter email delivery. DNS Security Extensions (DNSSEC) was developed to prevent this. DNSSEC protects against unauthorized modifications to network management information and host IP addresses. DNSSEC can also be used to provide an alternative publication and trust infrastructure for service certificates using the DNS-based Authentication of Named Entities (DANE) resource records.
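The DANE check described above can be sketched as follows. This is an added example, not code from the NIST announcement or from SP 1800-6. It covers only the case where a TLSA record pins the server's own certificate (usage 3) and assumes the caller supplies the DER bytes of the presented certificate and its SubjectPublicKeyInfo, plus a flag from a validating resolver saying whether the answer passed DNSSEC validation. The host name, function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

class Tlsa(NamedTuple):
    usage: int      # 3 = DANE-EE: record pins the server's own certificate
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """DNS name under which the TLSA RRset for a service is published."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation format 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    rec = Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if not (0 <= rec.usage <= 3 and 0 <= rec.selector <= 1 and 0 <= rec.mtype <= 2):
        raise ValueError(f"unsupported TLSA parameters: {rdata!r}")
    return rec

def association(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bytes:
    """Value the presented certificate must produce to match rec.data."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected
    return hashlib.new("sha256" if rec.mtype == 1 else "sha512", selected).digest()

def dane_ee_ok(rrset, dnssec_validated, cert_der, spki_der) -> bool:
    """Accept the certificate only via a DNSSEC-validated DANE-EE record."""
    if not dnssec_validated:      # an unsigned answer may be spoofed: never trust it
        return False
    for rdata in rrset:
        try:
            rec = parse_tlsa(rdata)
        except ValueError:        # skip malformed records, keep checking the rest
            continue
        if rec.usage == 3 and hmac.compare_digest(association(rec, cert_der, spki_der), rec.data):
            return True
    return False

# Constructed sample input: placeholder bytes stand in for real DER encodings.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-subject-public-key-info-der"
RRSET = ["3 1 1 " + hashlib.sha256(SPKI).hexdigest(), "3 0 9 00"]

if __name__ == "__main__":
    print(tlsa_owner("mail.example.com"), dane_ee_ok(RRSET, True, CERT, SPKI))
```

A certificate with a different key, or the same record set returned without DNSSEC validation, is rejected, which is the property that defeats the substituted-certificate and spoofed-DNS cases named in the paragraph above.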

SP 1800-6 describes several demonstrated security platforms using DNS, DNSSEC, and DANE for trustworthy email exchanges across organizational boundaries. The security platforms described provide reliable authentication of mail servers, digital signature and encryption of email, and reliable binding of cryptographic key certificates to sources and servers. The example solutions and architectures presented are based upon standards-based open-source and commercially available products.

Email comments to: dns-email-nccoe@nist.gov (Subject: "Comments on Draft SP 1800-6")
Comments due by: December 19, 2016

Draft SP 1800-6 (single file)
Draft SP 1800-6a: Executive Summary
Draft SP 1800-6b: Approach, Architecture, and Security Characteristics
Draft SP 1800-6c: How-To Guides
Submit Comments
Project Homepage (with links to HTML version)
Press Release

 

 
