Device Class 1: Session Authenticity

Control ID: SC-23 Session Authenticity
Family: System and Communications Protection
Source: NIST 800-53r4
Control: The information system protects the authenticity of communications sessions.
Supplemental Guidance:
This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Related Controls: SC-8, SC-10, SC-11
Control Enhancements: N/A
References: N/A
Mechanisms:

  • Approved mechanisms for session authenticity are TLS and IPSec with the following parameters:
    • TLS: ECDSA and ECDHE over curves of length at least 256-bits and either ChaCha or AES with at least 128-bit keys in an authenticated encryption mode as the symmetric algorithm.
    • IPSec: DES for packet encryption. Triple-DES optional.
    The device shall support at least one of these mechanisms.
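The TLS parameters above can be turned into a concrete acceptance check. The following is an added example written for this page, not code from the profile or from any device vendor: it evaluates the parameters of a negotiated TLS session (protocol version, OpenSSL suite name, negotiated group and the peer's signature scheme, all as reported by Python's ssl module) against the stated policy, and builds a client context that can only negotiate TLS 1.2/1.3 suites meeting it. The curve table, the `SessionParams` record and the function names are assumptions of this example; the policy lines are taken from the mechanisms list.

```python
"""Evaluate a negotiated TLS session against the SC-23 TLS parameter policy.

Policy taken from the mechanisms list above:
  key exchange ECDHE, authentication ECDSA, curve of at least 256 bits,
  symmetric AES (>=128-bit key) or ChaCha20 in an authenticated-encryption mode.
Cipher names follow OpenSSL's conventions, as returned by ssl.SSLSocket.cipher().
"""
import re
import ssl
from dataclasses import dataclass

# Named groups and their field sizes in bits (assumption: the groups a device is
# likely to offer; extend for your deployment). Curve25519 is defined over a
# 255-bit field, so a literal reading of "at least 256 bits" excludes x25519.
CURVE_BITS = {
    "secp256r1": 256, "prime256v1": 256, "secp384r1": 384, "secp521r1": 521,
    "brainpoolP256r1": 256, "brainpoolP384r1": 384, "brainpoolP512r1": 512,
    "x25519": 255, "x448": 448,
}

# Symmetric part of a suite with separators removed, e.g. "AES128GCM".
AEAD_RE = re.compile(r"^(AES(128|256)(GCM|CCM8?)|CHACHA20POLY1305)$")


@dataclass(frozen=True)
class SessionParams:
    protocol: str         # "TLSv1.2" or "TLSv1.3", as SSLSocket.version() reports it
    cipher: str           # OpenSSL suite name, e.g. "ECDHE-ECDSA-AES128-GCM-SHA256"
    curve: str            # negotiated (EC)DHE group name
    peer_sig_scheme: str  # TLS SignatureScheme used by the peer, e.g. "ecdsa_secp256r1_sha256"


def _symmetric_token(parts: list[str]) -> str:
    """Drop a trailing PRF/MAC hash token and collapse the rest into one token."""
    if parts and parts[-1].startswith("SHA"):
        parts = parts[:-1]
    return "".join(parts)


def check_session(p: SessionParams) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations: list[str] = []

    if p.protocol not in ("TLSv1.2", "TLSv1.3"):
        violations.append(f"{p.protocol}: AEAD suites require TLS 1.2 or later")

    if p.cipher.startswith("TLS_"):
        # TLS 1.3 names carry no key-exchange or auth tokens: key exchange is
        # always (EC)DHE, and authentication is visible only in the signature scheme.
        sym = _symmetric_token(p.cipher[len("TLS_"):].split("_"))
    else:
        parts = p.cipher.split("-")
        kx, auth = (parts + ["", ""])[:2]
        if kx != "ECDHE":
            violations.append(f"key exchange {kx or '?'} is not ECDHE")
        if auth != "ECDSA":
            violations.append(f"authentication {auth or '?'} is not ECDSA")
        sym = _symmetric_token(parts[2:])

    m = AEAD_RE.match(sym)
    if not m:
        violations.append(f"symmetric algorithm {sym or '?'} is not AES/ChaCha in an AEAD mode")
    elif m.group(2) and int(m.group(2)) < 128:
        violations.append(f"AES key size {m.group(2)} is below 128 bits")

    bits = CURVE_BITS.get(p.curve)
    if bits is None:
        violations.append(f"unknown curve {p.curve!r}")
    elif bits < 256:
        violations.append(f"curve {p.curve} is {bits} bits, below 256")

    if not p.peer_sig_scheme.lower().startswith("ecdsa"):
        violations.append(f"peer signed the handshake with {p.peer_sig_scheme}, not ECDSA")

    return violations


def build_policy_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2/1.3 suites meeting the policy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE + ECDSA + AEAD only. All TLS 1.3 suites are AEAD and
    # stay enabled; ECDSA authentication there is enforced by the trusted CA set.
    ctx.set_ciphers("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
                    "ECDHE-ECDSA-CHACHA20-POLY1305")
    ctx.set_ecdh_curve("prime256v1")  # 256-bit group for the ephemeral exchange
    return ctx


if __name__ == "__main__":
    # Constructed sample: the parameters a compliant device session would report.
    print(check_session(SessionParams("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256",
                                      "secp256r1", "ecdsa_secp256r1_sha256")))
```

`check_session` is meant to be fed from a test harness that records `sock.version()`, `sock.cipher()[0]` and the negotiated group and signature scheme from a handshake capture or a debug log; the CBC suite `ECDHE-ECDSA-AES256-SHA384` and any RSA-authenticated suite are reported as violations, and the x25519 case is reported under the policy's literal 256-bit wording so that a reviewer can decide how the profile intends it.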

Protocol Implementation Conformance Statements:
| ID | Statement | Status | Reference | Notes |
|---|---|---|---|---|
| SC-23/1-1 | Supports signing messages according to IEEE 1609.2 | SC-23/1-1:M | IEEE 1609.2 | |
| SC-23/1-2 | Verifies messages signed with IEEE 1609.2 | SC-23/1-2:M | IEEE 1609.2 | |
| SC-23/1-3 | Supports session end with invalid 1609.2 signature | SC-23/1-3:M | IEEE 1609.2 | |
| SC-23/2-1 | Supports signing messages according to TLS | SC-23/2-1:O | | |
| SC-23/2-2 | Verifies messages signed in TLS session | SC-23/2-2:C | | |
| SC-23/2-3 | Supports TLS session end with invalid signature | SC-23/2-3:C | | |
| SC-23/3-1 | Supports signing messages according to DTLS | SC-23/3-1:O | | |
| SC-23/3-2 | Verifies messages signed in DTLS session | SC-23/3-2:C | | |
| SC-23/3-3 | Supports DTLS session end with invalid signature | SC-23/3-3:C | | |
| SC-23/4-1 | Supports IPSec | SC-23/4-1:M | RFC 2410, RFC 2401, RFC 2402 | |
| SC-23/4-2 | Supports DES | SC-23/4-2:O1 | RFC 2410, RFC 2401, RFC 2402 | |
| SC-23/4-3 | Supports Triple-DES | SC-23/4-3:O1 | RFC 2410, RFC 2401, RFC 2402 | |