🚴 NIST Cybersecurity Practice Guide, Special Publication 1800-6: “Domain Name Systems-Based Electronic Mail Security”

NIST Announcement: "The NCCoE released a draft of the NIST Cybersecurity Practice Guide, “Domain Name Systems-Based Electronic Mail Security.”  The draft guide is now open for public comments and the public comment period will remain open until December 19, 2016. 

"For ease of use, the guide is available in volumes:

• SP 1800-6a: Executive Summary (PDF) (web page)
• SP 1800-6b: Approach, Architecture, and Security Characteristics (PDF) (web page)
• SP 1800-6c: How-To Guides (PDF) (web page)

"Or download the complete guide (PDF).

Read the press release about the draft guide and project.

"Or see the two-page fact sheet or draft and final DNS-Based Secured Email Project Descriptions (PDF)for additional information.

If you have questions or would like to email the project team, contact us at dns-email-nccoe@nist.gov

Business Challenge

"Email has become the dominant method of electronic communication for both private and public sector organizations, fueled by low costs and fast delivery.  Securing these transactions has been less of a priority, which is one reason why email attacks have increased.

"Whether the goal is authentication of the source of an email message or assurance that the message has not been altered by or disclosed to an unauthorized party, organizations must employ some cryptographic protection mechanism. Economies of scale and a need for uniform security implementation drive most enterprises to rely on mail servers and/or Internet service providers (ISPs) to provide security to all members of an enterprise. Many current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend. The consequences of these vulnerabilities frequently involve unauthorized parties being able to read or modify supposedly secure information, or introduce malware to gain access to enterprise systems or information. Protocols exist that are capable of providing needed email security and privacy, but impediments such as unavailability of easily implemented software libraries and operational issues stemming from some software applications have limited adoption of existing security and privacy protocols.

Solution

"This project has resulted in NIST Special Publication 1800-6, “Domain Name Systems-Based Electronic Mail Security,” which illustrates how commercially available technologies can meet an organization’s needs to improve email security and defend against email-based attacks such as phishing and man-in-the-middle types of attacks.

"This draft practice guide describes a proof of concept security platform that demonstrates trustworthy email exchanges across organizational boundaries and includes authentication of mail servers, signing and encryption of email, and binding cryptographic key certificates to the servers.

The goal of this project is to help organizations:

• Encrypt emails between mail servers
• Allow individual email users to digitally sign and/or encrypt email messages
• Allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages

"The example solution uses Domain Name System Security Extension (DNSSEC) protocol to authenticate server addresses and certificates used for Transport Layer Security (TLS) to DNS names.

The project's demonstrated security platform can provide organizations with improved privacy and security protection for users' operations and improved support for implementation and use of the protection technologies. The platform also improves the usability of available DNS security applications and encourages wider implementation of DNSSEC, TLS and S/MIME to protect electronic communications.

NIST SP 1800-6 is in draft form and open for public comment until December 19, 2016. Please share your comments and feedback on this project and its example solution.