Addressing Visibility Challenges with TLS 1.3

Recent enhancements to cryptographic security protocols, such as Transport Layer Security (TLS) 1.3, disrupt current approaches to achieving visibility into internal network communications within enterprise data centers. These protocols were not designed to accommodate decryption of internal network traffic by passive monitoring devices, creating potential compliance, security, and operational impacts in enterprises that currently rely on such devices.

Approaches for maintaining network visibility to help all enterprises adopt TLS 1.3 and other modern protocols

The project will demonstrate practical and implementable approaches to help organizations adopt TLS 1.3 in their private data centers and hybrid cloud environments while maintaining their regulatory compliance, cybersecurity, and operations.
Status: Seeking Collaborators

Industry participants and other interested parties are invited to participate in the Addressing Visibility Challenges with TLS 1.3 project. Please review the requirements identified in the Federal Register Notice. Anyone interested in becoming a collaborator should request and complete a Letter of Interest. The NCCoE considers participants who have submitted a completed Letter of Interest on a first-come, first-served basis.

Project Abstract

To improve communications security on the internet, modern protocol designers have changed protocols to implement stronger security properties that protect the secrecy of historical traffic even if the servers’ long-term secret keys are compromised—known as forward secrecy. These changes have created significant challenges for enterprises’ network visibility strategies. Consequently, enterprises have raised questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using modern protocols such as Transport Layer Security (TLS) 1.3.

The NCCoE is currently planning a project focusing on the security implications of TLS 1.3 protocol implementations that provide system and application administrators and users with the necessary visibility into the content of information being exchanged. Approaches that restore visibility into encrypted data in transit are of initial interest. Other approaches, such as analysis of encrypted data, enhanced auditing, and novel network architectures, will also be considered.

Through its research, the NCCoE has already identified a broad set of possible options for maintaining visibility into network traffic. This project will demonstrate a range of approaches based on these options.

Join the Community of Interest

The NCCoE has an Addressing Visibility Challenges with TLS 1.3 Community of Interest. It is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. 
