TLS Detect Compliance Scoring

TLS Detect Compliance Scoring

TrustFour and TLSCompliance.com use the following numeric scoring framework to rate how well a given domain is configured against NIST Special Publication 800-52 Revision (800-52-R2).

NIST 800-52-R2 provides guidelines for the implementation of the Transport Layer Security (TLS) protocol to ensure data confidentiality, integrity, and authenticity.

Using a numeric scoring of TLS compliance against NIST 800-52-R2 provides a structured approach to evaluating the security of your data transmissions.

Achieving and maintaining a high compliance score is an ongoing process that requires continuous monitoring and adaptation to evolving security threats. TrustFour has solutions ranging from detection with continuous compliance monitoring through control and auto-protect capabilities TrustFour Control Plane Solutions.

T4

Scoring Strategy

As with ITEF and NIST standards, TrustFour follows the convention in other normative documents for the verbs “shall”, “shall not”, “should”, “should not” and “may” which are a subset of the IETF Request for Comments (RFC) 2119 key words (RFC 2119).

Server & Domain Rating

Rating score Red Amber Green (RAG) Status
A + 99 – 100 Green
A 95 – 98 Green
A- 90 – 94 Green
B 80 – 89 Amber
C 70 – 79 Amber
D 60 – 69 Amber
E 50 – 59 Amber
F 0 – 49 Red

If critical vulnerabilities are detected, the score is downgraded to F.

 

Interpretation of the verbs is as below

verb Implies score
shall must do

compliance → 1

non compliance → 0

shall not must not do

compliance → 1

non compliance → 0

should recommended

compliance → 1

non compliance → 0

should not not recommended

compliance → 1

non compliance → 0

may optional

compliance → no scoring

non compliance → 0

If implemented and non-compliant, scored as a 0.  

If not implemented, not included in the overall score. 

 

There are two categories: Server Certificate and TLS Handshake. The Server Certificate is common for all TLS Versions while TLS Handshake parameters will differ from one TLS Version to another.

Server Certificate Compliance

Server Certificate Param Mandatory Verb
1 Public Cert Auth Info yes Should
2 Public Cert Auth Key Identifier yes Should
3 Public Cert Expiry Date yes Should
4 Public Cert Extended Key Usage yes Should
5 Public Cert Issuer DN yes Should
6 Public Cert Issuer Signature Algorithm yes Shall
7 Public Cert Key Length yes Shall
8 Public Cert Key Usage yes Should
9 Public Cert SAN Entries yes Should
10 Public Cert Signature Algorithm yes Should
11 Public Cert Sub Key Identifier yes Should
12 Public Cert Subject DN yes Should
13 Public Cert Subject DN CN yes Shall
14 Public Cert Type yes Shall
15 Public Cert Version (X509 Version) yes Shall
16 ECDSA Public Key Curve yes ( only for ECDSA cert type ) Should

TLS 1.3 Handshake Compliance

TLS Handshake Param Mandatory Verb
1 Supported Cipher Suites yes Shall
2 Server Name Indication Extension Support yes Shall
3 Signature Algorithms Extension Support yes Shall
4 Certificate Status Request Extension Support yes Shall
5 Supported Groups Extension Support yes Shall
6 Key Share Extension Support yes Shall
7 Supported Versions Extension Support yes Shall
8 Signed Certificate Timestamps Extension Support yes Should
9 Early Data Indication Extension Support yes Should Not
10 Cookie Extension Support no May (Scored if implemented)

 

TLS 1.2

TLS Handshake Param Mandatory Verb
1 Renegotiation Indication Extension Support yes Shall
2 Supported Cipher Suites yes Shall
3 Server Name Indication Extension Support yes Shall
4 Extended Master Secret Extension Support yes Shall
5 Signature Algorithms Extension Support yes Shall
6 Certificate Status Request Extension Support yes Shall
7 Fallback Signaling Cipher Suite Value Support yes Shall
8 Supported Groups Extension Support yes Shall
9 Supported Point Formats Extension Support yes Shall
10 Encrypt-then-MAC Extension Support yes Shall
11 Signed Certificate Timestamps Extension Support yes Should

 

TLS 1.1 & TLS 1.0

TLS Handshake Param Mandatory Verb
1 Renegotiation Indication Extension Support yes Shall
2 Server Name Indication Extension Support yes Shall
3 Extended Master Secret Extension Support yes Shall
4 Certificate Status Request Extension Support yes Shall
5 Fallback Signaling Cipher Suite Value Support yes Shall
6 Supported Groups Extension Support yes Shall
7 Supported Point Formats Extension Support yes Shall
8 Encrypt-then-MAC Extension Support yes Shall
9 Signed Certificate Timestamps Extension Support yes Should
10 Supported Cipher Suites yes Shall

T4

Calculation of Key Strength

Key exchange aspect Score
Weak key (Debian OpenSSL flaw) 0%
Anonymous key exchange (no authentication) 0%
Key or DH parameter strength < 512 bits 20%
Exportable key exchange (limited to 512 bits) 40%
Key or DH parameter strength < 1024 bits (e.g., 512) 40%
Key or DH parameter strength < 2048 bits (e.g., 1024) 80%
Key or DH parameter strength < 4096 bits (e.g., 2048) 90%
Key or DH parameter strength >= 4096 bits (e.g., 4096) 100%

Calculation of Cipher Strength

Cipher strength Score
0 bits (no encryption) 0%
< 128 bits (e.g., 40, 56) 20%
< 256 bits (e.g., 128, 168) 80%
>= 256 bits (e.g., 256) 100%

Scoring Notes

  1. If Server supports TLS 1.1 – reduce 1 point in TLS Handshake score of the server
  2. If Server supports TLS 1.0 – reduce 1 point in TLS Handshake score of the server
  3.  If cipher suite of type TLS_AKE_WITH* is encountered (e.g. TLS_AKE_WITH_AES_128_GCM_SHA256) analyze as if  TLS_AES_128_GCM_SHA256. Some implementations define these cipher suites with a non-standard naming convention.

T4

Scoring Example

This example is a domain that has only one server supporting TLS 1.3 and TLS 1.2.  The score is calculated for each TLS version and then averaged for an overall score.

TLS 1.3

Category Score Total Score Score %
TLS Handshake 7 9 77.78 %
Certificate 13 15 86.67 %
Cipher Strength 90%
Key Strength 90%

TLS 1.3 Score : Avg of all 4 scores = (77.78 + 86.67+ 90 + 90)/4 = 86.11 %

 

TLS 1.2

Category

Score

Total Score

Score %

TLS Handshake

9

11

81.81 %

Certificate

13

15

86.67 %

Cipher Strength

90 %

Key Strength

90 %

TLS 1.2 Score : Avg of all 4 scores = (81.81+ 86.67 + 90 + 90)/4 = 87.12 %

For the overall domain score, we combine scores of all versions of TLS found.  In this case only TLS 1.3 and TLS 1.2 were found.

Overall Domain Score

Category Score
TLS Handshake 16/21 (76.19 %)
Certificate 26/30 ( 86.67 %)
Cipher Strength 90%
Key Strength 90%

Overall score  = Average of the 4 sub-scores = ( 76.19 + 86.67 + 90 + 90 )/4 = 85.71 %, Rating B

Our Products

T4 - Detect

Workload Attack Surface Hygiene and Visibility

Read More +

T4 - Protect

Workload Attack Surface Advanced Protection

Read More +