SC-23 Session Authenticity
Protect the authenticity of communications sessions.
Baselines
- L
- M
- H
- P
Guidance
Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against "man-in-the-middle" attacks, session hijacking, and the insertion of false information into sessions.
References
- SP 800-52 McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2.
- SP 800-77 Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1.
- SP 800-95 Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95.
- SP 800-113 Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113.
Control Enhancements
- SC-23(01) Invalidate Session Identifiers at Logout L M H P
- SC-23(02) User-initiated Logouts and Message Displays (withdrawn in Rev. 5; incorporated into AC-12(01))
- SC-23(03) Unique System-generated Session Identifiers L M H P
- SC-23(04) Unique Session Identifiers with Randomization (withdrawn in Rev. 5; incorporated into SC-23(03))
- SC-23(05) Allowed Certificate Authorities L M H P
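The guidance above and enhancements SC-23(01) and SC-23(03) describe what a session layer must do (unpredictable, system-generated identifiers that stop working at logout) without showing how. The following in-memory session store is an added illustration written for this page; it is not NIST's code nor any product's implementation. The class and function names (`SessionStore`, `predictable_session_id`, `demo`) and the fixed timestamps are assumptions made for the example. It also rotates the identifier on privilege change, a defence against session fixation that goes slightly beyond the control text.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory session store illustrating SC-23(1) and SC-23(3):
# unpredictable, system-generated session identifiers that are invalidated at
# logout. Illustrative code only, not NIST's or any product's implementation.

SESSION_ID_BYTES = 32      # 256 bits from the OS CSPRNG: infeasible to guess or enumerate
DEFAULT_TTL_SECONDS = 3600


def predictable_session_id(counter: int) -> str:
    """The anti-pattern SC-23(3) rules out: an identifier derived from a counter
    (or a timestamp, or the user name) lets a remote party predict other sessions."""
    return f"sess-{counter:08d}"


def _fingerprint(session_id: str) -> str:
    """Keep only a SHA-256 digest of the identifier server-side, so a leaked
    session table cannot be replayed against the live service."""
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, ttl_seconds: int = DEFAULT_TTL_SECONDS) -> None:
        self._ttl = ttl_seconds
        # fingerprint -> (user, absolute expiry time)
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh, system-generated identifier for an authenticated user."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)   # os.urandom-backed
        self._sessions[_fingerprint(session_id)] = (user, now + self._ttl)
        return session_id

    def validate(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the session's user, or None if the identifier is unknown,
        tampered with, expired, or already logged out."""
        now = time.time() if now is None else now
        key = _fingerprint(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            self._sessions.pop(key, None)
            return None
        return user

    def logout(self, session_id: str) -> bool:
        """SC-23(1): invalidate the identifier at logout so a captured copy cannot
        be replayed afterwards. Returns True if a live session was removed."""
        return self._sessions.pop(_fingerprint(session_id), None) is not None

    def rotate(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a new identifier and retire the old one. Rotating on privilege
        change (e.g. right after login) defeats session fixation, a hijacking
        technique in which the attacker plants the identifier the victim later uses."""
        user = self.validate(session_id, now)
        if user is None:
            return None
        self.logout(session_id)
        return self.create(user, now)


def demo() -> dict:
    """Walk through the session life cycle with fixed (constructed) timestamps and
    return the observations so they can be checked rather than just printed."""
    store = SessionStore(ttl_seconds=60)
    t0 = 1_000_000.0
    sid = store.create("alice", now=t0)
    tampered = sid[:-1] + ("A" if sid[-1] != "A" else "B")   # one character changed
    results = {
        "id_length": len(sid),                                   # 43 chars of base64url
        "valid_after_create": store.validate(sid, now=t0 + 1),
        "tampered_rejected": store.validate(tampered, now=t0 + 1),
        "distinct_ids": store.create("bob", now=t0) != sid,
    }
    rotated = store.rotate(sid, now=t0 + 2)
    results["old_id_dead_after_rotate"] = store.validate(sid, now=t0 + 3)
    results["new_id_live_after_rotate"] = store.validate(rotated, now=t0 + 3)
    results["logout_removed_session"] = store.logout(rotated)
    results["replay_after_logout"] = store.validate(rotated, now=t0 + 4)
    expiring = store.create("carol", now=t0)
    results["expired_rejected"] = store.validate(expiring, now=t0 + 61)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The identifier the client holds is the only copy of the secret; the server keeps a digest, so neither a database dump nor a log line containing the table exposes a usable token. Whatever transports the identifier (a cookie, for instance) still needs the transmission protections of SC-08, since an unpredictable identifier sent in cleartext is still trivially hijacked on the wire.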
Related controls
- AU-10 Non-repudiation L M H P
- SC-08 Transmission Confidentiality and Integrity L M H P
- SC-10 Network Disconnect L M H P
- SC-11 Trusted Path L M H P