Date Published: September 2025
Author(s)
William Newhouse (NIST), Murugiah Souppaya (NIST), David Cooper (NIST), W. Polk (NIST), William Barker (Strativia), Karen Scarfone (Scarfone Cybersecurity), John Kent (MITRE), Julian Sexton (MITRE), Michael Dimond (MITRE), Joshua Klosterman (MITRE), Ryan Williams (MITRE), David Wells (Mira Security), Johann Tonsing (Mira Security), Sean Turner (sn3rd), Patrick Kelsey (Not for Radio), Russ Housley (Vigil Security), Tim Cahill (JP Morgan Chase), Murali Palamisamy (AppViewX), Dung Lam (F5), Paul Barrett (NETSCOUT), Ray Jones (NETSCOUT), Sandeep Jha (NETSCOUT), Steven Fenter (US Bank), Jake Wills (US Bank), Jane Gilbert (Thales Trusted Cyber Technologies), D'Nan Godfrey (Thales Trusted Cyber Technologies), Dean Coclin (DigiCert), Avesta Hojjati (DigiCert)
The Transport Layer Security (TLS) protocol is widely deployed to secure network traffic. TLS 1.3 protects the contents of previous TLS communications even if a TLS-enabled server is later compromised; this property is known as forward secrecy. The approach used to achieve forward secrecy in TLS 1.3 may interfere with the passive decryption techniques that enterprises rely on to have visibility into their TLS 1.2 traffic. Enterprises' authorized network security staff rely on that visibility to protect their data and systems with critical cybersecurity controls, to meet operational needs, and to satisfy legal requirements. Adoption of the TLS 1.3 protocol can therefore disrupt current approaches to observing and monitoring internal network communications within an enterprise.
The NCCoE, in collaboration with technology providers and enterprise customers, initiated a project to demonstrate options for maintaining visibility within the TLS 1.3 protocol using several standards-compliant builds that enterprises can use for real-time and post-facto systems monitoring and analytics capabilities.
This publication contains demonstrated proofs of concept along with links to detailed technical information online on NIST pages. This publication also includes links to mappings of TLS 1.3 visibility principles to commonly used security standards and guidelines.
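The abstract's core point (forward secrecy defeats passive decryption that relies on a server's long-term key, so visibility has to be restored by other means such as key management) can be seen in a small model. The following is an added illustration, not code from the publication or from any NCCoE build: it uses a toy finite-field Diffie-Hellman group, a constructed message, and an HMAC-based stand-in for the TLS key schedule and record protection. The "static" handshake models a TLS 1.2-style exchange keyed by the server's long-term secret; the "ephemeral" handshake models TLS 1.3, where the server's per-connection secret is discarded after the handshake. The `exported_key` path models an authorized server-side key export to a monitoring point, which is one of the general visibility approaches the publication's keywords refer to (the specific export mechanism is an assumption of this example, not the project's design).

```python
"""Toy model: passive decryption against static vs. ephemeral key exchange.

Constructed illustration only. Parameters are far too small for real use and
the server's handshake signature is omitted; the point is the key-derivation
dependency, not a faithful TLS implementation.
"""
import hashlib
import hmac
import secrets

# Toy DH group (constructed): 2**127 - 1 as the modulus, generator 2.
P = 170141183460469231731687303715884105727
G = 2
# Constructed sample application data sent over the connection.
MESSAGE = b"GET /internal/report HTTP/1.1\r\nHost: app.example.test\r\n\r\n"


def keypair():
    """Generate a DH private exponent and the matching public value."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_traffic_key(shared: int, transcript: bytes) -> bytes:
    """HKDF-like stand-in: bind the traffic key to the shared secret and transcript."""
    return hmac.new(shared.to_bytes(16, "big"), transcript, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stream-encrypt with a SHAKE keystream and append an HMAC tag (AEAD stand-in)."""
    keystream = hashlib.shake_256(key).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key: bytes, sealed: bytes):
    """Verify the tag and decrypt; return None when the key is wrong, as a real
    record layer would reject the record rather than emit garbage."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    keystream = hashlib.shake_256(key).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


def handshake(server_static_priv: int, server_static_pub: int, ephemeral: bool):
    """Run one connection. Returns (wire_capture, server_session_key).

    The capture is exactly what a passive observer on the network sees; no
    private value appears in it. In ephemeral mode the server's DH secret is
    fresh per connection and discarded afterwards (forward secrecy).
    """
    client_priv, client_pub = keypair()
    if ephemeral:
        srv_priv, srv_pub = keypair()          # TLS 1.3-style: per-connection secret
    else:
        srv_priv, srv_pub = server_static_priv, server_static_pub  # TLS 1.2-style static key
    transcript = client_pub.to_bytes(16, "big") + srv_pub.to_bytes(16, "big")
    shared = pow(srv_pub, client_priv, P)      # client side: g^(client*server)
    key = derive_traffic_key(shared, transcript)
    capture = {"client_pub": client_pub, "server_pub": srv_pub,
               "record": seal(key, MESSAGE)}
    del client_priv, srv_priv                  # secrets do not outlive the handshake
    return capture, key


def passive_decrypt(capture: dict, server_static_priv: int):
    """TLS 1.2-style passive decryption: combine the captured client public value
    with the server's long-term private key and try to open the record."""
    transcript = (capture["client_pub"].to_bytes(16, "big")
                  + capture["server_pub"].to_bytes(16, "big"))
    shared = pow(capture["client_pub"], server_static_priv, P)
    return open_(derive_traffic_key(shared, transcript), capture["record"])


def demo() -> dict:
    """Compare passive decryption across both modes plus an authorized key export."""
    static_priv, static_pub = keypair()        # server's long-term key
    cap_static, _ = handshake(static_priv, static_pub, ephemeral=False)
    cap_eph, exported_key = handshake(static_priv, static_pub, ephemeral=True)
    return {
        # Long-term key alone suffices: static exchange has no forward secrecy.
        "static_passive": passive_decrypt(cap_static, static_priv),
        # Same observer, same long-term key: the ephemeral record cannot be opened.
        "ephemeral_passive": passive_decrypt(cap_eph, static_priv),
        # Visibility restored only through the server deliberately exporting the
        # session key to an authorized monitor (assumed mechanism for this toy).
        "ephemeral_exported": open_(exported_key, cap_eph["record"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {'decrypted' if result == MESSAGE else 'no access'}")
```

The design choice worth noting for defenders is in `demo()`: the observer's inputs are identical in both modes (the captured handshake plus the server's long-term key), and only the server's decision to use a per-connection secret changes the outcome. Any visibility scheme for TLS 1.3 therefore has to obtain key material from an endpoint or a key-management service rather than derive it from traffic, which is why key distribution and bounded key lifetimes become the central design and audit questions.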
Keywords
bounded lifetime; break and inspect; ephemeral; key management; middlebox; passive decryption; passive inspection; protocol; Transport Layer Security (TLS); visibility
Control Families
None selected