USGS Cipher Suite Requirements and Configuration Standards

The Department is requiring that Bureaus remove TLS 1.0 and 1.1 from their environments in favor of TLS 1.2. The USGS ISO is managing the transition. The current deadline imposed by ISO is October 24th, 2018. We will be communicating the TLS removal plan during the August ISSO meeting. The first step in the plan is to engage ISSOs to have every USGS internal or external service within their system or subsystem configured to support TLS 1.2 (at a minimum) no later than August 29th.

What is a Cipher suite

A cipher suite is a set of algorithms that secure a network connection using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). A cipher suite usually names a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.[1]

SSL (all versions) and TLS 1.0 are no longer considered secure protocols and, as of June 30, 2018, have been deprecated. USGS sites should use the current standard, TLS 1.2.

The key exchange algorithm establishes a shared secret between the two endpoints; the session keys derived from it are used to encrypt and decrypt the messages sent between them. The bulk encryption algorithm encrypts the application data. The MAC algorithm provides an integrity check so that any modification of the data in transit is detected. Cipher suites also name a signature or authentication algorithm used to authenticate the server and, optionally, the client.

The structure and use of the cipher suite concept is defined in the TLS standard document.[3] TLS 1.2 is the current version of TLS. The draft of the next version (TLS 1.3) changes what a cipher suite specifies: a TLS 1.3 suite names only the AEAD cipher and the hash used for key derivation, while key exchange and authentication are negotiated separately. At the time of writing TLS 1.3 is not yet a published standard, so it is not widely deployed and may still change. Cipher suites defined for TLS 1.2 cannot be used in TLS 1.3, and vice versa, unless otherwise stated in their definition.
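The following is an added example, not code from the USGS page: it splits IANA cipher-suite names into the components described above (key exchange, authentication, bulk cipher, MAC), flags the algorithms the dependency lists on this page target (RC4, 3DES, MD5, NULL), and then builds a Python `ssl` client context that enforces a TLS 1.2 minimum with those suites excluded. The cipher string in `usgs_client_context()` is an assumed, illustrative choice, not a USGS-mandated list, and the function names are the example's own.

```python
"""Added example (not part of the USGS page).

1. parse_iana_suite() breaks an IANA cipher-suite name into its component
   algorithms and flags the weak ones (RC4, DES/3DES, MD5, NULL, EXPORT, anon).
2. usgs_client_context() builds an ssl.SSLContext that enforces TLS 1.2 as the
   minimum and drops RC4/3DES suites.  The cipher string is an assumption for
   illustration, not a USGS-mandated list.

Requires Python 3.7+ linked against OpenSSL 1.1.0g or later
(SSLContext.minimum_version).
"""
import re
import ssl

# TLS 1.2-style names: TLS_<kx>_<auth>_WITH_<bulk>_<mac>,
# e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
_TLS12_NAME = re.compile(r"^TLS_(.+?)_WITH_(.+)_(SHA\d*|MD5)$")
# TLS 1.3-style names omit key exchange and authentication:
# TLS_AES_128_GCM_SHA256 (the trailing hash is the HKDF hash, not a MAC).
_TLS13_NAME = re.compile(r"^TLS_(.+)_(SHA\d+)$")

# Bulk ciphers that must not be negotiated (DES also matches 3DES).
_WEAK_BULK = re.compile(r"RC4|DES|NULL|EXPORT")


def parse_iana_suite(name: str) -> dict:
    """Split an IANA cipher-suite name into key exchange, authentication,
    bulk cipher and MAC, and flag suites built on deprecated algorithms."""
    m = _TLS12_NAME.match(name)
    if m:
        kx_auth, bulk, mac = m.groups()
        # "ECDHE_RSA" -> ECDHE key exchange authenticated with an RSA key.
        # A bare "RSA" means RSA key transport authenticated by the same key.
        kx, _, auth = kx_auth.partition("_")
        auth = auth or kx
    else:
        m = _TLS13_NAME.match(name)
        if not m:
            raise ValueError(f"unrecognised cipher suite name: {name}")
        bulk, mac = m.groups()
        kx = auth = None  # negotiated separately in TLS 1.3
    weak = bool(_WEAK_BULK.search(bulk)) or mac == "MD5" or auth == "anon"
    return {"key_exchange": kx, "authentication": auth,
            "bulk_cipher": bulk, "mac": mac, "weak": weak}


def usgs_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and excludes
    RC4, 3DES, MD5, NULL and EXPORT suites (assumed cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT"
    )
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Pre-deployment check: what can this context still negotiate?"""
    names = [c["name"] for c in ctx.get_ciphers()]
    offending = [n for n in names if re.search(r"RC4|DES|MD5|NULL", n)]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "cipher_count": len(names),
        "offending": offending,
    }


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_AES_128_GCM_SHA256"):
        print(suite, parse_iana_suite(suite))
    print(audit_context(usgs_client_context()))
```

`audit_context()` reports the suites OpenSSL would actually offer after the cipher string and minimum version are applied, which is the check to run before a service is declared TLS 1.2-only; on OpenSSL 1.1.1 and later the list also includes the TLS 1.3 suites, which are unaffected by the cipher string.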

Review the current dependencies, which are listed at the following links:

USGS RC4 Dependencies

USGS TLS 1.0/1.1 Dependencies

USGS 3DES Dependencies

USGS Policy and Best Practices

The current USGS standard is TLS 1.2. All USGS sites should use TLS 1.2 as a minimum.

Dependencies on TLS 1.0 and 1.1 that require an exception should be recorded here:

TLS 1.0 1.1 Exception List
