home || catalog: SP800-53rev3 / class: Technical / family: (SC) System and Communications Protection ||

SC-23: Session Authenticity

base control objective:
The information system provides mechanisms to protect the authenticity of communications sessions.

supplemental objective information:
This control focuses on communications protection at the session, versus packet, level. The intent of this control is to establish grounds for confidence at each end of a communications session in the on-going identity of the other party and in the validity of the information being transmitted. For example, this control addresses man-in-the-middle attacks including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).

enhancements to the base objective:

(1) The information system invalidates session identifiers upon user logout or other session termination.

(2) The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.

(3) The information system generates a unique session identifier for each session and recognizes only session identifiers that are system-generated.

(4) The information system generates unique session identifiers with [Assignment: organization-defined randomness requirements].
Enhancement Supplemental Guidance: Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.
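Added example, not text or code from SP800-53rev3 or this catalog: a minimal server-side session store in Python showing how enhancements (1), (3) and (4) are typically realised together. The store issues identifiers from a CSPRNG, recognises only identifiers it issued itself (so a client-supplied value is never adopted, which also defeats session fixation), and drops the identifier on logout or idle expiry. The class and function names, the 32-byte (256-bit) identifier size standing in for the organization-defined randomness requirement, and the 900-second idle timeout are this example's own assumptions. Enhancement (2) is a user-interface requirement and the man-in-the-middle protection of the base control is a transport matter (see the TLS and IPsec references below), so neither is shown here.

```python
import secrets
import time

# Assumed values, not figures from SP800-53rev3:
SESSION_ID_BYTES = 32        # 256 bits of CSPRNG output per identifier (enhancement 4)
IDLE_TIMEOUT_SECONDS = 900   # idle expiry as one form of "other session termination"


class SessionStore:
    """Server-side table of the sessions this system has issued.

    Only identifiers present in the table are recognised (enhancement 3).
    A client cannot introduce its own identifier because the server never
    adopts a value it did not generate, which closes session fixation.
    """

    def __init__(self, now=time.time):
        self._sessions = {}   # session_id -> {"user": str, "last_seen": float}
        self._now = now       # injectable clock so expiry can be tested offline

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable, system-generated identifier (enhancements 3 and 4)."""
        while True:
            # token_urlsafe(32) encodes 32 random bytes: 43 URL-safe characters
            session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
            if session_id not in self._sessions:   # unique among live sessions
                break
        self._sessions[session_id] = {"user": user, "last_seen": self._now()}
        return session_id

    def lookup(self, session_id: str):
        """Return the user bound to a valid session, or None.

        Unknown, client-chosen, logged-out and idle-expired identifiers all fail.
        """
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]   # termination by timeout invalidates the id too
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, session_id: str) -> bool:
        """Invalidate the identifier on logout (enhancement 1). False if it was not live."""
        return self._sessions.pop(session_id, None) is not None

    def rotate(self, session_id: str):
        """Replace a live identifier with a new one (e.g. right after login), so a value
        observed before authentication buys nothing afterwards. Returns the new id or None."""
        user = self.lookup(session_id)
        if user is None:
            return None
        del self._sessions[session_id]
        return self.create(user)


def demo() -> dict:
    """Exercise the store against the behaviours the enhancements call for.

    Uses a constructed, controllable clock; every value should be True.
    """
    clock = [1_000.0]
    store = SessionStore(now=lambda: clock[0])

    sid = store.create("alice")
    results = {
        "valid_after_create": store.lookup(sid) == "alice",
        # an attacker-chosen or guessed value is not in the table, so it is rejected
        "forged_id_rejected": store.lookup("attacker-chosen-id") is None,
        "ids_are_unique": store.create("bob") != sid,
    }

    new_sid = store.rotate(sid)
    results["old_id_dead_after_rotate"] = (
        store.lookup(sid) is None and store.lookup(new_sid) == "alice"
    )
    results["logout_invalidates"] = store.logout(new_sid) and store.lookup(new_sid) is None
    results["second_logout_is_noop"] = store.logout(new_sid) is False

    expiring = store.create("carol")
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    results["idle_session_invalidated"] = store.lookup(expiring) is None
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The identifier is only ever a lookup key into state the server owns; nothing about the user, role or expiry is encoded in it, so there is nothing for a client to tamper with and nothing to verify beyond "did we issue this and is it still live". If sessions must survive across several servers, the same table lives in a shared store, but the rule that an unknown identifier is simply rejected does not change.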

mapping to FIPS199 baseline:

  LOW: not selected     MOD: SC-23 (base control only)     HIGH: SC-23 (base control only)  

related controls:

None.

documents referenced in SP800-53rev3 for SC-23:

Document | Date | Status | Title
NIST SP800-113 | July 2008 | current | Guide to SSL VPNs
NIST SP800-52 | June 2005 | current | Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
NIST SP800-54 | September 2006 | DRAFT | Border Gateway Protocol Security
NIST SP800-77 | December 2005 | current | Guide to IPsec VPNs
NIST SP800-95 | August 2006 | DRAFT | Guide to Secure Web Services
