Acceptable Encryption Guidelines
The purpose of these guidelines is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, these guidelines provide direction to ensure that Federal regulations are followed and that legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
The scope of these guidelines includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any McNeese State University facility, has access to the McNeese State University network, or stores any non-public McNeese State University information.
Proven, standard algorithms such as AES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Pretty Good Privacy (PGP) may use a combination of IDEA and RSA or Diffie-Hellman, while Secure Sockets Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths should be at least 128 bits. Asymmetric cryptosystem keys should be of a length that yields equivalent strength. McNeese State University’s key length requirements will be reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the CITO. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
- Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
- Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
- Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).
Fri Dec 20, 2013