{"id":13006,"date":"2021-04-06T10:03:23","date_gmt":"2021-04-06T15:03:23","guid":{"rendered":"https:\/\/www.mcneese.edu\/policy\/?post_type=ie_policy&#038;p=13006"},"modified":"2022-10-17T10:04:00","modified_gmt":"2022-10-17T15:04:00","slug":"acceptable-encryption-policy","status":"publish","type":"ie_policy","link":"https:\/\/www.mcneese.edu\/policy\/acceptable-encryption-policy\/","title":{"rendered":"Acceptable Encryption Policy"},"content":{"rendered":"\n<h2 class=\"display-3 wp-block-heading\">Purpose&nbsp;<\/h2>\n\n\n\n<p>The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that federal regulations are followed and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.&nbsp;<\/p>\n\n\n\n<h2 class=\"display-3 wp-block-heading\">Scope&nbsp;<\/h2>\n\n\n\n<p>This policy applies to all McNeese State University employees and affiliates.&nbsp;<\/p>\n\n\n\n<h2 class=\"display-3 wp-block-heading\">Policy&nbsp;<\/h2>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Algorithm Requirements&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Ciphers in use must meet or exceed the set defined as \u201cAES-compatible\u201d or \u201cpartially AES-compatible\u201d according to the <a rel=\"noreferrer noopener\" href=\"http:\/\/tools.ietf.org\/html\/draft-irtf-cfrg-cipher-catalog-01#section-3.1\" target=\"_blank\">IETF\/IRTF Cipher Catalog<\/a>, or the set defined for use in the United States <a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/fips\/140\/2\/final\" target=\"_blank\">National Institute of Standards and Technology (NIST) publication FIPS 140-2<\/a>, or any superseding documents according to the date of implementation. 
The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.&nbsp;<\/li><li>Algorithms in use must meet the standards defined for use in NIST publication <a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/fips\/140\/2\/final\" target=\"_blank\">FIPS 140-2<\/a> or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.<\/li><li>Signature algorithms must meet the following minimums:&nbsp;<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Algorithm<\/strong>&nbsp;<\/td><td><strong>Minimum Key Length \/ Curve<\/strong>&nbsp;<\/td><td><strong>Additional Comment<\/strong>&nbsp;<\/td><\/tr><tr><td>ECDSA&nbsp;<\/td><td>P-256&nbsp;<\/td><td>Consider <a href=\"https:\/\/tools.ietf.org\/html\/rfc6090\" target=\"_blank\" rel=\"noreferrer noopener\">RFC 6090<\/a> to avoid patent infringement.&nbsp;<\/td><\/tr><tr><td>RSA&nbsp;<\/td><td>2048&nbsp;<\/td><td>Must use a secure signature padding scheme as defined in PKCS#1 (<a href=\"https:\/\/tools.ietf.org\/html\/rfc8017\" target=\"_blank\" rel=\"noreferrer noopener\">RFC 8017<\/a>): RSASSA-PSS is recommended and RSASSA-PKCS1-v1_5 is acceptable. Note that the <a href=\"http:\/\/tools.ietf.org\/html\/rfc3852#section-6.3\" target=\"_blank\" rel=\"noreferrer noopener\">PKCS#7 padding scheme<\/a> pads block-cipher content and is not an RSA signature padding scheme. 
The message must be hashed with an approved hash function before signing.&nbsp;<\/td><\/tr><tr><td>LDWM&nbsp;<\/td><td>SHA-256&nbsp;<\/td><td>Refer to the <a href=\"http:\/\/tools.ietf.org\/html\/draft-mcgrew-hash-sigs-00\" target=\"_blank\" rel=\"noreferrer noopener\">LDWM Hash-based Signatures Draft<\/a>, since published as RFC 8554 (Leighton-Micali Hash-Based Signatures).&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Hash Function Requirements&nbsp;<\/h3>\n\n\n\n<p>In general, McNeese State University adheres to the <a href=\"http:\/\/csrc.nist.gov\/groups\/ST\/hash\/policy.html\" target=\"_blank\" rel=\"noreferrer noopener\">NIST Policy on Hash Functions<\/a>. In particular, SHA-1 must not be used for digital signature generation or any other application that requires collision resistance; SHA-2 (SHA-256 or stronger) or SHA-3 must be used.&nbsp;<\/p>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Key Agreement and Authentication&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman (DH), Internet Key Exchange (IKE), or Elliptic Curve Diffie-Hellman (ECDH).<\/li><li>Endpoints must be authenticated prior to the exchange or derivation of session keys.<\/li><li>Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via a cryptographically signed message or manual, out-of-band verification of the public key hash (fingerprint).<\/li><li>All servers used for authentication (for example, RADIUS or TACACS) must have a valid certificate installed that is signed by a known, trusted provider.<\/li><li>All servers and applications using SSL or TLS must have their certificates signed by a known, trusted provider. SSL is deprecated (RFC 7568); TLS 1.2 or later should be used.&nbsp;<\/li><\/ul>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Key Generation&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.<\/li><li>Key generation must be seeded from an approved, cryptographically secure random number generator (RNG). 
For examples, see <a rel=\"noreferrer noopener\" href=\"http:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/fips1402annexc.pdf\" target=\"_blank\">NIST Annex C: Approved Random Number Generators for FIPS PUB 140-2<\/a>.&nbsp;<\/li><\/ul>\n\n\n\n<h2 class=\"display-3 wp-block-heading\">Policy Compliance&nbsp;<\/h2>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Compliance Measurement&nbsp;<\/h3>\n\n\n\n<p>The Office of Information Technology will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.&nbsp;<\/p>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Exceptions&nbsp;<\/h3>\n\n\n\n<p>Any exception to the policy must be approved by the Office of Information Technology in advance.&nbsp;<\/p>\n\n\n\n<h3 class=\"display-4 heavy wp-block-heading\">Non-Compliance&nbsp;<\/h3>\n\n\n\n<p>An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.&nbsp;<\/p>\n\n\n\n<h2 class=\"display-3 wp-block-heading\">Communication&nbsp;<\/h2>\n\n\n\n<p>This policy is distributed via Senior Staff and the University Policies 
webpage.<\/p>\n","protected":false},"parent":0,"template":"","policy_types":[19],"class_list":["post-13006","ie_policy","type-ie_policy","status-publish","hentry","policy_types-institutional"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/ie_policy\/13006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/ie_policy"}],"about":[{"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/types\/ie_policy"}],"version-history":[{"count":20,"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/ie_policy\/13006\/revisions"}],"predecessor-version":[{"id":14428,"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/ie_policy\/13006\/revisions\/14428"}],"wp:attachment":[{"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/media?parent=13006"}],"wp:term":[{"taxonomy":"policy_types","embeddable":true,"href":"https:\/\/www.mcneese.edu\/policy\/wp-json\/wp\/v2\/policy_types?post=13006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}