
Acceptable Encryption Policy

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

This policy applies to all <Company Name> employees and affiliates.

Algorithm Requirements

Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.

Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

Signature Algorithms

Algorithm   Key Length (min)   Additional Comment
ECDSA       P-256              Consider RFC6090 to avoid patent infringement.
RSA         2048               Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM        SHA256             Refer to LDWM Hash-based Signatures Draft

In general, <Company Name> adheres to the NIST Policy on Hash Functions.
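As an added illustration of how the minimums in the Signature Algorithms table can be checked in practice (example code added here, not part of the policy and not a Precision Computer or <Company Name> tool), the following Python script parses OpenSSH public key lines in the RFC 4251/4253 blob format, reads the RSA modulus size or the ECDSA curve from the blob, and reports anything below the table's minimums. The mapping of OpenSSH curve names to bit sizes, the treatment of P-384 and P-521 as exceeding the P-256 minimum, the reporting of unlisted key types as violations, and the sample key lines are all assumptions of this example; the sample keys are constructed to be format-correct and are not real key pairs.

```python
import base64
import struct

# Minimums taken from the Signature Algorithms table. The curve-name mapping
# and the "larger NIST curve satisfies the P-256 minimum" rule are assumptions
# of this example, not text from the policy.
RSA_MIN_BITS = 2048
ECDSA_MIN_CURVE_BITS = 256
CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def ssh_string(data):
    """Encode an RFC 4251 'string': 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """Encode a non-negative integer as an RFC 4251 'mpint'."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the two's-complement value positive
    return ssh_string(raw)


def read_string(blob, offset):
    """Decode one RFC 4251 'string' at offset; return (bytes, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_ssh_public_key(line):
    """Return (key_type, strength_bits) for one OpenSSH public key line.

    strength_bits is the RSA modulus size or the ECDSA curve size, and None
    for key types the policy table does not cover.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1])
    blob_type, off = read_string(blob, 0)
    if blob_type != key_type.encode():
        raise ValueError("key type in text does not match key blob")
    if key_type == "ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, _ = read_string(blob, off)
        return key_type, int.from_bytes(modulus, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-"):
        curve, _ = read_string(blob, off)
        curve = curve.decode()
        if curve not in CURVE_BITS:
            raise ValueError(f"unrecognised curve {curve!r}")
        return key_type, CURVE_BITS[curve]
    return key_type, None


def check_key(line):
    """Return the list of policy violations for one key line (empty = compliant)."""
    key_type, bits = parse_ssh_public_key(line)
    if key_type == "ssh-rsa":
        if bits < RSA_MIN_BITS:
            return [f"RSA key is {bits} bits; policy minimum is {RSA_MIN_BITS}"]
        return []
    if key_type.startswith("ecdsa-sha2-"):
        if bits < ECDSA_MIN_CURVE_BITS:
            return [f"ECDSA curve is {bits} bits; policy minimum is P-256"]
        return []
    return [f"{key_type} is not an algorithm listed in the Signature Algorithms table"]


def make_key_line(key_type, *fields):
    """Build a constructed, format-correct key line; the values are NOT real keys."""
    blob = ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


def make_rsa_key_line(bits):
    """Constructed RSA line whose modulus has exactly `bits` bits (not a real key)."""
    return make_key_line("ssh-rsa", ssh_mpint(65537), ssh_mpint((1 << (bits - 1)) | 1))


def make_ecdsa_key_line(curve):
    """Constructed ECDSA line with a placeholder uncompressed point (not a real key)."""
    coord_len = (CURVE_BITS[curve] + 7) // 8
    return make_key_line(f"ecdsa-sha2-{curve}", ssh_string(curve.encode()),
                         ssh_string(b"\x04" + b"\x00" * (2 * coord_len)))


# Constructed sample input: what an authorized_keys audit might feed in.
SAMPLE_KEYS = [
    make_rsa_key_line(2048),
    make_rsa_key_line(1024),
    make_ecdsa_key_line("nistp256"),
    make_key_line("ssh-ed25519", ssh_string(b"\x00" * 32)),
]


def audit(lines):
    """Return [(key_type, violations)] for each key line."""
    return [(line.split()[0], check_key(line)) for line in lines]


if __name__ == "__main__":
    for key_type, violations in audit(SAMPLE_KEYS):
        print(key_type, "OK" if not violations else "; ".join(violations))
```

Run against a real authorized_keys or known_hosts file, each non-empty line is passed to check_key; the parser reads the key blob rather than trusting the text prefix, so a line whose prefix and blob disagree is rejected instead of being scored.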


Compliance Measurement

The Precision Computer team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the Precision Computer team in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

National Institute of Standards and Technology (NIST) publication FIPS 140-2

NIST Policy on Hash Functions

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

Proprietary Encryption