Encryption policy

Encryption offers a means of protecting data in transit or stored on devices, but organizations must follow proven methods and adhere to current standards for it to be effective. This policy outlines tested and recommended encryption technologies to help secure your corporate data.

From the policy:

Ciphers that are proven, standard, highly tested, and free of patent encumbrances must be used as the basis for encrypting devices and communications. They must meet the requirements delineated in the National Institute of Standards and Technology (NIST) publication FIPS 140-2. While AES is highly recommended, the AES-compatible ciphers ARIA, CAST-256, Camellia, Serpent, and Twofish are also acceptable for use. The use of proprietary ciphers is not allowed for any purpose.

Hash function requirements

SHA-3 should be preferred for any application that uses secure hash algorithms.

SHA-2 may be used for any application that uses secure hash algorithms. Refer to NIST SP 800-57 Part 1 Rev. 4, section 5.6, “Guidance for Cryptographic Algorithm and Key-Size Selection,” and NIST SP 800-131A Rev. 1 for specific technical guidance on the use of SHA-2.

SHA-1 should be considered insecure. It should not be used for generating digital signatures, timestamps, or other applications that require resistance to collision. Refer to NIST SP 800-131A Rev. 1 for specific technical guidance on the legacy use of SHA-1.

Key agreement and authentication

Key exchange must use one of the following protocols: Diffie-Hellman (including ECDH), or Internet Key Exchange (IKE), version 2.

Public keys used to establish trust must be verified (either manually or through a cryptographically signed message) prior to use.

Any server used for authentication must have a valid certificate signed by a trusted provider. All applications or servers using SSL or TLS must have a valid certificate signed by a trusted provider. Use of ephemeral keys is not adequate for this purpose.

Resource Details

Provided by: TechRepublic Premium
Published: January 7, 2018
Topic: TechRepublic Premium
Format: PDF