Encryption Policy
1. Purpose
This policy provides guidance so that encryption efforts use only algorithms that have received substantial public review and have proven to work effectively. It also provides direction to ensure that U.S. federal export regulations are followed regarding the dissemination and use of encryption technologies outside of the United States.
2. Scope
This policy applies to all YOUR COMPANY employees and affiliates.
3. Policy
Use proven, publicly reviewed standard algorithms such as AES, RSA, and Diffie-Hellman as the basis for encryption technologies; Blowfish, IDEA, and RC5 have also withstood public review and remain acceptable, but AES should be preferred for new deployments. DES must not be used: its 56-bit key can be recovered by brute force, so it no longer meets the "proven to work effectively" standard of this policy. These algorithms represent the actual cipher used by an approved application. For example, Network Associates' Pretty Good Privacy (PGP) encrypts the message body with a symmetric cipher such as IDEA and protects the message key with RSA or Diffie-Hellman, while Secure Sockets Layer (SSL) uses RSA (or Diffie-Hellman) to establish a session key and then a symmetric cipher to encrypt the session itself. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength (for 128-bit symmetric strength, at least 3072-bit RSA or Diffie-Hellman moduli or 256-bit elliptic-curve keys, per NIST SP 800-57). YOUR COMPANY's key length requirements will be reviewed annually and upgraded as technology allows.
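The following is an added example, not part of the policy text, showing how a practitioner can check a configured cipher list against the key-length and algorithm rules above. It audits records in the shape returned by Python's `ssl.SSLContext.get_ciphers()` (the `name` and `alg_bits` fields), rejects ciphers the policy treats as no longer proven (DES, RC4, RC2, NULL and export suites are an assumed list for this example), and maps a symmetric key length to the RSA/Diffie-Hellman and elliptic-curve sizes of equivalent strength using the NIST SP 800-57 Part 1 table. The 128-bit minimum and the sample cipher records are assumptions constructed for the example.

```python
"""Audit cipher suites against a symmetric key-length minimum and derive the
asymmetric key sizes of equivalent strength. Added example; not the policy's
own tooling. The banned-cipher list and the sample records are constructed."""
import re
import ssl

MIN_SYMMETRIC_BITS = 128  # assumed policy minimum for this example

# Ciphers treated as broken or deprecated (assumed list). OpenSSL names 3DES
# "DES-CBC3-...", so matching the "DES" token covers both DES and 3DES.
BANNED_PATTERN = re.compile(r"(^|-)(DES|RC4|RC2|NULL|EXP|EXPORT)(-|$)")

# NIST SP 800-57 Part 1, Table 2: security strength -> comparable key sizes.
EQUIVALENT_STRENGTH = {
    80:  {"rsa_dh_modulus": 1024,  "ecc": 160},
    112: {"rsa_dh_modulus": 2048,  "ecc": 224},
    128: {"rsa_dh_modulus": 3072,  "ecc": 256},
    192: {"rsa_dh_modulus": 7680,  "ecc": 384},
    256: {"rsa_dh_modulus": 15360, "ecc": 512},
}


def equivalent_asymmetric_sizes(symmetric_bits):
    """Return the smallest tabulated strength level >= symmetric_bits together
    with the RSA/DH modulus size and ECC key size that provide it."""
    for level in sorted(EQUIVALENT_STRENGTH):
        if level >= symmetric_bits:
            return dict(EQUIVALENT_STRENGTH[level], strength=level)
    raise ValueError(f"no tabulated equivalent for {symmetric_bits}-bit strength")


def audit_cipher_suites(ciphers, min_bits=MIN_SYMMETRIC_BITS):
    """Split cipher records into (compliant names, [(name, reason)] rejected).

    A banned algorithm is rejected regardless of its nominal key size; everything
    else is rejected only if its symmetric key length is below min_bits."""
    compliant, rejected = [], []
    for cipher in ciphers:
        name, bits = cipher["name"], cipher.get("alg_bits", 0)
        if BANNED_PATTERN.search(name):
            rejected.append((name, "deprecated or broken cipher"))
        elif bits < min_bits:
            rejected.append((name, f"{bits}-bit key below {min_bits}-bit minimum"))
        else:
            compliant.append(name)
    return compliant, rejected


def audit_local_stack(min_bits=MIN_SYMMETRIC_BITS):
    """Audit the cipher suites the local OpenSSL default context would offer."""
    return audit_cipher_suites(ssl.create_default_context().get_ciphers(), min_bits)


# Constructed sample records in the shape of get_ciphers() output.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "alg_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "alg_bits": 128},
    {"name": "IDEA-CBC-SHA", "alg_bits": 128},
    {"name": "DES-CBC3-SHA", "alg_bits": 168},
    {"name": "RC4-SHA", "alg_bits": 128},
    {"name": "DES-CBC-SHA", "alg_bits": 56},
    {"name": "EXP-RC2-CBC-MD5", "alg_bits": 40},
]

if __name__ == "__main__":
    ok, bad = audit_cipher_suites(SAMPLE_CIPHERS)
    print("compliant:", ok)
    for name, reason in bad:
        print(f"rejected {name}: {reason}")
    print("128-bit equivalent:", equivalent_asymmetric_sizes(MIN_SYMMETRIC_BITS))
    print("local stack:", audit_local_stack())
```

Note that 3DES is rejected even though OpenSSL reports it as 168-bit: the nominal key length overstates its effective strength, which is why the banned-list check runs before the key-length comparison.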
Using proprietary encryption algorithms is not allowed for any purpose, unless they have been reviewed by qualified experts outside of the vendor in question and approved by YOUR COMPANY. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should determine the encryption laws that apply in their own jurisdictions.
4. Enforcement
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
5. Definitions
Proprietary Encryption - An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem - A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem - A method of encryption that uses two different keys: one for encrypting and one for decrypting the data (e.g., public-key encryption).