...
Version 2.0 (review in progress): October 2015
Encryption 101: Getting Started
...
Encryption Strength Support Matrix
C = Encrypt/Decrypt
S = Sign (digital signature)
H = Cryptographic Hash
D = Message Digest
Figure 1
Algorithm | Algorithm Type | Algorithm Use | Strength |
Weak | Medium | Strong | |||
AES (Rijndael) | Symmetric Key - Block Cipher | C |
X | ||
RC6 | Symmetric Key - Block Cipher | C |
X | ||
Twofish | Symmetric Key - Block Cipher | C |
X | ||
MARS-(128-1248) | Symmetric Key - Block Cipher | C |
X | ||
Serpent | Symmetric Key - Block Cipher | C |
X | |||
3DES | Symmetric Key - Block Cipher | C |
X | ||
SEAL | Symmetric Key - Stream Cipher | C |
X | ||
RC5 | Symmetric Key - Block Cipher | C |
X* | ||
IDEA | Symmetric Key - Block Cipher | C |
X | |||||
Blowfish | Symmetric Key - Block Cipher | C | 32 bit | 256 bit | 448 bit |
Helix | Symmetric Key - Stream Cipher | C and Authentication | TBD |
Phelix | Symmetric Key - Stream Cipher | C and Authentication | TBD |
CAST | Symmetric Key - Block Cipher | C |
64-Bit | 128 and above | |||
RC4 | Symmetric Key - Stream Cipher | C | 40 bit | 128-bit |
DESX | Symmetric Key - Block Cipher | C |
X |
UNIX Crypt | Enigma | C | X |
ORYX | Symmetric Key - Stream Cipher | C | X |
DES | Symmetric Key - Block Cipher | C | X |
PGP | Public/Private Key | C |
1024 bit | 2048 bit or greater | ||
RSA | Public/Private Key | C, S |
1024 bit or greater | |||
XOR | Bitwise Operation | H | X |
SHA-2 | Cryptographic Hash | H, D |
X | ||
SHA-1 | Cryptographic Hash | H, D |
X* | ||
MD5 | Cryptographic Hash | H, D |
X* | ||
RIPEMD - 128, 160, 256, 320 | Cryptographic Hash | H, D |
X* | |||
RIPEMD | Cryptographic Hash | H, D | X |
Tiger | Cryptographic Hash | H, D |
X | ||
Elliptic Curve Digital Signature Algorithm (ANSI X9.62) | Public/Private Key | S |
160 bit | ||
DSA | Public/Private Key | S |
| ||
Elliptic Curve | Public/Private Key | C |
TBD | |||
SSL* | Public/Private Key | C, S | 40 bit |
128 bit and above |
*RC5 is considered a strong algorithm (there are no known attacks or vulnerabilities), but there is reason to suspect that it may be vulnerable and its use is not recommended for highly sensitive information or information with an indeterminate lifespan.
*MD5, SHA-1, and RIPEMD - 128 & 160 are considered strong algorithms, but there is reason to suspect that they may be susceptible to frequency collisions (hash duplications) and their use is not recommended in situations where collision resistance is required. In such cases, SHA-2 or RIPEMD-320 is recommended.
*SSL is classified as "weak", "medium", and "strong" depending upon key length. SSL (40-bit) is "weak"; SSL (128-bit and up) is "strong".
Key Management
Just like physical security, the strongest lock is useless if the keys are left under the doormat. Security of the key management process for encryption keys is especially important. Together with the review of the encryption method, key management methods must also be reviewed in conjunction with the Information Security Office.
...
The use of encryption methods for data at rest by individuals, where there is a risk that information would not be available, should be done according to institutional policy, normally only with informed consent. If an approved service exists for key management, it is recommended that individuals utilize that means, or file an exception.
Policies
Encryption controls are increasingly mandated by legislation and/or regulations that govern university operations. Sensitive information elements should be identified, with appropriate policy in place to protect those elements. If encryption of data at rest is mandated, data recovery needs to be addressed. Enterprise encryption solutions typically include processes for key escrow and/or data recovery. If a departmental or individual encryption solution is used, management should be made aware that encryption is in use, its purpose, and should possess information on how to recover the encrypted data should the individual who holds the encryption key be unavailable. Links to institutional policies related to encryption are provided below.
- RIT Security Exception Process
- Encryption at the University of California: Overview and Recommendations
- University of Florida Guidelines for IT Workers Regarding Encryption of Stored Data
Disk Encryption
Whole Disk definition - Whole disk encryption software encrypts the entire hard drive. The master boot record is altered at authentication boot loader is placed prior to the start of the operating system. The boot loader is not encrypted. Once authenticated to the boot loader the operating system is unaware that the volume is encrypted.
...
Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker at the McIntire School of Commerce - UVA
Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
Public Key Infrastructure
...
A few institutions have created their own Public Key Infrastructure (PKI) to support large scale use of encryption. Solutions can be developed entirely in-house or as a mix of commercial and freeware solutions. The decision to build or buy is based upon the needs and goals of the institution and the resources available to provide the infrastructure. Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech
For institutions that have a Windows domain infrastructure, it is relatively inexpensive to create a basic PKI using Microsoft Certificate Server. Using this solution, you can create SSL certificates for Web servers, IPSec certificates for all machines in the domain, and S/MIME certificates for all users. However, these certificates have somewhat limited usefulness because they are only trusted within the institution. Additional planning and effort is required to make internally generated certificates trusted outside of your institution and create a flexible PKI that can persist as the underlying technology changes as described in the following sections.
...
To expand their trust hierarchy beyond higher education, some institutions outsource portions of their PKI to a globally recognized certificate authority. Starting in 2010, higher education institutions can take part in the InCommon Certificate Services to obtain certificates that are trusted outside the institution.
Bibliography
- RIT Security Exception Process
- Encryption at the University of California: Overview and Recommendations
- University of Florida Guidelines for IT Workers Regarding Encryption of Stored Data
...