Sunday, June 22, 2014

RYSS–Acceptable Encryption Policy 2009

 

Acceptable Encryption Policy

Revised: 06/30/2009

1. Purpose.

The purpose of this policy is to limit the use of Encryption by Authorized Users to methods that receive substantial public review and work effectively. Additionally, this policy provides direction to ensure compliance with Federal regulations, and to ensure legal authority is granted for the dissemination and use of Encryption technologies outside of the United States.

2. Scope.

This policy applies to all Authorized Users including TCCC-RYSS employees and affiliates.

3. Policy.

Proven, standard Encryption methods (e.g. DES, Blowfish, RSA, RC5, IDEA) must be used as the basis for Encryption technologies. These methods represent the actual Cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) technology uses the IDEA method in combination with RSA or Diffie-Hellman methods, while Secure Sockets Layer (SSL) technology uses RSA Encryption. Symmetric Cryptosystem key lengths must be at least 128 bits. Asymmetric Cryptosystem keys must be of a length that yields equivalent strength. Park TCCC-RYSS’s key length requirements are reviewed annually and upgraded as technology allows.

Authorized Users may not use Proprietary Encryption Algorithms for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Information Security personnel. Be aware that the export of Encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States need to be aware of the Encryption technology laws of the country in which they reside.

4. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.