Minimum Encryption Requirements
In any situation where the University requires that encryption or a cryptographic hash be employed, the following minimum standards apply:
- industry-standard encryption mechanisms that have not been shown to be vulnerable “in the real world” for a given purpose. For example, MD5 hashes can be compromised on a desktop at a rate of hundreds per second and are completely deprecated.
- implemented through widely used and tested libraries.
- utilizing at least 128 bits of complexity for symmetric encryption.
- utilizing at least 2048 bits for asymmetric key-based encryption.
Elevated Requirements
In certain cases, due to legal or regulatory requirements or based on risk assessments, IT Services may require that specific encryption algorithms be employed or excluded, depending upon the particular IT resource being protected.
Exceptions for Export Controlled Uses
If the intended use is in scope for government-mandated export controls, the applicable regulations may supersede this statement. Refer to export control procedures for additional guidance regarding the applicability of export controls.
Policy Implementation
Since previous versions of this policy allowed the use of 1024-bit keys for asymmetric encryption, systems currently using 1024-bit keys may continue to operate with existing keys until such time as the keys need to be refreshed or re-implemented. At that time, system owners or administrators should implement 2048-bit keys. However, in no case should 1024-bit keys be employed after January 1, 2015.
Examples
The following are a few examples of how encryption can be used to meet the University requirements. This is not an exhaustive list, as there are many acceptable ways to meet the encryption requirements.
- SSH version 2 (version 1 does not meet the requirements as there are demonstrated vulnerabilities in the protocol) for communication between two machines across a network.
- the University of Chicago Virtual Private Network (VPN) for working with data on University servers while at home or traveling.
- SSL certificates, using a key of a minimum of 2048 bits, to encrypt data being transmitted to websites.