Longwood University 
   Chief Information, Technology, and Facilities Officer:
    Information and Instructional Technology Services
  201 High Street, Coyner 107, Farmville, VA  23909
   Phone: 434.395.2034         Fax: 434.395.2035

 Policy 6103
ACCEPTABLE ENCRYPTION POLICY

I.    PURPOSE

The purpose of this policy is to provide guidance that specifies when encryption can be used and limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.  Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

II.   DEFINITIONS

Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.

Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

One-way Hash Function: An algorithm that does not require a key and produces an irreversibly encrypted cipher-text. Other names for this are message digest, fingerprint, digital signature, and compression function.

III.   POLICY

University faculty and staff are authorized to encrypt files, documents, and message data for protection against unauthorized disclosure while in storage or in transit. Web-enabled transactions that involve the transfer of sensitive data or the transfer of funds must use encryption. However, any encryption performed on University systems must meet the minimum encryption standards, and such encryption must permit properly designated University officials, when required and authorized (see Acceptable Use of Technology Resources and Systems Policy #6104, Section III., D., "Responsibility to Investigate Possible Misuse"), to obtain and use the encryption key(s) to decrypt the information.

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Sockets Layer (SSL) uses RSA encryption.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Information Security Office.  Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

 

Approved by the Board of Visitors, March 20, 2004.

Revised, April 1, 2005.
