Encryption at RIT

Several RIT Security Standards refer to ISO-approved encryption. ISO-approved encryption is divided into two categories: Preferred and Acceptable. Preferred encryption methods were chosen based on standard industry usage and their ability to support RIT business processes. RIT's current product is McAfee FDE.

Preferred Encryption

Network Connections (including web browsers)
  Encryption Algorithms: Currently only SSL 3.0 and TLS 1.0 are supported at 128-bit and above.
  RIT Security Standard: Web, Network

Laptop/Desktop Encryption
  Encryption Algorithms: AES 256-bit is recommended, although AES 128-bit or higher is adequate. 3DES has also been approved.
  RIT Security Standard: Desktop and Portable Computer
  Comments: Centrally-managed whole disk encryption is required to meet the 2009 Desktop and Portable Computer standard.

Server
  Encryption Algorithms: AES is recommended only at 256-bit. RC4 is currently supported until June 2009.
  RIT Security Standard: Server

Portable Media
  Encryption Algorithms: AES 128-bit and above; 256-bit is recommended. 3DES and Twofish are adequate.
  RIT Security Standard: Portable Media

Public/Private Key Encryption and Signing
  Encryption Algorithms: PGP 2048-bit or greater and RSA 1024-bit or greater.

Cryptographic Hashes/Checksums
  Encryption Algorithms: SHA-2, RIPEMD-320, and the Tiger hash are all adequate for hash comparison.
  Comments: SHA-1 and RIPEMD-128 and RIPEMD-160 are considered strong algorithms, but there is reason to suspect that they may be susceptible to collisions (hash duplications), and their use is not recommended in situations where collision resistance is required. In such cases, SHA-2 or RIPEMD-320 is recommended.

Acceptable Encryption

Use of non-preferred encryption methods is discouraged. However, we recognize that there may be times when business or other requirements are better served by an alternative algorithm. In those cases, developers should reference the Educause Encryption Strength Support Matrix. (This matrix and its accompanying explanatory text were developed by Jim Moore, RIT Information Security Office.) Algorithms with a strength rating of High are acceptable for use at RIT. Use of algorithms with a strength rating of Low or Medium is not permitted.

Encryption Strength

Encryption strength is a relative concept. Both the algorithm used and the length of the key used to encrypt data determine the strength of encryption. Encryption services also perform various cryptographic functions beyond data encryption.

Key Management Requirements

Security of the key management process for encryption keys is especially important. Security of encrypted content (ciphertext) may be compared to a physical lock and key. The algorithm provides the lock. The encryption key unlocks the ciphertext. If the key is weak or compromised, the encryption can be broken. Key revocation provides a means to disallow or change a compromised key and "re-key" the lock.

Many encryption algorithms have the potential to lock access to data permanently if the key is lost. Key escrow provides a "copy" of the key to enable access to the data.

Centralized encryption/key management ensures that data will remain both encrypted and accessible. Non-centralized or individual encryption without key escrow may make encrypted RIT information inaccessible if the key is lost. Use of non-centralized or individual encryption of RIT information assets is allowed only through a granted exception and requires an ISO-reviewed key escrow and revocation process.
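The escrow and re-keying described above, as an added illustration that is not RIT's code or the McAfee FDE product: the content is encrypted under a random data key, and that data key is wrapped once for the user and once for a central escrow key, so a lost user key does not lock the data and a compromised one is revoked by re-wrapping, without re-encrypting the content. It assumes an HMAC-SHA256 counter-mode cipher from the standard library as a stand-in for the AES-256 the table prefers; a real deployment would use AES-GCM from a vetted library.

```python
import hashlib, hmac, secrets

def _subkeys(key: bytes):
    # Domain-separate one master key into an encryption key and a MAC key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _ctr_xor(ek: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream: a stdlib stand-in (assumed here)
    # for AES-256. The same function both encrypts and decrypts.
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _ctr_xor(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong (or revoked) key is rejected, never silently decrypted."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _ctr_xor(ek, nonce, ct)

class EscrowedFile:
    """Content under a random data key (DEK); the DEK is wrapped for the user
    and again for the central escrow key (the escrow "copy" of the key)."""
    def __init__(self, plaintext: bytes, user_key: bytes, escrow_key: bytes):
        dek = secrets.token_bytes(32)
        self.body = seal(dek, plaintext)
        self.wrapped = {"user": seal(user_key, dek), "escrow": seal(escrow_key, dek)}

    def decrypt(self, holder: str, key: bytes) -> bytes:
        # Either the user or the escrow holder recovers the DEK, then the content.
        return unseal(unseal(key, self.wrapped[holder]), self.body)

    def revoke_user(self, escrow_key: bytes, new_user_key: bytes) -> None:
        # Re-key the lock: recover the DEK via escrow and re-wrap it for the new
        # user key. The content is untouched; the old user key opens nothing.
        dek = unseal(escrow_key, self.wrapped["escrow"])
        self.wrapped["user"] = seal(new_user_key, dek)
```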

Keeping Safe: Guidelines and Best Practices

Not sure how to keep yourself, your information, and your devices safe? Click on the headings below for best practices, resources, and more; also be sure to check out our blog for more specific content, answers to your information security questions, and best practices guides!

Subject Area

Comments

Securing your Computer

Free downloads and instructions to support the Desktop and Portable Computer Standard.

Mobile Devices

Learn how to safely use mobile devices when dealing with Private Information or everyday use.

Phishing

Learn how to recognize these common online scams.

Safe Blogging and Social Networking

Is a potential employer reading? Learn how much information is too much and how to protect yourself on social networking sites.

Wireless Networking

Learn about wireless networking at RIT, at home, and on public networks; and the potential dangers you face.

Web Browsing Safely

Learn about the different web browsers available, add-ons that can improve security, and how to browse using limited account privileges.

Identity Theft

Did you know that people aged 18-29 are five times more likely to be victims of identity theft than those 60 or older?

Instant Messaging

Tips on how to avoid malware and scams through instant messaging.

Safe Online Shopping and Banking

How to use these popular online services securely.

Digital Copyright

Are you aware that the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) file copyright violation claims and have sued students at RIT? Visit the ITS Digital Copyright page to learn more about copyright violations at RIT and how they are handled.

Browser Security Configuration

Outlines how to configure various security settings for common browsers.

Cloud Computing

Information on secure cloud service use.

 

Desktop and Portable Computer Security Standard

To protect the RIT community and the Institute network from computer-borne threats, RIT has created minimum security requirements for desktop and laptop computers.

What does it apply to?

  • All RIT-owned or leased computers.
  • Any computer (physical or virtual) connecting to the RIT network through a physical, wireless, dial-up, or VPN connection.

The standard is not required for:

The following devices should employ these controls to the extent possible commensurate with the risk of the information that is accessed or stored on them.  

  • Computers used only to access RIT web pages, Webmail, etc. from off campus. (RIT strongly recommends that users follow the requirements of the standard on all computers.)
  • Mobile devices (tablets, cell phones), pagers, PDAs, copiers and other special purpose devices that connect to the Institute network solely through Web, portal, or application access.
     

Storage of Private information is prohibited on these devices. 

What do I need to do?

 
