2.3 Encryption and Decryption Policy

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

Introduction to IT Security Policy

Course

Time

2 hours 23 minutes

Difficulty

Beginner

Video Transcription

00:02

Hello and welcome to I t. Security Policy Training on sire Eri. This is part of macho to the encryption and decryption policy with myself. Troy Lemaire

00:12

Learning objective for this policy would be to define algorithm requirements,

00:17

ash function requirements,

00:19

agreement and authentication requirements

00:22

and key generation requirements.

00:26

Now, if we look into the actual body of the policy and what it entails, we're gonna use another Sands template, this templates called except the encryption policy that covers everything you need for encryption and decryption.

00:39

So I'm looking at the purpose. It's provide guidance that limits the use of encryption of those algorithms that received substantial public review and have been proven to work effectively.

00:48

Now, whenever you're talking about encryption algorithms, these things change over time, stronger policies or stronger algorithms will come out.

00:57

And then, of course, weaker algorithms will get cracked and are no longer acceptable to use inside of an encryption policy.

01:07

Scope of this policy applies to all employees and affiliates.

01:11

We look at the body of it. The policy algorithm requirements

01:15

talks about the use in meeting or exceeding

01:19

as the set defined in A s compatible or partially A s compatible, according to I t f

01:25

flash I r T F cipher catalog are defined

01:27

Bye

01:29

nous, which is the National Institute of Standards and Technologies

01:34

Algorithms must meet the standards to find in for use in this publication F I. P s 1 40-2 are any so proceeding documents again. This updates their publications with the latest information in regards to algorithms.

01:51

Signature algorithms that you can use and are acceptable are listed here, and these again can be updated as you need

02:00

regards the hash function requirements. The company is gonna adhere to this policy on hash functions, which again is something that gets updated

02:07

by the NIST organization.

02:10

Your key agreements and authentication. Key exchange must use one of the following cryptographic protocols

02:17

and the ones listed here or again, items that can be updated. So you want to check with the Knicks? Policies for key agreements

02:25

in point must be authenticated product of exchange, our deprivation of session keys

02:30

and public. He's used to solace. Trust must be authenticated prior to use examples all authentication clue transmission being cryptic. Graphically sign messages are manual verification of the public key hash

02:43

all servers used for authentication such as radius or tax must have installed a valid certificate signed by known trusted provider

02:51

All service an application using S S L R T L s must have the ship get signed by known trusted provider.

02:58

Now again, SSL is something that has been outdated. U T l s has surgeons that are outdated, such as T. L s 1.1 and

03:07

things like that. So you want to make sure that you're using the latest SSL

03:12

RTL s, which again you shouldn't be using SSL at this point. But if you are, you'd want to make sure that you're using the latest version of SSL two. You can upgrade to T l s or whatever. It's gonna be the

03:22

latest technology that is available

03:25

Degeneration Cryptographic keys must be generated in store in secure manager that presents lost

03:30

deaf or compromise.

03:34

Key generation must be seated about industry standard random number, generator

03:38

and again list the example A mist

03:40

appendix here that approved random number generators

03:46

looking at policy compliance. The compliance measurement, if we'll see, is gonna verify compliance to this policy to various methods

03:53

looting but not limited to business to reports internal external audits and feedback to the policy owner.

04:00

Exceptions and exceptions can be approved by the Info SEC team, but they need to be done in advance

04:05

and then it's always not compliance.

04:08

Employees found that violated this policy may be subject to disciplinary action up to including termination of employment.

04:17

So in some rain, today's reflector recovered how to define algorithm requirements, the hash function requirements, key agreements and authentication requirements and key generation requirements.

04:28

All of the things that we listed from this policy would want to work in conjunction with your system administrators who are handling the different types of certificates and encryption, as well as any D b. A's for your databases or development team that does any type of development. They will be able to give you good input on all of these items to make sure that

04:46

you have the right information inside your policy

04:49

that matches up with what you're actually doing in the organization.

04:56

So as a recap question, What are two organizations where you can find ciphers that defined that you need to meet or exceed

05:02

and that is the i e t f slash I or TF cipher catalog

05:08

or the NIST encryption publications

05:13

and cryptographic keys must be generating stored in a secure manner to present prevent what three things from a curry