Encryption Standard
About
The following is a list of standards for encryption technology. These standards are intended to supplement the official Network Encryption Policy 5.25.
Protocols and Ciphers
Solutions using any of the following algorithms, ciphers, or protocols are specifically not sufficient to satisfy the terms of Emory's Network Encryption Policy 5.25. The following list is intentionally not comprehensive. Technologies not listed are still insufficient if they are obsolete, deprecated, or proprietary.
- SSLv2
- SSLv3
- TLSv1.0
- TLSv1.1
- RC4
- DES
- 3DES
- MD5
- "Export" ciphers
- NULL ciphers
- Anonymous ciphers
Solutions that must interoperate with older devices may use a small number of specific technologies that would otherwise be unacceptable. For that purpose only, the following protocols may be considered acceptable; TLSv1.2 or later should still be enabled and preferred, so that only clients unable to negotiate a newer version fall back to them:
- TLSv1.0
- TLSv1.1
OIT Security maintains a document with recommended configurations for specific web servers that may be helpful in meeting these standards.
Key Sizes
For the following encryption algorithms, services must use cryptographic keys of at least the specified size.
- Symmetric encryption algorithms (e.g. AES): 128 bits or higher
- Asymmetric encryption algorithms (e.g. RSA): 2048 bits or higher
- Encryption algorithms based on elliptic curves (e.g. ECDSA, ECDH): 256 bits or higher
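The Protocols and Ciphers list and the Key Sizes list above are easiest to apply when they are expressed as a configuration that can be audited. The following is an added example written for this page, not OIT Security's recommended-configuration document and not Emory code. It uses Python's standard `ssl` module (OpenSSL underneath) to build a context that negotiates only what the standard allows, to audit an existing context or list of cipher names against the banned items, to check key sizes against the Key Sizes minimums, and to probe a live server. The function names, the OpenSSL cipher string, and the substring rules used to recognise banned cipher names are this example's own choices; the sample cipher names fed to the audit are constructed.

```python
import socket
import ssl
import sys

# OpenSSL cipher string implementing the "Protocols and Ciphers" list.
# HIGH already drops export, DES and RC4 grades; the explicit exclusions
# make the policy visible in the config. eNULL = NULL ciphers,
# aNULL = anonymous (ADH/AECDH) ciphers. (Example's own choice of string.)
POLICY_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"

# Minimum key sizes from the "Key Sizes" section, by algorithm family.
MIN_KEY_BITS = {"AES": 128, "RSA": 2048, "EC": 256}

# Substrings of OpenSSL cipher names that identify a forbidden cipher.
# "DES" also matches DES-CBC3-* (3DES); EXP-/ADH-/AECDH- are the export
# and anonymous suites. Order only decides which reason is reported.
BANNED_NAME_FRAGMENTS = (
    ("RC4", "RC4"),
    ("DES", "DES or 3DES"),
    ("MD5", "MD5 MAC"),
    ("NULL", "NULL cipher"),
    ("EXP-", "export cipher"),
    ("ADH-", "anonymous cipher"),
    ("AECDH-", "anonymous cipher"),
)


def audit_cipher_names(names):
    """Return [(cipher_name, reason)] for every cipher the standard forbids."""
    findings = []
    for name in names:
        for fragment, reason in BANNED_NAME_FRAGMENTS:
            if fragment in name:
                findings.append((name, reason))
                break
    return findings


def key_size_ok(family, bits):
    """True if a key of `bits` meets the minimum for its family (AES/RSA/EC)."""
    return bits >= MIN_KEY_BITS[family.upper()]


def policy_context(legacy_clients=False, server_side=True):
    """Build an SSLContext that only negotiates what the standard allows.

    legacy_clients=True applies the compatibility exception: TLSv1.0 and
    TLSv1.1 become negotiable, but SSLv2/SSLv3 and the banned ciphers stay off.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = (ssl.TLSVersion.TLSv1 if legacy_clients
                           else ssl.TLSVersion.TLSv1_2)
    ctx.set_ciphers(POLICY_CIPHER_STRING)
    return ctx


def audit_context(ctx, legacy_clients=False):
    """Check an existing SSLContext (e.g. one built elsewhere) against the standard."""
    floor = ssl.TLSVersion.TLSv1 if legacy_clients else ssl.TLSVersion.TLSv1_2
    findings = []
    if ctx.minimum_version < floor:
        findings.append(("minimum_version",
                         f"{ctx.minimum_version.name} is below {floor.name}"))
    findings.extend(audit_cipher_names(c["name"] for c in ctx.get_ciphers()))
    return findings


def probe_server(host, port=443):
    """Connect with the strict client profile and report what was negotiated.

    A server that can only speak TLSv1.0/1.1 or a banned cipher fails the
    handshake; that failure is the finding. (Network call; not run on import.)
    """
    ctx = policy_context(server_side=False)
    ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()
                return {"ok": True, "protocol": tls.version(),
                        "cipher": name, "cipher_bits": bits}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Usage: python tls_policy.py www.example.edu
    print(probe_server(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

`probe_server` only reports the one cipher and version the server chose for this client; it does not enumerate everything the server would accept. For a full picture, run the same check with `policy_context(legacy_clients=True, server_side=False)` against services that claim the compatibility exception, and remember that OpenSSL's security level may refuse TLSv1.0/1.1 at handshake time even where the context permits them.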
Digital Certificates
Only the following Certificate Authorities are approved to provide digital certificates for Emory sites and services.
- InCommon / Comodo
- DigiCert (Emory Healthcare only)
- AWS Certificate Manager (AWS-hosted sites and services only)