Acceptable Encryption Products and Algorithms
The following encryption algorithms are acceptable for protecting Restricted Data at the University of Florida, based upon NIST SP800-131A r1.
Symmetric Block Ciphers
NIST 800-131Ar1 Chap 2, Table 1
- AES-128, AES-192, AES-256
- Three-Key Triple DES
Digital Signature Generation
800-131Ar1 Chap 3, Table 2
- DSA: |p| >= 2048 and |q| >= 224
- RSA: |n| >= 2048
- EC: |n| >= 224
Hash Functions
NIST 800-131Ar1 Chap 9, Table 9
- SHA-1 only for non-digital signature functions, such as file integrity checksums
- SHA-2 (includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
- SHA-3 (includes SHA3-224, SHA3-256, SHA3-384, and SHA3-512)
One-way functions should be used for storage of passwords. It is not appropriate to store passwords with a symmetric or block cipher or a message hash algorithm (such as MD5). PBKDF2 (NIST SP800-132) is preferred; bcrypt is acceptable.
Transport Layer Security (TLS)
Servers shall be configured to accept only approved cipher suites. All unapproved ciphers should be removed from the configuration to prevent their use. For further information, consult NIST SP 800-52r1.
The minimum acceptable version is TLS 1.1, and TLS 1.2 is highly recommended. All previous SSL and TLS versions must be removed from the configuration to prevent their use. TLS 1.0 may be enabled for specific use cases that require it (compatibility with a required but outdated browser version), but TLS 1.1 and 1.2 must be configured to be preferred over 1.0 so that capable browsers will not use TLS 1.0.
It is highly recommended that UF servers use public key certificates issued by the InCommon Certificate Authority, for which UF has a license allowing unlimited use at no additional cost.
Mandatory suites (for TLS compliance):
- TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
Recommended suites (for greater compatibility):
- TLS_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
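The following is an added example, not part of the UF policy page or any UF tool: a small Python check that compares a server's configured protocol versions and cipher-suite order against the TLS rules above (no SSL, TLS 1.0 only with a documented exception and never preferred over 1.1/1.2, mandatory suite present, no unapproved suites). The protocol labels ("TLSv1.2" etc.) and the sample configuration are constructed for the example.

```python
# Added example: check a TLS configuration against the policy's TLS rules.
APPROVED_SUITES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",           # mandatory suite
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
MANDATORY_SUITE = "TLS_RSA_WITH_AES_128_GCM_SHA256"
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}   # all SSL versions must be removed


def check_tls_config(protocols, suites, tls10_exception=False):
    """Return a list of findings; an empty list means the config is compliant.
    protocols: enabled versions in preference order, e.g. ["TLSv1.2", "TLSv1.1"]
    suites: enabled cipher suites (IANA names) in preference order
    tls10_exception: True only if a compatibility exception for TLS 1.0 is documented"""
    findings = []
    for proto in protocols:
        if proto in BANNED_PROTOCOLS:
            findings.append(f"{proto} is enabled; all SSL versions must be removed")
    if "TLSv1.1" not in protocols and "TLSv1.2" not in protocols:
        findings.append("minimum acceptable version TLS 1.1 is not enabled")
    if "TLSv1.0" in protocols:
        if not tls10_exception:
            findings.append("TLSv1.0 is enabled without a documented compatibility exception")
        # Even with an exception, 1.1/1.2 must come before 1.0 in preference order.
        higher = [protocols.index(v) for v in ("TLSv1.2", "TLSv1.1") if v in protocols]
        if not higher or min(higher) > protocols.index("TLSv1.0"):
            findings.append("TLSv1.0 is preferred over TLSv1.1/1.2")
    if MANDATORY_SUITE not in suites:
        findings.append(f"mandatory suite {MANDATORY_SUITE} is missing")
    for suite in suites:
        if suite not in APPROVED_SUITES:
            findings.append(f"unapproved suite {suite} must be removed")
    return findings


# Constructed sample: a weak configuration with SSLv3, TLS 1.0 first, and a 3DES suite.
WEAK_PROTOCOLS = ["TLSv1.0", "TLSv1.2", "SSLv3"]
WEAK_SUITES = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for finding in check_tls_config(WEAK_PROTOCOLS, WEAK_SUITES):
        print("FAIL:", finding)
```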
Algorithms that should no longer be used
The following algorithms have been found by NIST to no longer offer sufficient resistance to attack or, in the case of hash algorithms, to collision, and should not be used except in certain cases approved by NIST (such as the TLS 1.1 pseudo-random function, which uses a combination of MD5 and SHA-1):
- triple-DES with one or two keys