The following encryption algorithms are acceptable for protecting Restricted Data at the University of Florida, based upon NIST SP800-131A, R2.
Symmetric Block Ciphers
NIST 800-131A,R2, Chap 1, Table 1, pg. 7
- AES-128, AES-192, AES-256
- Three-Key Triple DES (TDEA) – disallowed after 2023 for encryption
Digital Signature Generation
NIST 800-131A,R2, Chap 2, Table 2, pg. 9
- DSA: |L,N| = (2048, 224), (2048, 256), or (3072, 256)
- RSA: |n| ≥ 2048
- ECDSA/EdDSA: |n| ≥ 224
Hash Functions
NIST 800-131A,R2, Chap 9, Table 9, pg. 18
- SHA-2 (includes SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
- SHA-3 (includes SHA3-224, SHA3-256, SHA3-384, and SHA3-512)
One-way functions should be used for storage of passwords. It is not appropriate to store passwords with a symmetric or block cipher, or with a plain message hash algorithm (such as MD5). PBKDF2 (NIST SP800-132) is preferred; bcrypt is acceptable.
Transport Layer Security (TLS)
Servers shall be configured to accept only approved cipher suites. All unapproved ciphers should be removed from the configuration to prevent their use. For further information, consult NIST SP 800-52,R2.
The minimum acceptable version is TLS 1.2, and TLS 1.3 is highly recommended. All previous SSL and TLS versions must be removed from the configuration to prevent their use. In specific use cases that require TLS 1.0 or TLS 1.1 (compatibility with a required but outdated browser version), those versions may be enabled, but TLS 1.2 and 1.3 must be configured to be preferred over 1.0 and 1.1 so that the legacy TLS versions are not used where a newer version is available.
It is highly recommended that UF servers use public key certificates issued by the InCommon Certificate Authority, for which UF has a license allowing unlimited use at no additional cost.
Mandatory suites (for TLS compliance):
- TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
Recommended suites (for greater compatibility):
- TLS_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (TLS 1.2)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
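As an added illustration (not part of the UF standard), the following Python builds a server SSLContext that enforces the TLS versions and cipher suites listed above and then audits what OpenSSL actually enabled. The OpenSSL names are the standard equivalents of the IANA suite names; the ECDHE-first ordering is a choice made here, not a requirement of the page.

```python
import ssl

# IANA suite names from the list above, mapped to OpenSSL's names for the
# same suites; the mandatory/recommended split follows the page.
APPROVED_SUITES = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",  # mandatory
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
MANDATORY_SUITE = "TLS_RSA_WITH_AES_128_GCM_SHA256"


def build_server_context() -> ssl.SSLContext:
    """Server context accepting only TLS 1.2/1.3 and the approved suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 refused
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Ordering is a choice made here: ECDHE (forward secrecy) first, the
    # static RSA-key-exchange suites last, and the server's order wins.
    ecdhe = [o for i, o in APPROVED_SUITES.items() if "ECDHE" in i]
    static = [o for i, o in APPROVED_SUITES.items() if "ECDHE" not in i]
    ctx.set_ciphers(":".join(ecdhe + static))  # governs TLS 1.2 suites only
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # TLS 1.3 suites cannot be set from Python's ssl module; OpenSSL's
    # defaults (AES-GCM and ChaCha20) remain enabled for TLS 1.3.
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report what OpenSSL actually enabled versus the approved list."""
    approved = set(APPROVED_SUITES.values())
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "tls12_suites": tls12,
        "unapproved": sorted(set(tls12) - approved),
        "mandatory_present": APPROVED_SUITES[MANDATORY_SUITE] in tls12,
        "legacy_versions_allowed": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    # Compare the hardened context with Python's stock default for contrast.
    stock = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    for label, context in (("hardened", build_server_context()), ("stock", stock)):
        print(label, audit_context(context))
```

Run the same audit against an existing application's context to list any suite outside the approved set before it reaches production.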
Algorithms that should no longer be used
The following algorithms have been found by NIST to no longer offer sufficient resistance to attack (or, for hash algorithms, to collisions), and should not be used except in certain cases approved by NIST (such as the TLS 1.1 pseudo-random function, which uses a combination of MD5 and SHA-1):
- triple-DES with one or two keys