Policy / Cryptography advice needed.

[James H Moore <jhmfa () RIT EDU>]

I need advice from cryptographer/policy makers on the list.  This is my
first draft.



I am working on wording for our server standard.  One thing to be aware of,
from an RIT standpoint is that we have affiliations and partnerships
overseas.  So for some things, the connection in can have 40-bit encryption
at best.  For those things, I have said that proxying is acceptable.  The
language that I am starting with to describe "strong encryption" follows



. strong encryption should be used, examples are RC4 at 128bits, 3DES, AES,
or PGP 1024 bits (should this be 2048?).

(What about Blowfish, TwoFish strengths?)



. what is not acceptable 40-bit RC4 or DES, unless used on a proxy server as
a gateway to international campuses, and then only for the individuals
located in or with frequent travel to export controlled countries.



Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

""In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It has
merely made more urgent the necessity of solving an existing one." Parallels
quote by Albert Einstein on atomic energy




  _____

From: UGA InfoSec Group [mailto:infosec () UGA EDU]
Sent: Saturday, July 30, 2005 8:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Do you remember?
Sensitivity: Confidential



Anyone remember the College and University Information Security Professional
(CUISP) group?  Is it still active?  Which school or who is chairing?





Anyone?







UGA Office of Information Security

"Old InfoSec paradigm is "Experience and React" -- the enlightened
way/strategy is "Anticipate and Adjust" "

Attachment: smime.p7s
Description: