Use of Cryptography

PS-08-024 Use of Cryptography

Issue Date: 3/20/2008

Effective Date: 3/20/2008

Review Date: 7/1/2018

PURPOSE

Cryptography is a discipline that embodies principles, means and methods for providing several security services: confidentiality, data integrity, authentication and non-repudiation.

This policy establishes the requirement to use cryptographic controls on State information systems as necessary.

POLICY

Agencies shall use cryptographic controls where the confidentiality, authenticity, non-repudiation or integrity of data is categorized MODERATE or higher, or when the risk of compromise or exposure is higher than acceptable, or when required by policy, law, or regulation, and other compensating controls are insufficient to meet the required security levels.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Cryptographic Controls (SS-08-040)

REFERENCES

NIST SP 800-12 (chapter 19) Introduction to Computer Security NIST Handbook

NIST SP 800-21 Guideline for Implementing Cryptography in the Federal Government

NIST Cryptographic Key Tool Kit http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html

FIPS 140-2 Security Requirements for Cryptographic Modules

TERMS AND DEFINITIONS

Cryptography is a branch of applied mathematics concerned with encrypting and decrypting data such that the sender’s identity (authentication and non-repudiation), data confidentiality or integrity can be assured.

  • Encryption is the process of converting ordinary information (plaintext) into unintelligible character strings (i.e., ciphertext).
  • Decryption is the reverse, moving from unintelligible ciphertext to plaintext.
  • A cipher (or cypher) is a pair of algorithms which perform this encryption and the reversing decryption.

Non-Repudiation is a service that is used to provide proof of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party.

Authentication is a process that establishes the origin of information or determines an entity’s identity.