Monday, April 11, 2011

Transmission encryption technologies

All Budget Unit networks and security protocols shall deploy and support, at a minimum, either Triple DES (TDES) or Advanced Encryption Standard (AES) for the transmission of confidential data/information. Budget Units with deployments other than TDES or AES are grandfathered for a period of three years from an effective date of April 2, 2008. This requirement will aid in providing a trusted computing base for encryption services that is essential for maintaining confidentiality, integrity, and non-repudiation of confidential information across state networks. The protection methods listed below shall also be considered and used for additional protection of state networks:

IPSEC – a suite of authentication and encryption protocols suitable for all types of Internet Protocol (IP) traffic that is used to create virtual private networks (VPN). IPSEC allows confidential information to be sent securely between two end-stations or networks over an untrusted communications medium. This should be considered as a technology for securing Internet and other IP communications when connecting authorized external customers at defined locations;

Secure Shell (SSH) – may be deployed solely for the remote administration of confidential data/information and their systems;

Secure Sockets Layer (SSL) – may be deployed to provide secured access to confidential data/information on Web servers. When SSL is used to protect Budget Unit confidential information, the most current version shall be used with 128-bit encryption;

Virtual Private Networks (VPN) – should be deployed in environments where data-link-layer encryption is not a practical solution to maintain and operate. VPN technology using IPSEC encryption can be implemented independently from a particular link-layer communications technology (e.g., HDLC, Frame Relay, FDDI, Ethernet, Gigabit Ethernet, ATM, etc.). As such, this standard strongly encourages the use of VPN technology to secure confidential communications;

Data-Link (symmetrical) Encryption – may be used in environments where Virtual Private Network management would not be a reasonable encryption implementation to maintain and operate and where use and management of VPN technology would not be warranted;

Secure/Multipurpose Internet Mail Extensions (S/MIME) – like PGP, S/MIME is a standards-based security enhancement for securing email and message attachments that provides strong authentication through digital signatures, message confidentiality, integrity and non-repudiation;

Pretty Good Privacy (PGP) – may be used to protect sensitive information transmitted via e-mail, using a minimum key size of 2048 bits. Public key information may be maintained on public or internal PGP key servers. Please refer to Secretary of State’s PGP policy at

Public Key Infrastructure (PKI) – recommended PKI-based technical functionality is defined by Standard X.509 and its extensions, in the evolving definition developed by the Internet Engineering Task Force (IETF) through the PKIX Standards Development Task Group. This standard provides and defines certified identification of digital signatures having integrity, non-repudiation, and authentication. Please refer to Secretary of State’s PKI policy and procedures at

All Budget Units shall coordinate PGP and PKI electronic signature-related projects and implementations with the Office of Secretary of State, which has statutory and policy authority for electronic signatures (A.R.S. § 41-132 Electronic and Digital Signatures).

Encryption Technologies
STATE of ARIZONA, May 7, 2008