State of Alaska DRAFT Security Policies

Encryption Category

Each policy below is listed by its Policy ID No. and Policy name, followed by its Policy Text and its Policy Commentary.

90.0 question??????????? Automated Encryption Key Management Systems Preferred
Policy Text: Whenever such facilities are commercially available, State of Alaska must employ automated rather than manual encryption key management processes.
Policy Commentary: The intention of this policy is to save State of Alaska money and time, as well as to obtain the most effective security system available. For some encryption systems (particularly those which are "home-grown"), there are no applicable commercially available key management systems. But recent commercial offerings include a number of strong key management systems, such as those available from Information Resource Engineering of Baltimore, MD. Key management is very complex, and as such should be automated to reduce the probability of human error. Automation also reduces the probability of accidental key disclosure to unauthorized persons. Some organizations may wish to put the word "standard" into the policy to ensure interoperability with other key management systems. See the policies entitled "Explicit Assignment of Encryption Key Management Functions" and "Encryption Key Management Systems and Separation of Duties." A: T; E: MH.

91.0 Maximum Life of Encryption Keys
Policy Text: Whenever encryption is used to protect State of Alaska data, the keys must be changed at least every six months.
Policy Commentary: The intention of this policy is to force periodic changes in encryption keys. Changing the keys more rapidly will increase the security of an encryption system. If an adversary is able to derive a particular encryption key through cryptanalysis, they must start from the beginning whenever the key is changed. See the policy entitled "Stated Life for All Encryption Keys."

92.0 Encryption Keys Must Not Be Re-used
Policy Text: When changing an encryption key, a previous key must not be used.
Policy Commentary: This policy is intended to make it clear that the people handling keys generate a new key. This policy should not be confused with the policy "Maximum Life of Encryption Keys," which states how frequently keys should change. For a related policy, see the policy entitled "Maximum Life of Encryption Keys."

93.0 Process for Generating Encryption Keys
Policy Text: Whenever encryption is used, the keys employed must be generated by means which are not practically replicable by an adversary, and which will yield keys that are difficult to guess. An example of this key generation process is the use of a pseudo-random number generator which takes the low order bits of the computer clock as input.
Policy Commentary: The intention of this process is to ensure that encryption systems provide all the security they are meant to provide. If encryption keys are easily guessed, then the security provided by encryption systems may be easily compromised. For example, if users choose their own encryption keys, a guessability-related screening process is recommended. This policy is a derivative of a policy regarding so-called "weak keys" for the Triple Data Encryption Standard (3DES); certain weak keys make 3DES cryptanalysis quite easy, and these keys must accordingly be avoided. Often the key generation process is part of an automated key management process. Also see the policy entitled "Minimum Length for User-Chosen Encryption Keys."

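As an added illustration of the screening step this policy asks for (example code, not part of the draft policy), the following Python draws a three-key 3DES key from the operating system's random source, sets DES key parity, and rejects the published DES weak and semi-weak keys as well as keys whose adjacent subkeys coincide. Function names are my own; the weak-key lists are the standard DES ones.

```python
# Added example (not part of the State of Alaska policy draft): generate a
# three-key 3DES key from the OS random source and screen it against the
# standard DES weak and semi-weak key lists, as policy 93.0 calls for.
import secrets

DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)}
DES_SEMI_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}

def set_odd_parity(key: bytes) -> bytes:
    """DES uses 56 of the 64 key bits; the low bit of each byte is a parity
    bit, set here so that every byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE
        ones = bin(top7).count("1")
        out.append(top7 | (0 if ones % 2 else 1))
    return bytes(out)

def is_weak_3des_key(key: bytes) -> bool:
    """True if any 8-byte subkey is a DES weak or semi-weak key, or if two
    adjacent subkeys coincide (which collapses 3DES to single DES)."""
    if len(key) != 24:
        raise ValueError("three-key 3DES needs 24 bytes")
    k1, k2, k3 = key[0:8], key[8:16], key[16:24]
    if any(k in DES_WEAK_KEYS or k in DES_SEMI_WEAK_KEYS for k in (k1, k2, k3)):
        return True
    return k1 == k2 or k2 == k3

def generate_3des_key() -> bytes:
    """Draw from the CSPRNG, fix parity, and retry until screening passes;
    only a handful of keys are rejected, so the loop almost never repeats."""
    while True:
        candidate = set_odd_parity(secrets.token_bytes(24))
        if not is_weak_3des_key(candidate):
            return candidate
```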
94.0 Minimum Length for User-Chosen Encryption Keys
Policy Text: Whenever user-chosen encryption keys are employed, the encryption system must prevent users from employing keys made up of fewer than eight (8) characters.
Policy Commentary: Like the policy entitled "Process for Generating Encryption Keys," the intention of this policy is to make sure that an encryption system provides the security it was meant to provide. If encryption keys are easily guessed (because they are made up of too few characters), then an encryption system can be readily compromised. This policy is targeted at users who need to encrypt data on their computer system and does not apply to encryption of network traffic. For a related idea, see the policy entitled "Minimum Password Length."

95.0 Protection for Encryption Key Generation Materials
Policy Text: Whenever encryption is used, materials used to develop encryption keys, as well as hardcopy versions of keys, must be kept locked when not in use. Protective measures to prevent these keying materials from falling into the wrong hands must be observed throughout the life cycle of the information protected by the keys. The term "keying materials" is used to refer to data encryption keys, keys which encrypt other keys (master keys), initialization vectors (IVs), pseudo-random number generator seeds, and other parameters used to control or initialize encryption processes.
Policy Commentary: The intention of this policy is to prevent the parameters used to construct encryption keys from falling into the wrong hands, and then being used to construct or intelligently guess encryption keys. As soon as possible after their use, these keying materials should be destroyed according to approved procedures for the most sensitive information (shredding, burning, etc.). For more on this, see the policy entitled "Destruction of Encryption Key Generation Materials."

96.0 Protection for Plaintext Encryption Master Keys
Policy Text: Only two approaches for protecting plaintext (readable) master keys are acceptable to the State of Alaska. Master keys may be manually handled via dual control with split knowledge. Alternatively, they may be stored in tamper-proof modules. In all other places, they must appear only in encrypted form.
Policy Commentary: This policy specifies the permissible ways to protect the keys at the top of a hierarchy of keys -- the most sensitive type of encryption keys. Master keys are used to encrypt all other keys, or at least to encrypt keys which in turn encrypt other keys. If a master key is revealed, an entire encryption system can quickly be compromised. Accordingly, significant efforts are needed to prevent these keys from falling into the wrong hands. When in readable form, master keys must be chopped into segments (components), none of which reveals the original master key (also known as "split knowledge"). Alternatively, they may be stored in hardware modules which will automatically erase the keys if someone tampers with the module. For related ideas, see the policies entitled "Protection for Encryption Key Generation Materials" and "Encryption Key Management Systems and Separation of Duties."

97.0 Destruction of Encryption Key Generation Materials
Policy Text: All supplies used for the generation, distribution, and storage of keys must be protected from disclosure to unauthorized persons. When they are no longer needed, they must be destroyed by pulping, shredding, burning, or other methods approved by the Agency Computer Security Officer.
Policy Commentary: The intention of this policy is to prevent unauthorized parties from obtaining access to the information used to generate, distribute, or store encryption keys. Such access might allow these parties to obtain copies of the keys, which in turn would allow them to obtain the sensitive information protected with encryption. The policy also serves to make workers aware that these materials are sensitive and that they should be handled with care. See the policy entitled "Protection for Encryption Key Generation Materials."

98.0 Time Frame for Destruction of Key Exchange Material
Policy Text: Custodians of key exchange material must destroy this material according to approved procedures within a reasonable time -- not to exceed ten business days -- following the successful verification of a key exchange process.
Policy Commentary: The intent of this policy is to clearly specify when custodians of keying materials (master keys, encryption key components, initialization vectors, random number generator seeds, etc.) must destroy the keying materials they have received. The shorter the time that these materials exist outside the system, and the fewer the people that have them, the more secure the encryption process will be. While the key management process is increasingly being automated, there are still many encryption systems where manual key loaders and other technology require human involvement. It is for those manual situations that this policy is intended.

99.0 Prevention of Unauthorized Disclosure of Encryption Keys
Policy Text: Encryption keys must be protected from unauthorized disclosure via technical controls such as encryption under a separate key or use of tamper-resistant hardware.
Policy Commentary: The intention of this policy is to specify that measures must always be taken to prevent the unauthorized disclosure of encryption keys. If encryption keys are disclosed, the security of encryption systems is in most instances defeated (assuming the algorithm and implementation are public knowledge, which they are with the Triple Data Encryption Standard (3DES)). Tamper-resistant hardware prevents people from opening it to recover the encryption keys stored inside.

100.0 Transmission of Cleartext Private Encryption Keys Prohibited
Policy Text: If private encryption keys are transmitted over communication lines, they must be sent in encrypted form. The public key in a public key encryption system must not be encrypted. The encryption of keys should be performed with a stronger algorithm than is used to encrypt other sensitive data protected by encryption.
Policy Commentary: The intention of this policy is to prevent users from inadvertently sending readable (cleartext) encryption keys over communication systems. If this is done, then the encryption process (depending on the type of system) may be easily circumvented. Note that the sentence calling for a stronger algorithm is a guideline and not a policy (the word "should" is used rather than "must"). For example, if the organization in question is using a standard "symmetric" encryption algorithm, such as the Triple Data Encryption Standard (3DES), implementation of that guideline would be straightforward.

101.0 Storing Encryption Keys on Same Media as Protected Data Prohibited
Policy Text: If encryption is used to protect sensitive data resident on computer storage media, the encryption keys and related encryption keying materials (initialization vectors, time-and-date stamps, salt parameters, etc.) used in the encryption process must not be stored anywhere on this storage media in unencrypted form.
Policy Commentary: The intention of this policy is to prevent an astute cryptanalyst from noticing that the keying materials are stored on the same data storage media as the encrypted data. Surprising as it may seem, several commercial encryption packages use this approach, which of course may be quickly circumvented. Use of hidden files or hidden directories for the unencrypted storage of these keying materials is not acceptable. To put both the keying materials and the encrypted data on the same media is like using tape to affix a front door key to one's front door.

102.0 BIG QUESTION???? Stored File Encryption Systems Must Include Key Escrow
Policy Text: All encryption processes used to encrypt files stored on State of Alaska information systems must include key escrow functions. These special functions allow State of Alaska management to recover encrypted information should there be system errors, human errors, or other problems.
Policy Commentary: The intent of this policy is to require encryption systems used for regular business activities to employ a system with key escrow. This is targeted at encryption used for long-term file storage and is not intended for transient encryption processes used in data communications. Basically, key escrow allows management (or some other trusted party) to decrypt files when and if needed. A secure process (known as escrow) is needed to ensure that data can be decrypted under any circumstances. This may be required in the event of emergencies, staff unavailability, personnel disputes, or criminal investigations. Without key escrow features, management runs a significant risk that an encrypted file cannot be read should the holder of the key be unavailable. In the case of archived files, it is important to maintain the keys should the archived files be needed later. Note that the policy does not address encryption processes embedded in information systems, such as the encryption used in an SSL web browser session. It only deals with "general purpose encryption systems," not special purpose encryption systems like those which do digital signatures, password encryption, and the like.

134.0 ?????????????? Encryption Key Management Systems and Separation of Duties [we are not sure how this can work in the SOA/ACS network or with modern tech]
Policy Text: State of Alaska encryption systems must be designed such that no single person has full knowledge of any single encryption key. This must be achieved by separation of duties and dual control. Separation of duties refers to the use of more than one individual to handle a certain important activity, while dual control means that two people must be simultaneously present for an important activity to be accomplished.
Policy Commentary: The intention of this policy is to prevent any one individual from gaining access to a full encryption key. If a full encryption key were held by any one individual, then this individual could (depending on how the encryption system was set up) decrypt other keys and/or decrypt sensitive information. This could lead to fraud, sabotage, privacy invasion, and other problems. By breaking keys into components, such activities are not possible without collusion. Breaking keys into components usually involves creating two bit strings which, when combined via an exclusive-OR operation, yield a production encryption key. This entire process is often automated via hardware called "key loaders." The notions described in this policy can also be applied to passwords, initialization vectors, pseudo-random number generator seeds, and other parameters used in security-related processes. See the policies entitled "Separation of Duties and Control Over State of Alaska Assets" and "Protection of Password Generation Algorithms." A: T; E: MH.

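The exclusive-OR component scheme described here, and the split knowledge that policy 96.0 requires for plaintext master keys, as an added Python example (not part of the draft policy). It generalizes the two-component case in the text to any number of custodians; function names and the constructed sample key are my own.

```python
# Added example (not part of the State of Alaska policy draft): the XOR
# key-component scheme described in policies 96.0 and 134.0. Only the XOR
# of all n components restores the key; fewer than n reveal nothing, since
# each component on its own is uniformly random. Function names are mine.
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int = 2) -> list:
    """Return n components whose XOR equals key. The first n-1 come straight
    from the CSPRNG; the last is chosen so that XORing all of them gives key."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components

def combine_components(components: list) -> bytes:
    """Rebuild the key. Under dual control every custodian must present a
    component; any missing one leaves a uniformly random, useless value."""
    if not components:
        raise ValueError("no components supplied")
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key

def component_label(index: int, component: bytes) -> str:
    """Hex rendering in 4-character groups for a custodian's sealed hardcopy
    (the keying material that policy 95.0 says must be kept locked up)."""
    h = component.hex().upper()
    return f"Component {index}: " + " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def demo() -> bool:
    """Constructed 16-byte key: three custodians, all three needed."""
    key = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
    parts = split_key(key, 3)
    full = combine_components(parts)
    partial = combine_components(parts[:2])
    return full == key and partial != key
```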
140.0 Encryption of Network Traffic
Policy Text: All network traffic that passes between State of Alaska local area networks and that traverses public networks must employ strong encryption.
Policy Commentary: Portions of the State of Alaska Wide Area Network make use of public networks, such as telephone utility lines. The intent of this policy is to ensure that all traffic that could be observed by tools such as packet analyzers is encrypted. While the State can ensure that its employees respect the privacy and security of data transmissions, the same cannot be said for unknown telco employees. Encryption is the only mechanism available to secure data transmitted over lines that the State does not control. Note that this policy specifically calls for encryption, which is not the same as hashing or encapsulating.

143.0 Restricted Access to Network Traffic Encryption Keys
Policy Text: Access to keys used to encrypt network traffic must be restricted on a need-to-know basis. The State Computer Security Officer must approve all parties who have access to encryption keys.
Policy Commentary: Encryption is the primary bastion against eavesdropping and wiretapping, particularly in a converged network that will carry both data and voice. The intent of this policy is to prevent the widespread dissemination of the keys used to encrypt network traffic. It is crucial that only those with an absolutely critical need have access to the encryption keys used on State of Alaska network transport. The State Computer Security Officer must maintain the comprehensive list of those with the encryption keys and approve any change to the list. Any variation from this policy is a dangerous violation of the State of Alaska security policy.