1. Purpose
Define the acceptable cryptographic algorithms, key lengths, and protocols approved for use at [ORGANIZATION] to ensure consistent and adequate data protection.
2. Scope
This policy applies to all cryptographic implementations used to protect [ORGANIZATION]'s data, whether developed in-house, acquired commercially, or provided by third-party services.
3. Policy
3.1 Approved Algorithms
The following cryptographic algorithms and minimum key lengths are approved for use:
| Purpose | Approved Algorithms | Minimum Key Length | Notes |
|---|---|---|---|
| Symmetric Encryption | AES | 256 bits | AES-128 acceptable for non-sensitive data. CBC, GCM, or CCM modes. |
| Asymmetric Encryption | RSA, ECDSA, Ed25519 | RSA-2048, ECDSA P-256, Ed25519 | RSA-4096 recommended for long-term keys |
| Key Exchange | ECDH, DH | ECDH P-256, DH 2048-bit | Prefer ECDH for performance |
| Hashing | SHA-256, SHA-384, SHA-512, SHA-3 | 256 bits | SHA-1 prohibited for new implementations |
| Message Authentication | HMAC-SHA256, AES-CMAC | 256 bits | HMAC-MD5 prohibited |
| Password Hashing | bcrypt, scrypt, Argon2id, PBKDF2 | N/A | Argon2id preferred. PBKDF2 minimum 600,000 iterations with SHA-256 |
| TLS | TLS 1.2, TLS 1.3 | N/A | TLS 1.3 preferred. TLS 1.0 and 1.1 prohibited |
3.2 Prohibited Algorithms
The following algorithms are prohibited for all new implementations and shall be phased out of existing implementations within [CUSTOMIZE: 6/12] months: DES, 3DES (except for legacy PCI environments with documented exception), RC4, MD5 (for any security purpose), SHA-1 (for digital signatures or certificate validation), SSL 2.0 and 3.0, TLS 1.0 and 1.1, RSA key lengths below 2048 bits, and any proprietary or non-standard cryptographic algorithms.
3.3 Implementation Standards
Cryptographic implementations shall use established, reviewed libraries (OpenSSL, BoringSSL, libsodium, platform-native crypto libraries). Custom cryptographic implementations are prohibited.
Random number generation shall use cryptographically secure pseudo-random number generators (CSPRNG) provided by the operating system or approved libraries.
Certificate validation shall enforce: certificate chain verification, hostname verification, certificate expiration checking, and revocation checking (OCSP or CRL).
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
Approved By
Title
Date
Document Control