Comments on: Encryption by Law? If so, what strength or type?

By: sarahcortes

sarahcortes — Sat, 20 Jun 2009 12:21:03 +0000

Troy Tate, thanks, are you recommending the law should explicitly require 1024-bit minimum key length? I’m interested in what we feel the law should specify rather than how anyone recommends interpreting the law. Right now the law is totally vague.

JoeMellott seems to be saying the law should not attempt to require encryption because it is not feasible to come up with a reasonable standard.

Rklanke seems to agree that specifying encryption in the law is futile since its implementation has so many dependencies and these would also have to beexplicitly specified.

SbElectric seems to be unclear but suggesting using a NIST standard. An interesting idea, so I asked, which one? there seem to be hundreds and “encryption” is not a NIST cluster topic.

WIll be waiting to hear responses.

By: sarahcortes

sarahcortes — Sat, 20 Jun 2009 12:13:58 +0000

Thx, SbElectric, for your reply. My question regards your opinion of whether and how encryption should be included in legislaiton like the ones I noted in my question. Not exactly asking what the standards are. I can see what the laws say, they are totally vague. I am soliciting input from a broad range of people as to their opinions on this topic. NIST giudelines are great, by the way, which one or ones in particular would you highlight as "encryption" standards? Since tere are hundreds of standards on thet site and they don't have an "encryption" cluster. I'll be interested to know your answer, thx

By: rklanke

rklanke — Wed, 17 Jun 2009 04:10:07 +0000

Every encryption scheme, regardless of key length, assumes strong passwords. If users set the passwords, expect weak (easily remembered, easily entered, and easily guessed) passwords. Dictating encryption strength or mechanism without dictating password strength leads to false confidence.

By: joemellott

joemellott — Tue, 16 Jun 2009 18:32:48 +0000

I have been looking into the impacts of the MA law, and they specify encryption that uses “… an algorithmic process, or alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key…”, which is pretty wide open as far as actual strengths and methods to meet compliance.

Further, only data that is transmitted across public networks, wirelessly or stored on laptops needs to be encrypted, so depending on how your organization works this could be a huge deal or trivial.

Having the government specify mimimum encryption strengths seems dangerous to me, as they will probably either be unreasonably hard on the little guy or hopelessly behind the times.

By: Troy Tate

Troy Tate — Mon, 15 Jun 2009 20:18:55 +0000

Implement encryption that people will use and that does not require a significant amount of management overhead (key management – creation, recovery, lifecycle). It should be cost effective for the population size and user education. Any modern system with a key length of 1024bits or better should be adequate.