 

 

Cryptographic Control Policy
 

 

1.0 PURPOSE

The purpose of this policy is to provide guidance on the use of encryption. Encryption algorithms are constantly put to the test by cryptanalysts, and from time to time these algorithms are proven insecure. This policy lays down the best practices for the use of cryptographic controls to protect the confidentiality, integrity and authentication of organizational assets. This policy also ensures that the use of encryption technologies conforms to Indian as well as other applicable laws.

2.0 SCOPE

This policy applies to all employees, students, consultants, licensees, lessees, franchisees, vendors, customers, agents, and affiliates of Asian School of Cyber Laws and to all electronic transactions wherein one or more parties are one or more of the above-mentioned.

3.0 POLICY

The following symmetric encryption algorithms may be used:

  1. Triple DES

  2. RC5

  3. Rijndael

  4. IDEA

The following asymmetric encryption algorithms may be used:

  1. RSA

The following hash functions may be used:

  1. SHA-1

Recommended key size is 128 bits for symmetric keys and 4096 bits for asymmetric keys.

Use of digital signatures on all emails is a must. Each user shall be personally responsible for the secure use and protection of his private key. Repudiation of any signed records shall not be acceptable except in special circumstances.

Information assets labeled as 'Maximum Sensitivity' are to be maintained in an encrypted manner, with the use of the Asset owner's public key.

Exchange of passwords, credit card numbers or any such sensitive information shall be done only using high grade encryption as provided earlier in the policy.

4.0 ENFORCEMENT

Any person bound by this policy who intentionally and/or knowingly violates this policy shall be subject to action deemed fit by the Governing Board of Asian School of Cyber Laws and shall also be liable to pay adequate and prompt compensation. Such action shall not preclude adequate civil and / or criminal remedy as per the applicable law.

5.0 DEFINITIONS

Unless repugnant to the context, all undefined terms in this policy, with their grammatical variations and cognate expressions, have the meanings as assigned to them in RFC 2828.

6.0 REVISION HISTORY

This document was created on 12-04-2001 and was last updated on 22-02-2003. Please note that this document is updated on a regular basis and the latest version can be obtained from:

 

 


© 2007 Asian School of Cyber Laws. All rights reserved.