The confidentiality and integrity of Sensitive and PHI/Restricted data and resources owned by the University of Alabama at Birmingham (UAB) are of paramount importance. Encryption provides the ability to protect those data and resources and is required by the UAB Data Protection Rule when Sensitive and PHI/Restricted data are involved.
2.0 Objective/Purpose
This document provides guidance for leveraging encryption with a variety of technologies and use cases to ensure that the confidentiality and integrity of UAB data and resources are protected, in accordance with the UAB Data Protection Rule and other policies, standards, rules, and security frameworks. As technology and standards evolve, this list of encryption guidelines will be updated to reflect such changes. Questions regarding these guidelines can be directed to AskIT by email or by phone at (205) 996-5555.
3.0 Recommendations
The following guidance should be used when leveraging encryption to secure UAB data and workflows in which the associated levels of confidentiality and integrity must be protected.
3.1 Web communications
Requirement: Securing web (HTTPS) communications
Solution: TLS 1.2 or later
Comment: Use TLS 1.2 or later (TLS 1.3 where both ends support it) to secure HTTPS communications. SSL (all versions) and TLS 1.0/1.1 are obsolete and vulnerable to known attacks; vendors have deprecated them and browsers and servers are removing support. Configure servers and clients so that the older versions cannot be negotiated at all, not merely deprioritized: a version that is still enabled can still be reached by a downgrade.
3.5 Guidelines for symmetric encryption algorithms
Requirement: Evaluating the algorithm used in a symmetric encryption process
Solution: Use a public, well-validated, strong algorithm such as AES, Twofish, or Serpent. Avoid products that rely on weak or proprietary encryption algorithms.
Comment: Public algorithms have been thoroughly vetted by the cryptographic community. Proprietary algorithms have not been open to public review and are therefore not as well tested. The algorithm is only part of the design: use an adequate key size (at least 128 bits) and an authenticated mode of operation such as AES-GCM. An unauthenticated mode (ECB, or CBC without a separate MAC) protects confidentiality at best and leaves the integrity of the data unprotected.
3.6 Guidelines for asymmetric key exchange/encryption algorithms
Requirement: Evaluating the algorithm used in an asymmetric key exchange or encryption process
Solution: Use a public, well-validated, strong algorithm such as Diffie-Hellman, RSA, ECC (for example ECDH or ECDSA), or ElGamal. Avoid products that rely on weak or proprietary encryption algorithms.
Comment: Public algorithms have been thoroughly vetted by the cryptographic community. Proprietary algorithms have not been open to public review and are therefore not as well tested. Key size matters as much as the algorithm: use RSA and finite-field Diffie-Hellman moduli of at least 2048 bits and elliptic-curve keys on a standard curve of at least 256 bits (such as P-256). Asymmetric operations are slow and size-limited, so in practice they are used to agree on or wrap a symmetric key, and the bulk data is then protected with a symmetric algorithm from section 3.5.
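The following is an added example (not from the UAB guideline) that ties sections 3.5 and 3.6 together: two parties exchange ephemeral P-256 ECDH public keys, each derives the same 256-bit AES key from the shared secret, and the data is then protected with AES-256-GCM, whose authentication tag causes any tampered message to be rejected. The `Party`, `Seal` and `Open` names, the fixed label used in the key derivation, and the sample plaintext are assumptions for the example; a production protocol would derive the key with HKDF bound to the handshake transcript rather than a plain SHA-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Party is one side of the exchange, holding an ephemeral P-256 key pair.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh key pair; only the public half ever leaves the host.
func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public returns the encoded public key that is sent to the peer in the clear.
func (p *Party) Public() []byte {
	return p.priv.PublicKey().Bytes()
}

// SharedKey combines this party's private key with the peer's public key and
// derives a 32-byte AES-256 key. The raw ECDH output is never used directly as
// a key; it is hashed with a fixed label (simplified KDF, an assumption for the
// example; use HKDF with transcript context in a real protocol).
func (p *Party) SharedKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPublic) // rejects malformed/off-curve points
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-aes256-key"))
	h.Write(secret)
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM. Output is nonce || ciphertext || tag. The
// associated data (e.g. a message header) is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or associated
// data fails the tag check and no plaintext is returned.
func Open(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	// Each side transmits only its public key; both derive the same AES key.
	kA, _ := alice.SharedKey(bob.Public())
	kB, _ := bob.SharedKey(alice.Public())
	aad := []byte("msg-id:1")
	msg, _ := Seal(kA, []byte("constructed sample record"), aad) // constructed sample data
	pt, err := Open(kB, msg, aad)
	fmt.Printf("bob decrypts: %q err=%v\n", pt, err)
	msg[len(msg)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(kB, msg, aad)
	fmt.Println("tampered message rejected:", err)
}
```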
3.7 Guidelines for using hashes
Requirement: Digitally signing or validating files
Solution: Use a SHA-2 hash (SHA-256 or stronger) or SHA-3
Comment: MD5 and SHA-1 are considered weak (practical collision attacks have been demonstrated against both) and must not be used for signatures or integrity checks. A hash alone proves only that a file matches a trusted reference value; if the checksum is published next to the file over the same channel, an attacker who can replace the file can replace the checksum too. A digital signature, or a reference digest obtained over a separately trusted channel, is what binds the integrity value to its source.
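The following is an added example (not part of the UAB guideline) of the file-validation half of this requirement: a small verifier that reads a checksum manifest, refuses any entry that names MD5 or SHA-1, hashes each file in a streaming fashion with the named SHA-2 function and compares the result against the manifest. The manifest format (`<algorithm>  <hex digest>  <path>` per line), the function names and the temporary file built in `main` are assumptions for the example; the manifest is still only as trustworthy as the channel it arrived over, so in practice it would itself be signed.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"os"
	"strings"
)

// Entry is one manifest line: "<algorithm>  <hex digest>  <path>" (assumed format).
type Entry struct {
	Algo   string
	Digest []byte
	Path   string
}

// newHash returns a constructor only for algorithms the guideline permits.
// MD5 and SHA-1 are recognised solely so they can be refused with a clear message.
func newHash(algo string) (func() hash.Hash, error) {
	switch strings.ToLower(algo) {
	case "sha256":
		return sha256.New, nil
	case "sha384":
		return sha512.New384, nil
	case "sha512":
		return sha512.New, nil
	case "md5", "sha1":
		return nil, fmt.Errorf("%s is a weak hash and is not acceptable for integrity checks", algo)
	default:
		return nil, fmt.Errorf("unknown hash algorithm %q", algo)
	}
}

// ParseManifest parses manifest text and fails on the first weak or unknown
// algorithm rather than silently skipping the entry.
func ParseManifest(text string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", n, len(fields))
		}
		if _, err := newHash(fields[0]); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		digest, err := hex.DecodeString(fields[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad hex digest: %w", n, err)
		}
		entries = append(entries, Entry{Algo: strings.ToLower(fields[0]), Digest: digest, Path: fields[2]})
	}
	return entries, sc.Err()
}

// FileDigest hashes a file through io.Copy so large files are never loaded whole.
func FileDigest(path, algo string) ([]byte, error) {
	ctor, err := newHash(algo)
	if err != nil {
		return nil, err
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := ctor()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// Verify reports whether the file's digest equals the manifest value. The
// length is checked first so a truncated manifest digest can never match.
func Verify(e Entry) (bool, error) {
	got, err := FileDigest(e.Path, e.Algo)
	if err != nil {
		return false, err
	}
	if len(got) != len(e.Digest) {
		return false, fmt.Errorf("%s: manifest digest has wrong length for %s", e.Path, e.Algo)
	}
	return bytes.Equal(got, e.Digest), nil
}

func main() {
	// Constructed input: a temporary file and a manifest line built from its digest.
	f, err := os.CreateTemp("", "hash-example")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("constructed example payload\n")
	f.Close()

	d, err := FileDigest(f.Name(), "sha256")
	if err != nil {
		panic(err)
	}
	entries, err := ParseManifest(fmt.Sprintf("sha256  %s  %s\n", hex.EncodeToString(d), f.Name()))
	if err != nil {
		panic(err)
	}
	ok, err := Verify(entries[0])
	fmt.Println("sha256 entry verifies:", ok, err)

	// A manifest that still carries an MD5 line is refused outright.
	_, err = ParseManifest("md5  d41d8cd98f00b204e9800998ecf8427e  legacy.bin\n")
	fmt.Println("md5 manifest rejected:", err)
}
```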