Search CSRC

2013 [04-05-2013] -- The First International Cryptographic Module Conference Bringing experts together from around the world to confer on the topic of cryptographic modules. Discussion on technical topics underlying the implementation of a cryptographic module including physical security, key management, side-channel analysis, key management, cryptographic algorithm implementation testing, standardization (FIPS 140-2, ISO/IEC 19790), validation programs and more. September 24-26, 2013 in Gaithersburg, MD. Registration February through August 2013. Details at: ICMC 2013 2012...

2007 [11-30-2007] -- Non-Compliance update to Certificate #733 RNG (Cert. #216) changed to non-compliant. This RNG shall not be used for any services requiring the use of random bits. [10-12-2007] -- Federal Register Notice DEPARTMENT OF COMMERCE National Institute of Standards and Technology Docket No. 070321067–7068–01 Public Draft of Federal Information Processing Standard (FIPS) 140-3, a revision of FIPS 140-2, Security Requirements for Cryptographic Modules AGENCY: National Institute of Standards and Technology (NIST), Department of Commerce. ACTION: Public comment period...

2018-2017 Announcements Archive 2018 [11-30-2018] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program has been updated. Updated Guidance: General: changed all references of Communications Security Establishment (CSE) to Canadian Centre for Cyber Security (CCCS). IG G.2 - Completion of a test report: Information that must be provided to NIST and CCCS – Added acceptance of draft certificate submissions from the CST lab to the CMVP in the RTF format (but still recommending DOC or DOCX formatting). IG G.13 - Instructions for Validation...

POSTED December 13, 2013 -- Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key is available for public comment. NIST is pleased to announce that Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. NIST requests comments on NISTIR 7863 by 5:00pm EST on January 17, 2014. Please submit...

POSTED November 30, 2007: NIST Interagency Report 7452: Secure Biometric Match-on-Card Feasibility Report (NIST IR 7452) NIST is pleased to announce the release of NIST Interagency Report 7452, Secure Biometric Match-on-Card Feasibility Report. NIST conducted the feasibility study to understand the effects of combining asymmetric cryptography with Biometric Match-on-Card. The report describes the tests that were conducted to obtain timing metrics for the SBMOC transaction and provides a summary of the test results. POSTED October 4, 2007: Draft Special Publication 800-73-2, Interfaces...

NIST SP 800-116 been updated to Revision 1 to align with FIPS 201-2. High-level changes include: Update to section 4.4 (previously section 7.1) to reflect the FIPS 201-2 requirements for credential validation. Reflection of the FIPS 201-2 deprecation of CHUID authentication mechanism throughout the document. Reflection of the downgrade of VIS authentication mechanism to LITTLE or NO” confidence in cardholder’s identity. Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms. Addition of a new appendix titled “Improving Authentication...

DISCLAIMER: The pre-validation list is provided for information purposes only. Participation on the list is voluntary and is a joint decision by the vendor and the NPIVP test facility. Products are listed alphabetically by vendor name. Posting on the list does not imply guarantee of final validation. The following phases describe the pre-validation process. The status of each product in the process is identified in the list.   PIV Card Application Testing in Progress There exists a viable contract between a vendor and a NPIVP testing facility for the testing of the vendor’s PIV card...

DISCLAIMER: The pre-validation list is provided for information purposes only. Participation on the list is voluntary and is a joint decision by the vendor and the NPIVP test facility. Products are listed alphabetically by name. Posting on the list does not imply guarantee of final validation. The following phases describe the pre-validation process. The status of each product in the process is identified in the list.   PIV Middleware Testing in Progress There exists a viable contract between a vendor and a NPIVP testing facility for the testing of the vendor’s PIV Middleware. The PIV...

The NIST maintains a validation list of all validated PIV Card Application (past and present). The list is maintained in descending order of certificate numbers and is updated as new PIV Card Applications receive validation certificates from the NPIVP. All questions regarding the implementation and/or use of any PIV Card Application located on the validation list should first be directed to the vendor. Cert # Product Name Vendor Issue Date/Update Date FIPS 140-2 validation certificate # and date Product Details...

All questions regarding the implementation and/or use of any PIV Middleware included in the validation list should first be directed to the vendor.  SP 800-73-4 PIV Middleware Validation List Certificate # Product Name Vendor Validation Date 23 90meter PIV Middleware, Version 1.4 90meter, Inc. 03/13/2018 22  ID-One PIV Client API SP800-73-4 version 2.1.0.0 Oberthur Technologies 06/13/2017   SP 800-73-3 PIV Middleware Validation List Certificate # Product Name Vendor...

09/05/2014 The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that beginning 09/05/14, new and replacement cards issued by Department and Agencies have to conform to FIPS 201-2 when on-boarding or when replacing PIV Cards as they expire over the next 5 years. The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are...

The Assessment Cases available for download correspond with NIST Special Publication 800-53, Revision 3. The assessment cases were developed by an interagency working group that has disbanded. Assessment cases for consistency with SP 800-53A Rev 4 or newer will not be developed but the existing assessment cases may continue to be applied and also may be used as a model to extrapolate assessment cases for controls added or changed in NIST SP 800-53 Revision 4 or newer. Cautionary Note: The assessment cases developed for this project are not the only acceptable assessment cases; rather, the...

The Assessment Cases available for download correspond with NIST Special Publication 800-53, Revision 3. The assessment cases were developed by an interagency working group that has disbanded. Assessment cases for consistency with SP 800-53A Rev 4 or newer will not be developed but the existing assessment cases may continue to be applied and also may be used as a model to extrapolate assessment cases for controls added or changed in NIST SP 800-53 Revision 4 or newer. Cautionary Note: The assessment cases developed for this project are not the only acceptable assessment cases; rather, the...

Resources for Implementers   NIST SP 800-53 Controls Public Comment Site     Comment on Controls & Baselines Suggest ideas for new controls and enhancements Submit comments on existing controls and baselines  Track the status of your feedback Participate in comment periods Preview changes to future SP 800-53 releases  See More: Infographic and Announcement Download the Control System Cybersecurity Tips & Tactics Infographic -->   View/Search Controls & Baselines     SP 800-53 Release Search View controls & baselines in browser Search controls & baselines...

Fundamental background papers: Empirical justification for combinatorial testing:  D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., Software Fault Interactions and Implications for Software Testing, IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421.Abstract; DOI: 10.1109/TSE.2004.24  Preprint.  Comment: Investigates interaction level required to trigger faults in a large distributed database system. IPOG algorithm used in construction of covering arrays:  Y.Lei, R. Kacker, D.R. Kuhn, V. Okun and J. Lawrence, IPOG: a General Strategy for T-way Software Testing, 14th...

Although most combinatorial testing problems have varying numbers of values per variable, in some cases all variables have the same number of values and a pre-computed array can be found.    NIST library of pre-computed covering arrays   Arrays are available for t=2 to t=5, with 2 to 6 values per variable, and for t=6 with 2 to 5 values per variable.    Large collection of covering arrays available for download  (Jose Torres-Jimenez)   Data on the smallest uniform covering array sizes  for up to 20,000 variables for t=2, and up to 10,000 for t=3 through t=6. (Note that this database...

Quick introductions to Combinatorial Testing: Practical Applications of Combinatorial Testing, East Carolina University, March 22, 2012. Combinatorial Testing and Design of Experiments, TU Berlin, June 28, 2011. Combinatorial Testing, Institute for Defense Analyses, April 6, 2011. (approx. 2 hours) Combinatorial Testing Seminar, US Army Test & Evaluation Command, Aberdeen Proving Ground, May 17, 2010. (approx. 3 hours). Combinatorial Testing, Carnegie-Mellon University Jan 26, 2010. (approx. 60 min.) Combinatorial Testing Tutorial, National Defense Industrial Association, Reston, VA,...

D.R. Kuhn, R. Kacker and Y.Lei, Random vs. Combinatorial Methods for Discrete Event Simulation of a Grid Computer Network, MODSIM World 2009, Virginia Beach, Virginia, October 14-16, 2009. In Selected Papers Presented at MODSIM World 2009 Conference and Expo, edited by T.E. Pinelli, NASA/CP-2010-216205, National Aeronautics and Space Administration, pp. 83-88. R. Kessel and R. Kacker, A Test of Linearity Using Covering Arrays for Evaluating Uncertainty in Measurement, Advanced Mathematical and Computational Tools in Metrology and Testing (AMCTM VIII), Paris, France, June 23-25, 2008, Series...

In 2012, we co-founded the International Workshop on Combinatorial Testing, focused on theory and application of CT.  Papers from previous workshops are listed below.    IWCT 2022 A C++ implementation of the IPO algorithm Ken'Ya Takemura A Combinatorial Approach to Fairness Testing of Machine Learning Models Ankita Ramjibhai Patel, Jaganmohan Chandrasekaran, Jeff Yu Lei, Raghu Kacker, Rick Kuhn A Constrained Covering Array Generator using Adaptive Penalty based Parallel Tabu Search Yan Wang, Huayao Wu, Changhai Nie, Xintao Niu, Jiaxi Xu Applying Combinatorial Testing to High-Speed...

DON'T assume that 2-way combinations (pairwise testing) will be enough. Empirical data, documented in papers on this site, show that 2-way combinations are important, but a large proportion of faults involve more than two parameters.  but DO consider the appropriate level of t-way combinations to be used.   It is reasonable to expect that 30% or more of the faults that need to be found in testing may require three factors for detection.   DON’T try to develop the input model (the parameters and test values) only from use cases.  Considering only use cases is likely to lead to missing some...

NIST includes here a list of events which may be of interest to those involved with post-quantum cryptography.  In particular, this list is intended to include events which will promote research in the main areas involved with our post-quantum cryptography standardization project.  For example, workshops devoted to the families comprising the Round 2 candidates (lattices, codes, isogenies, multivariate, etc).  It should be noted that NIST is not affiliated with or involved with the organizing of these workshops, and is providing this list as a source of information for the community.  Any...

Authority:  This work is being initiated pursuant to NIST’s responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107–347. The submission deadline of November 30, 2017 has passed.  Please see the Round 1 Submission page for a list of complete and proper submsisions. The Call for Proposals is available for historical reference.   Background In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for...

Post-quantum candidate algorithm nominations are due November 30, 2017. Call for Proposals   Submission packages must be received by NIST by November 30, 2017. Submission packages received before September 30, 2017 will be reviewed for completeness by NIST; the submitters will be notified of any deficiencies by October 31, 2017, allowing time for deficient packages to be amended by the submission deadline. No amendments to packages will be permitted after the submission deadline, except at specified times during the evaluation phase (see Section 5). Due to the specific requirements of the...

Post-quantum candidate algorithm nominations are due November 30, 2017. Call for Proposals Those submission packages that are deemed by NIST to be “complete” will be evaluated for the inclusion of a “proper” post-quantum public-key cryptosystem. To be considered as a “proper” post-quantum public-key cryptosystem (and continue further in the standardization process), the scheme shall meet the following minimum acceptability requirements: The algorithms shall be publicly disclosed and made available for public review and the evaluation process, and for standardization if selected, freely...

Post-quantum candidate algorithm nominations are due November 30, 2017. Call for Proposals NIST will form an internal selection panel composed of NIST employees to analyze the submitted algorithms; the evaluation process will be discussed in Section 5. All of NIST’s analysis results will be made publicly available. Although NIST will be performing its own analyses of the submitted algorithms, NIST strongly encourages public evaluation and publication of the results. NIST will take into account its own analysis, as well as the public comments that are received in response to the posting of...