Search CSRC

Abstract: This document provides the organizational codes for federal agencies to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier. SP 800-87 is a companion document to FIPS 201.

Journal: IT Professional Abstract: This two-part series focuses on defining the problem of questionable metrics conceptually and revealing a path forward for improving both security metrics and how people use them.

Abstract: This publication describes a voluntary risk management framework (“the Framework”) that consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience...

Abstract: This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and Menezes-Qu-Vanstone (MQV) key establishment schemes.

Journal: Journal of Research of the National Institute of Standards and Technology Abstract: The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs. The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injection, cross-site scripting (XSS), buffer overflow, and use of a...

Conference: Hot Topics in the Science of Security Abstract: Combinatorial methods have attracted attention as a means of providing strong assurance at reduced cost, but when are these methods practical and cost-effective? This tutorial comprises two parts. The first introductory part will briefly explain the background, process, and tools available for combi...

Conference: Hot Topics in the Science of Security Abstract: The analysis reported in this poster developed from questions that arose in discussions of the Reducing Software Vulnerabilities working group, sponsored by the White House Office of Science and Technology Policy in 2016 [1]. The key question we sought to address is the degree to which vulnerabiliti...

Abstract: In the modern world, where complex systems and systems-of-systems are integral to the functioning of society and businesses, it is increasingly important to be able to understand and manage risks that these systems and components may present to the missions that they support. However, in the world o...

Conference: 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018) Abstract: In 2016, Yasuda et al. presented a new multivariate encryption technique based on the Square and Rainbow primitives and utilizing the plus modifier that they called SRP. The scheme achieved a smaller blow-up factor between the plaintext space and ciphertext space than most recent multivariate e...

Conference: 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018) Abstract: The HFEv- signature scheme is one of the most studied multivariate schemes and one of the major candidates for the upcoming standardization of post-quantum digital signature schemes. In this paper, we propose three new attack strategies against HFEv-, each of them using the idea of projection. Espec...

Journal: Cryptography and Communications Abstract: The multiplicative complexity of a Boolean function is the minimum number of two-input AND gates that are necessary and sufficient to implement the function over the basis (AND, XOR, NOT). Finding the multiplicative complexity of a given function is computationally intractable, even for functions wi...

Abstract: This bulletin summarizes the information found in NIST SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers, which provides technical guidelines regarding the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture.

Conference: 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE) Abstract: This article presents challenges and solutions to testing systems based on the underlying products and services commonly referred to as the Internet of ‘things’ (IoT).

Journal: Cryptography and Communications Abstract: We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field G F(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components...

Journal: Journal of Computer Security Abstract: The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-known...

Abstract: With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to t...

Conference: Third ACM Workshop on Attribute-Based Access Control (ABAC'18) Abstract: We describe a method that centrally manages Attribute-Based Access Control (ABAC) policies and locally computes and enforces decisions regarding those policies for protection of resource repositories in host systems using their native Access Control List (ACL) mechanisms. The method is founded on th...

Journal: Physical Review A Abstract: When two players achieve a superclassical score at a nonlocal game, their outputs must contain intrinsic randomness. This fact has many useful implications for quantum cryptography. Recently it has been observed [C. Miller and Y. Shi, Quantum Inf. Computat. 17, 0595 (2017)] that such scores also imp...

Abstract: Managing the data generated by Internet of Things (IoT) sensors and actuators is one of the biggest challenges faced when deploying an IoT system.  Traditional cloud-based IoT systems are challenged by the large scale, heterogeneity, and high latency witnessed in some cloud ecosystems. One solu...

Abstract: Industrial control systems (ICS) comprise a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. There are a wide variety of ICS assets, such as supervisory...

Abstract: In recent years, there has been a substantial amount of research on quantum computers - machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromis...

Journal: Online Journal of Nursing Informatics Abstract: The Internet of Things (IoT) promises to create many opportunities for enhancing human lives, particularly, in healthcare. In this paper we illustrate how an IoT enabled tracking system can help in a special kind of healthcare setting, that is, in the case of a disaster. We briefly describe the disa...

Conference: Workshop on Usable Security (USEC) 2018 Abstract: Extensive research has been performed to examine the effectiveness of phishing defenses, but much of this research was performed in laboratory settings. In contrast, this work presents 4.5 years of workplace-situated, embedded phishing email training exercise data, focusing on the last three phishin...

Abstract: A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. Usi...

Journal: IT Professional Abstract: Six senior computer science educators answer questions about the current state of computer science education, software engineering, and licensing software engineers.