Search CSRC

Abstract: This bulletin summarizes the information found in the white paper Security Considerations for Code Signing, which describes features and architectural relationships of typical code signing solutions that are widely deployed today. The paper also defines use cases and identifies security problems tha...

Abstract: This guide provides procedures for documenting and populating various data elements typically found within the contents of a mobile device, e.g., mobile phone, tablet, etc. The guide discusses techniques and considerations for preparing the internal memory of a mobile device for use in testing a mob...

Abstract: This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks.  The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on...

Abstract: This bulletin summarizes the information found in NIST SP 1800-6: Domain Name System-Based Electronic Mail Security, which describes a security platform for trustworthy email exchanges across organizational boundaries.

Abstract: This report defines the requirements and associated test procedures necessary for products or modules to achieve one or more Security Content Automation Protocol (SCAP) validations.  Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been acc...

Abstract: This document provides the organizational codes for federal agencies to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier. SP 800-87 is a companion document to FIPS 201.

Journal: IT Professional Abstract: This two-part series focuses on defining the problem of questionable metrics conceptually and revealing a path forward for improving both security metrics and how people use them.

Abstract: This publication describes a voluntary risk management framework (“the Framework”) that consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience...

Abstract: This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and Menezes-Qu-Vanstone (MQV) key establishment schemes.

Journal: Journal of Research of the National Institute of Standards and Technology Abstract: The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs. The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injection, cross-site scripting (XSS), buffer overflow, and use of a...

Conference: Hot Topics in the Science of Security Abstract: Combinatorial methods have attracted attention as a means of providing strong assurance at reduced cost, but when are these methods practical and cost-effective? This tutorial comprises two parts. The first introductory part will briefly explain the background, process, and tools available for combi...

Conference: Hot Topics in the Science of Security Abstract: The analysis reported in this poster developed from questions that arose in discussions of the Reducing Software Vulnerabilities working group, sponsored by the White House Office of Science and Technology Policy in 2016 [1]. The key question we sought to address is the degree to which vulnerabiliti...

Abstract: In the modern world, where complex systems and systems-of-systems are integral to the functioning of society and businesses, it is increasingly important to be able to understand and manage risks that these systems and components may present to the missions that they support. However, in the world o...

Conference: 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018) Abstract: In 2016, Yasuda et al. presented a new multivariate encryption technique based on the Square and Rainbow primitives and utilizing the plus modifier that they called SRP. The scheme achieved a smaller blow-up factor between the plaintext space and ciphertext space than most recent multivariate e...

Conference: 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018) Abstract: The HFEv- signature scheme is one of the most studied multivariate schemes and one of the major candidates for the upcoming standardization of post-quantum digital signature schemes. In this paper, we propose three new attack strategies against HFEv-, each of them using the idea of projection. Espec...

Journal: Cryptography and Communications Abstract: The multiplicative complexity of a Boolean function is the minimum number of two-input AND gates that are necessary and sufficient to implement the function over the basis (AND, XOR, NOT). Finding the multiplicative complexity of a given function is computationally intractable, even for functions wi...

Abstract: This bulletin summarizes the information found in NIST SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers, which provides technical guidelines regarding the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture.

Conference: 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE) Abstract: This article presents challenges and solutions to testing systems based on the underlying products and services commonly referred to as the Internet of ‘things’ (IoT).

Journal: Cryptography and Communications Abstract: We present techniques to obtain small circuits which also have low depth. The techniques apply to typical cryptographic functions, as these are often specified over the field G F(2), and they produce circuits containing only AND, XOR and XNOR gates. The emphasis is on the linear components...

Journal: Journal of Computer Security Abstract: The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-known...

Conference: Third ACM Workshop on Attribute-Based Access Control (ABAC'18) Abstract: We describe a method that centrally manages Attribute-Based Access Control (ABAC) policies and locally computes and enforces decisions regarding those policies for protection of resource repositories in host systems using their native Access Control List (ACL) mechanisms. The method is founded on th...

Journal: Physical Review A Abstract: When two players achieve a superclassical score at a nonlocal game, their outputs must contain intrinsic randomness. This fact has many useful implications for quantum cryptography. Recently it has been observed [C. Miller and Y. Shi, Quantum Inf. Computat. 17, 0595 (2017)] that such scores also imp...

Abstract: Managing the data generated by Internet of Things (IoT) sensors and actuators is one of the biggest challenges faced when deploying an IoT system.  Traditional cloud-based IoT systems are challenged by the large scale, heterogeneity, and high latency witnessed in some cloud ecosystems. One solu...

Abstract: Industrial control systems (ICS) comprise a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. There are a wide variety of ICS assets, such as supervisory...

Abstract: In recent years, there has been a substantial amount of research on quantum computers - machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will compromis...