Search CSRC

Journal: Computer (IEEE Computer) Abstract: Metamorphic testing (MT) can enhance security testing by providing an alternative to using a test oracle, which is often unavailable or impractical. The authors report how MT detected previously unknown bugs in real-world critical applications such as code obfuscators, giving evidence that software...

Journal: Computer (IEEE Computer) Abstract: Industrial Internet of Things (IoT) is a distributed network of smart sensors that enables precise control and monitoring of complex processes over arbitrary distances. The concept of Internet of Things ... is that every object in the Internet infrastructure is interconnected into a global dynamic e...

Abstract: NIST Special Publication (SP) 800-157 contains technical guidelines for the implementation of standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials that are issued for mobile devices by federal departments and agencies to individuals who possess...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-125B, "Secure Virtual Network Configuration for Virtual Machine (VM) Protection." That publication provides an analysis of various virtual network configuration options for protection of VMs and to present recomm...

Abstract: The Association of Public-Safety Communications (APCO), in cooperation with FirstNet and the Department of Commerce held a half-day workshop on June 2nd 2015 titled “Identifying and Categorizing Data Types for Public Safety Mobile Applications.” The goal of this workshop was to begin identifying dif...

Journal: Computer (IEEE Computer) Abstract: We asked 7 experts 1 simple question to find out what has occurred recently in terms of applying formal methods (FM) to security-centric, cyber problems: Please summarize in a paragraph the state of the research and practitioner communities in formal method as you see it. Please include standards, c...

Abstract: This document provides a common XML-based data representation of a chain-of-trust record to facilitate the exchange of Personal Identity Verification (PIV) Card enrollment data. The exchanged record is the basis to personalize a PIV Card for a transferred employee and also for service providers to p...

Journal: Cryptography and Communication Abstract: A necessary condition for the security of cryptographic functions is to be “sufficiently distant” from linear, and cryptographers have proposed several measures for this distance. In this paper, we show that six common measures, nonlinearity, algebraic degree, annihilator immunity, algebraic thickne...

Abstract: This bulletin focuses on NIST's combinatorial testing work. Combinatorial testing is a proven method for more effective software testing at lower cost. The key insight underlying combinatorial testing's effectiveness resulted from a series of studies by NIST from 1999 to 2004. NIST research showed...

Abstract: This is a brief introduction on how to run the Python command-line programs (hosted on GitHub at https://github.com/usnistgov/SP800-90B_EntropyAssessment) that implement the statistical entropy estimation methods found in Section 6 of the Second Draft NIST SP 800-90B (January 2016). It is not a desc...

Conference: 31st IFIP TC 11 International Conference (SEC 2016) Abstract: Multicast authentication of synchrophasor data is challenging due to the design requirements of Smart Grid monitoring systems such as low security overhead, tolerance of lossy networks, time-criticality and high data rates. In this work, we propose inf-TESLA, Infinite Timed Efficient Stream Loss-tol...

Conference: High Confidence Software and Systems Conference Abstract: We present a combinatorial coverage measurement analysis for (subsets) of the TLS cipher suite registries by analyzing the specified ciphers of IANA, ENISA, BSI, Mozilla and NSA Suite B. The method introduced here may contribute towards the design of quality measures of cipher suites, and may also b...

Abstract: Threats of destructive malware, malicious insider activity, and even honest mistakes create the imperative for organizations to be able to quickly recover from an event that alters or destroys any form of data (database records, system files, configurations, user files, application code, etc.). Orga...

Abstract: As a result of payment card industry standards and a strong understanding of the value of valid credit card information in the black market, the retail industry has already invested in security mechanisms to protect credit card data, also referred to as cardholder data. However, this cardholder data...

Abstract: In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able t...

Abstract: Password entry on mobile devices significantly impacts both usability and security, but there is a lack of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usabili...

Abstract: This report provides an overview of the capabilities and usage of software identification (SWID) tags as part of a comprehensive software lifecycle. As instantiated in the International Organization for Standardization/International Electrotechnical Commission 19770-2 standard, SWID tags support num...

Abstract: The Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requires that federal agencies use Personal Identity Verification (PIV) credentials for authenticating privileged users. This will greatly reduce unauthorized access...

Journal: Journal of Mathematical Cryptology Abstract: A hash function secure in the indifferentiability framework (TCC 2004) is able to resist allmeaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multi-collision type attacks o...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-38G, "Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption." The publication specifies two methods for format-preserving encryption, FF1 and FF3.

Abstract: This Recommendation specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in NIST Special Publication...

Abstract: NIST Special Publication (SP) 800-73 contains the technical specifications to interface with the smart card to retrieve and use the Personal Identity Verification (PIV) identity credentials. This document, SP 800-85A, contains the test assertions and test procedures for testing smart card middleware...

Conference: Fifth International Workshop on Combinatorial Testing (IWCT 2016) Abstract: Access control typically requires translating policies or rules given in natural language into a form such as a programming language or decision table, which can be processed by an access control system. Once rules have been described in machine-processable form, testing is necessary to ensure that...

Conference: 11th Annual Cyber and Information Security Research Conference (CISRC '16) Abstract: Industrial control systems (ICS) are composed of sensors, actuators, control processing units, and communication devices all interconnected to provide monitoring and control capabilities. Due to the integral role of the networking infrastructure, such systems are vulnerable to cyber attacks. Indepth...

Journal: IEEE Cloud Computing Magazine Abstract: Organizations often struggle to capture the necessary functional capabilities for each cloud-based solution adopted for their information systems. Identifying, defining, selecting, and prioritizing these functional capabilities and the security components that implement and enforce them is surprisin...