Search CSRC

Abstract: This report describes the association between the use of Software Identification (SWID) Tags and the Common Platform Enumeration (CPE) specifications. The publication is intended as a supplement to NIST Internal Report 8060, Guidelines for the Creation of Interoperable Software Identification (SWID)...

Abstract: This bulletin summarizes the information presented in NIST Special Publication 800-167, "Guide to Application Whitelisting," written by Adam Sedgewick, Murugiah Souppaya and Karen Scarfone. The publication is intended to assist organizations in understanding the basics of application whitelisting....

Abstract: The National Institute of Standards and Technology (NIST) is developing a cybersecurity performance testbed for industrial control systems. The goal of the testbed is to measure the performance of industrial control systems (ICS) when instrumented with cybersecurity controls in accordance with the b...

Abstract: This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the p...

Abstract: In the past, medical devices were stand-alone instruments that interacted only with the patient. Today, medical devices have operating systems and communication hardware that allow them to connect to networks and other devices. While this technology has created more powerful tools and improved healt...

Abstract: This bulletin summarizes the information presented in NIST SP 800-82, Rev 2: Guide to Industrial Control Systems (ICS) Security written by Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams and Adam Hahn. The publication provides guidance on how to secure Industrial Control Syste...

Conference: Tenth International Conference on Software Engineering Advances (ICSEA 2015) Abstract: An attack graph is a data structure representing how an attacker can chain together multiple attacks to expand their influence within a network (often in an attempt to reach some set of goal states). Restricting attack graph size is vital for the execution of high degree polynomial analysis algorith...

Journal: Computer (IEEE Computer) Abstract: Continuous Authentication has been around but has been met with several limitations. Recent development of mobile platforms are providing relief for many of these limitations as they take advantage of multiple sensors and sufficient processing power for the user and system monitoring.

Journal: Rocky Mountain Journal of Mathematics Abstract: In this work, we present a modification of a well-established measure of dependence appropriate for the analysis of stopping times for adversarial processes on cryptographic primitives. We apply this measure to construct generic criteria for the ideal behavior of fixed functions in both the random o...

Abstract: This Profile for U. S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design, implementation, procurement, installation, configuration, management, operation, and use by U. S. Federal organizations. The Profile is based on SP 800-130, "A Framework for Designing...

Abstract: An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host. This helps to stop the execution of malware, unlicensed...

Abstract: Multiplicative complexity is a complexity measure, which is defined as the minimum number of AND gates required to implement a given primitive by a circuit over the basis (AND, XOR, NOT), with an unlimited number of NOT and XOR gates. Implementations of ciphers with a small number of AND gates are p...

Abstract: The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to enforce a comprehensive range of policy persists. While resear...

Abstract: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. De-identification thus attempt...

Abstract: This bulletin summarizes the information presented in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The publication the protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and...

Abstract: Users and hosts must be able to access other hosts in an interactive or automated fashion, often with very high privileges, for a variety of reasons, including file transfers, disaster recovery, privileged access management, software and patch management, and dynamic cloud provisioning. This is ofte...

Conference: 22nd ACM Conference on Computer and Communications Security (CCS '15) Abstract: Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers...

Conference: 2015 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig '15) Abstract: Cyber attacks inevitably generate impacts towards relevant missions. However, concrete methods to accurately evaluate such impacts are rare. In this paper, we propose a probabilistic approach based on Bayesian networks for quantitative mission impact assessment. A System Object Dependency Graph (SOD...

Journal: Journal of Cryptology Abstract: We introduce a new cryptographic primitive called a blind coupon mechanism (BCM). In effect, a BCM is an authenticated bit commitment scheme, which is AND-homomorphic. We show that a BCM has natural and important applications. In particular, we use it to construct a mechanism for transmitting alerts...

Abstract: This bulletin summarizes the information presented in FIPS 202. The publication specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data. Each of the SHA-3 functions is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic Ha...

Abstract: We consider the multiplicative complexity of Boolean functions with multiple bits of output, studying how large a multiplicative complexity is necessary and sufficient to provide a desired nonlinearity. For so-called $\Sigma\Pi\Sigma$ circuits, we show that there is a tight connection between error...

Abstract: Software asset management (SAM) is a key part of continuous monitoring. The approach described here is intended to support the automation of security functions such as risk-based decision making, collection of software inventory data, and inventory-based network access control. SAM, as envisioned in...

Conference: 17th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2015) Abstract: Random numbers are essential for cryptography. In most real-world systems, these values come from a cryptographic pseudorandom number generator (PRNG), which in turn is seeded by an entropy source. The security of the entire cryptographic system then relies on the accuracy of the claimed amount of e...

Journal: Mathematics of Computation Abstract: Isogenies are the morphisms between elliptic curves and are, accordingly, a topic of interest in the subject. As such, they have been well studied, and have been used in several cryptographic applications. Velu's formulas show how to explicitly evaluate an isogeny, given a specification of the kerne...

Abstract: Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The prim...