Conference: IEEE International Workshop on Information Forensics and Security 2012 (WIFS 2012) Abstract: Attack graphs compute potential attack paths from a system configuration and known vulnerabilities of a system. Evidence graphs model intrusion evidence and dependencies among them for forensic analysis. In this paper, we show how to map evidence graphs to attack graphs. This mapping is useful for a...
Conference: Fifth International Workshop on Digital Forensics (WSDF 2012) Abstract: Attack graphs are used to compute potential attack paths from a system configuration and known vulnerabilities of a system. Attack graphs can be used to eliminate known vulnerability sequences that can be eliminated to make attacks difficult and help forensic examiners in identifying many potential attac...
Journal: Cryptologia Abstract: This paper describes the changes between FIPS 180-3 and FIPS 180-4. FIPS 180-4 specifies two new secure cryptographic hash algorithms: SHA-512/224 and SHA-512/256; it also includes a method for determining initial value(s) for any future SHA-512-based hash algorithm(s). FIPS 180-4 also removes a req...
Abstract: A workshop was held on September 10-11, 2012 to discuss two documents that have been posted for public comment: SP 800-130 (A Framework for Designing Cryptographic Key Management Systems) and a table of proposed requirements for SP 800-152 (A Profile for U. S. Federal Cryptographic Key Management Sy...
Journal: International Journal of Biometrics Abstract: The paper discusses the current status of biometric standards development activities, with a focus on international standards developments. Published standards, as well as standards under development or planned for the near future, are addressed. The work of Joint Technical Committee 1 of ISO and IE...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. The publication helps federal government organizations generate the cryptographic keys that are to be used with approved cryptographic algorithms to protect i...
Journal: The Next Wave - The National Security Agency's Review of Emerging Technologies Abstract: This article provides an overview of the establishment of the National Initiative for Cybersecurity Education (NICE), its government structure, and its goals. Parallels are drawn between the strategic R&D thrust, Developing Scientific Foundations, described in "Trustworthy Cyberspace: Strategic Plan...
Journal: The Next Wave - The National Security Agency's Review of Emerging Technologies Abstract: In December 2011, the White House Office of Science and Technology Policy (OSTP) released the Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, a framework for a set of coordinated Federal strategic priorities and objectives for cybersecurity rese...
Abstract: This publication describes cryptographic methods that are approved for “key wrapping,” i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two new, deterministic authenticated-encryption modes of oper...
Conference: 2012 Annual Computer Security Applications Conference (ACSAC 2012) Abstract: This paper presents an ontology for modeling enterprise-level security risk using RDF (Resource Description Framework) and OWL (Web Ontology Language). Knowledge of threats and corresponding countermeasures is integrated into this ontology framework. This ontology was applied to a test network for image management applic...
Journal: IT Professional Abstract: This article summarizes the information that was presented in the February 2012 Information Technology Laboratory (ITL) bulletin, Guidelines for Securing Wireless Local Area Networks (WLANs). The bulletin, which was noted by WERB in February 2012, was based on NIST Special Publication (SP) 800-153,...
Abstract: The Supply Chain Management Center of the R.H. Smith School of Business, University of Maryland, has completed a third phase of research for NIST ITL that builds upon its prior activities, and has developed an Enterprise ICT SCRM Assessment Package as a proof of concept. This Package is delivered through an...
Abstract: A large number of Identity Management Systems (IDMSs) are being deployed worldwide that use different technologies for the population of their users. With the diverse set of technologies, and the unique business requirements for organizations to federate, there is no uniform approach to the federati...
Abstract: This bulletin summarizes the information that is included in NISTIR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. This publication provides federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance m...
Abstract: The Federal Cloud Strategy, February 8, 2010, outlines a federal cloud computing program that identifies program objectives aimed at accelerating the adoption of cloud computing across the federal government. NIST, along with other agencies, was tasked with a key role and specific activities in supp...
Abstract: The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms specified in the Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS)....
Journal: International Journal of Number Theory Abstract: We show that a character sum attached to a family of 3-isogenies defined on the fibers of a certain elliptic surface over F_p relates to the class number of the quadratic imaginary number field Q(\sqrt{p}). In this sense, this provides a higher-dimensional analog of some recent class number formula...
Abstract: The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in...
Abstract: Combinatorial testing applies factor covering arrays to test all t-way combinations of input or configuration state space. In some testing situations, it is not practical to use covering arrays, but any set of tests covers at least some portion of t-way combinations up to t ≤ n...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-30 Rev.1, Guide to Conducting Risk Assessments. This publication was developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, N...
Conference: 2012 17th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2012) Abstract: Combinatorial testing has been shown to be a very effective testing strategy. Most work on combinatorial testing focuses on t-way test data generation, where each test is an unordered set of parameter values. In this paper, we study the problem of t-way test sequence generation, where each test is a...
Abstract: This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk to federal information systems. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance metho...
Conference: 2012 IEEE 31st Symposium on Reliable Distributed Systems (SRDS) Abstract: A network security metric is desirable in evaluating the effectiveness of security solutions in distributed systems. Aggregating CVSS scores of individual vulnerabilities provides a practical approach to network security metric. However, existing approaches to aggregating CVSS scores usually cause u...
Abstract: This bulletin summarizes the information that is included in NIST Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effe...
Abstract: The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an...