Search CSRC

Abstract: This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary Specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. An individual CPE dictionary is a repository...

Abstract: This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Applicability L...

Abstract: This report defines the Common Platform Enumeration (CPE) Naming version 2.3 specification. The CPE Naming specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Naming specification defines the logical stru...

Conference: 2011 International Conference on Security & Management (SAM 2011), WORLDCOMP'11 Abstract: Quantifying security risk is an important and yet difficult task in enterprise network risk management, critical for proactive mission assurance. Even though metrics exist for individual vulnerabilities, there is currently no standard way of aggregating such metrics. We developed a quantitative mode...

Abstract: Today’s information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To more accurately assess the security of...

Journal: IT Professional Abstract: Billions of copies of apps for mobile devices have been purchased in recent years. With this growth, however, comes an increase in the spread of potentially dangerous security vulnerabilities. Because of an app's low cost and high proliferation, the threat of these vulnerabilities could be far great...

Conference: International Conference on Security and Cryptography (SECRYPT 2011) Abstract: We argue that it is time to design, implement, and deploy a trusted public randomness server on the Internet. NIST plans to deploy a prototype during 2011. We discuss some of the engineering choices that have been made as well as some of the issues currently under discussion.

Conference: World Multi-Conference on Systemics, Cybernetics and Informatics 2011 (WMSCI 2011) Abstract: With the increasing maturity of various cloud service delivery models (Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)) and deployment models (Private, Community, Public, Hybrid), the security risk profile of each cloud service configuration is coming i...

Conference: Fast Software Encryption 2011 (FSE 2011) Abstract: Analyzing desired generic properties of hash functions is an important current area in cryptography. For example, in Eurocrypt 2009, Dodis, Ristenpart and Shrimpton introduced the elegant notion of "Preimage Awareness" (PrA) of a hash function H^P , and they showed that a PrA hash function followed...

Abstract: The Access Control for SAR Systems (ACSS) project focused on developing a prototype privilege management system used to express and enforce policies for controlling access to Suspicious Activity Report (SAR) data within the law enforcement domain. This report details the work conducted for the ACSS...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-147, BIOS Protection Guidelines: Recommendations of the National Institute of Standards and Technology. The publication was written by David Cooper, William Polk, Andrew Regenscheid, and Murugiah Souppaya of NIST...

Abstract: The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology standards and other conformity assessment efforts through active technical participation in the development of these standards and the associated conformance test architectures and test s...

Abstract: This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of information about assets and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout...

Abstract: New techniques for reducing the depth of circuits for cryptographic applications are described and applied to the AES S-box. These techniques also keep the number of gates quite small. The result, when applied to the AES S-box, is a circuit with depth 16 and only 128 gates. For the inverse, it is al...

Abstract: Asset identification plays an important role in an organization?s ability to quickly correlate different sets of information about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the assets. This speci...

Conference: 36th International Symposium on Symbolic and Algebraic Computation (ISSAC '11) Abstract: In this paper we find division polynomials for Jacobi quartics. These curves are an alternate model for elliptic curves to the more common Weierstrass equation. Division polynomials for Weierstrass curves are well known, and the division polynomials we find are analogues for Jacobi quartics. Using t...

Abstract: This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2010. It discusses all projects and programs within the Division, staff highlights, and publications.

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-70 Rev. 2, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers: Recommendations of the National Institute of Standards and Technology. The publication was written by Stephen D...

Journal: Journal of AHIMA Abstract: Healthcare and health information technology professionals are entrusted with patient data which, because of its personal nature, requires protection to ensure its confidentiality. To provide this protection, these professionals frequently look to commonly accepted technologies and methodologies to...

Abstract: This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position wit...

Abstract: This bulletin summarizes the information presented in NIST SP 800-125, Guide To Security for Full Virtualization Technologies: Recommendations of the National Institute of Standards and Technology, which was written by Karen Scarfone of G2, Inc., Murugiah Souppaya of NIST, and Paul Hoffman of the VP...

Journal: Electronic Journal of Combinatorics Abstract: Two-valued covering arrays of strength t are 0--1 matrices having the property that for each t columns and each of the possible 2t sequences of t 0's and 1's, there exists a row having that sequence in that set of t columns. Covering arrays are an important tool in certain applications, for example,...

Abstract: This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a standardized basis for expressing questionnaires and related information, such as answers to questions and final questionnaire results, so that the questionnaires can use a standardi...

Journal: Journal of Information System Security Abstract: More than 100 years ago, Lord Kelvin observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. T...

Journal: Journal of Systems Architecture Abstract: The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability for existing access control mechanisms to generically enforce policy persists. While researchers, practi...