Journal: IT Professional Abstract: We analyzed data from the National Vulnerability Database (NVD). Designed and operated by the National Institute of Standards and Technology (NIST) with support from the Department of Homeland Security, the NVD provides fine-grained search capabilities of all publicly reported software vulnerabiliti...
Journal: International Journal of Next Generation Computing Abstract: Today’s computer systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of a network cannot be determined by simply counting the number of vulnerabilities. To accurately assess the security of networked systems, o...
Abstract: Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the composition of new services and dynamically invoking existing services. These compositions create service inter-dependencies that can be misused for monetary or other gains. When a...
Abstract: This bulletin is written to assist federal departments and agencies to meet their information security training responsibilities. Determining who has significant responsibilities for information security is the crucial first step that allows an organization to focus its information security trainin...
Conference: 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2010) Abstract: Authentication assurance level taxonomies that have been specified in many real-world smart identity token deployments do not fully reflect all the security properties associated with their underlying authentication mechanisms. In this paper we describe the development and application of a new metho...
Abstract: NIST Special Publication 800-73-3 introduces the ability to store retired Key Management Keys within the Personal Identity Verification (PIV) Card Application on a PIV Card. This paper complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key...
Journal: Crossroads Abstract: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. However, the security readiness of cloud computing is commonl...
Journal: Computer (IEEE Computer) Abstract: Role based access control (RBAC) is a popular model for information security. It helps reduce the complexity of security administration and supports the review of permissions assigned to users, a feature critical to organizations that must determine their risk exposure from employee IT system access...
Conference: 9th International Symposium on Experimental Algorithms (SEA 2010) Abstract: A new technique for combinational logic optimization is described. The technique is a two-step process. In the first step, the non-linearity of a circuit – as measured by the number of non-linear gates it contains – is reduced. The second step reduces the number of gates in the linear components of...
Abstract: This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs of such generators may be used in many cryptographic applications, such as the generation of key material. Generators suitable for use in cryptographic applications may need to meet stro...
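As an added illustration of what "testing" a generator means in practice (this is example code written for this page, not NIST's own test suite), the block below implements two of the statistical tests from NIST SP 800-22, the frequency (monobit) test and the runs test, and runs them over three constructed candidate streams: a stuck generator that emits only zeros, a perfectly periodic generator that emits 10101010..., and a deterministic SHA-256-over-counter stream that stands in for a PRNG. The generators, the seed and the 1000-byte sample size are assumptions chosen for the demonstration.

```python
"""Added example: SP 800-22 frequency (monobit) and runs tests over candidate RNG output."""
import hashlib
import math
import os

ALPHA = 0.01   # SP 800-22 default significance level; p < ALPHA flags the sequence as non-random


def bytes_to_bits(data: bytes) -> list:
    """Unpack bytes into a list of 0/1 ints, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def frequency_monobit_p(bits) -> float:
    """Frequency (monobit) test: are ones and zeros balanced?  Returns the p-value."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)            # +1 for each one, -1 for each zero
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p(bits) -> float:
    """Runs test: does the sequence switch between 0 and 1 too often or too rarely?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):         # frequency prerequisite not met: test not applicable
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])   # number of runs
    numerator = abs(v_obs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def evaluate(data: bytes) -> dict:
    """Run both tests over a byte string and report p-values plus a pass/fail verdict."""
    bits = bytes_to_bits(data)
    p_freq = frequency_monobit_p(bits)
    p_runs = runs_p(bits)
    return {"monobit_p": p_freq, "runs_p": p_runs, "passes": p_freq >= ALPHA and p_runs >= ALPHA}


# Constructed candidate generators, 1000 bytes (8000 bits) each.
def stuck_generator() -> bytes:
    return bytes(1000)                            # a "generator" whose output is all zeros


def alternating_generator() -> bytes:
    return bytes([0xAA]) * 1000                   # 10101010...: balanced, but perfectly periodic


def hash_chain_generator(seed: bytes = b"demo-seed") -> bytes:
    """Deterministic stand-in for a PRNG: SHA-256 over a counter.  Not an approved DRBG."""
    out = bytearray()
    for counter in range(1000 // 32 + 1):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:1000])


if __name__ == "__main__":
    candidates = {
        "stuck (all zeros)": stuck_generator(),
        "alternating 0xAA": alternating_generator(),
        "sha256 counter chain": hash_chain_generator(),
        "os.urandom": os.urandom(1000),
    }
    for name, sample in candidates.items():
        result = evaluate(sample)
        print(f"{name:22s} monobit p={result['monobit_p']:.4f} "
              f"runs p={result['runs_p']:.4f} passes={result['passes']}")
```

The alternating stream is the instructive case: it passes the monobit test with p = 1.0 because ones and zeros are exactly balanced, and only the runs test exposes its structure. The hash-chain stream passes both, which is the caveat the abstract points at: statistical tests can reject a generator, but passing them says nothing about unpredictability or seeding, so they are a necessary screen, not a certification. SP 800-22 also evaluates many sequences and checks the proportion passing and the distribution of p-values rather than relying on one sample at one significance level.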
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Written by Erika McCallister, Tim Grance, and Karen Scarfone of NIST, the publication assists Federal agencies in carryin...
Conference: 9th Symposium on Identity and Trust on the Internet (IDtrust '10) Abstract: This paper describes and contrasts two families of schemes that enable a user to purchase digital content without revealing to anyone what item he has purchased. One of the basic schemes is based on anonymous cash, and the other on blind decryption. In addition to the basic schemes, we present and c...
Abstract: The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its rela...
Journal: Journal of AHIMA Abstract: This publication discusses, at a high level, the ubiquitous threats facing email systems today and impresses the need to secure these systems. This article will provide high level tips and techniques for securing email systems and point to resources that an organization can use to further this cause...
Journal: International Journal of Information Security Abstract: We analyse the security of iterated hash functions that compute an input dependent checksum which is processed as part of the hash computation. We show that a large class of such schemes, including those using non-linear or even one-way checksum functions, is not secure against the second preimage...
Abstract: This document is based on the discussions and conclusions of the Privilege (Access) Management Workshop held on 1-3 September, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST), sponsored by NIST and the National Security Agency (NSA). This do...
Journal: IT Professional Abstract: In today's digital economy, data enters and leaves cyberspace at record rates. A typical enterprise sends and receives millions of email messages and downloads, saves, and transfers thousands of files via various channels on a daily basis. Enterprises also hold sensitive data that customers, busines...
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Developed by NIST in partnership with the Joint Task Force Transformation Initiativ...
Abstract: This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2009. It discusses all projects and programs within the Division, staff highlights, and publications.
Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-57, Recommendation for Key Management, Part 3, Application Specific Key Management Guidance. The publication supplements Parts 1 and 2 of SP 800-57, by providing guidance on the management of keys and the selecti...
Abstract: SIMfill is a proof-of-concept, open-source application developed by NIST to populate identity modules with test data, as a way to assess the recovery capability of mobile forensic tools. An initial set of test data is also provided with SIMfill as a baseline for creating other test cases. This repo...
In: Towards Trustworthy Elections: New Directions in Electronic Voting (2010) Abstract: In this paper, we develop methods for constructing vote-buying/coercion attacks on end-to-end voting systems, and describe vote-buying/coercion attacks on three proposed end-to-end voting systems: Punchscan, Pret-a-voter, and ThreeBallot. We also demonstrate a different attack on Punchscan, which co...
Abstract: This bulletin summarizes the information that was presented in NIST Interagency Report (NISTIR) 7564, Directions in Security Metrics Research, by Wayne Jansen. The publication examines past efforts to develop security measurements that could help organizations make informed decisions about the design...
Abstract: This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on storage devices. The mode does not provide authentication of the data or its source.
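The last sentence is the one a practitioner should act on. The block below is an added example (not part of the NIST publication or IEEE Std 1619) showing what "no authentication" means for a disk sector: a single flipped ciphertext bit, or a sector copied to a different location, decrypts without any error, and only the affected 16-byte block (or the whole relocated sector) comes back garbled. It also shows the check XTS itself lacks, an HMAC-SHA256 tag over the sector number and ciphertext, which is this example's choice of integrity mechanism and not something the approval specifies. It assumes the `cryptography` package; the keys, sector size and sector contents are constructed for the demonstration.

```python
"""Added example: XTS-AES protects confidentiality of a sector but not its integrity."""
import hashlib
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512                    # bytes; a multiple of the 16-byte AES block

# A 32-byte XTS key is two independent AES-128 keys (data key and tweak key).
# Constructed, predictable test keys: never use values like these outside a demo.
XTS_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))       # separate key for the integrity tag added below


def _tweak(sector_index: int) -> bytes:
    """IEEE 1619 encodes the 128-bit tweak (the sector number) little-endian."""
    return sector_index.to_bytes(16, "little")


def xts_encrypt(key: bytes, sector_index: int, plaintext: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_index))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xts_decrypt(key: bytes, sector_index: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_index))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def sector_tag(mac_key: bytes, sector_index: int, ciphertext: bytes) -> bytes:
    """Integrity is not part of XTS; bind the ciphertext to its sector with an HMAC."""
    return hmac.new(mac_key, _tweak(sector_index) + ciphertext, hashlib.sha256).digest()


def tag_is_valid(mac_key: bytes, sector_index: int, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sector_tag(mac_key, sector_index, ciphertext), tag)


def flip_bit(data: bytes, byte_offset: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_offset] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    sector = 7
    plaintext = bytes([0x41]) * SECTOR_SIZE          # constructed sector content
    ciphertext = xts_encrypt(XTS_KEY, sector, plaintext)
    tag = sector_tag(MAC_KEY, sector, ciphertext)

    # An attacker with raw write access flips one bit inside block 6 (bytes 96..111).
    tampered = flip_bit(ciphertext, 100, 0)
    recovered = xts_decrypt(XTS_KEY, sector, tampered)   # returns normally: XTS cannot tell

    # The same attacker copies sector 7's ciphertext over sector 8 (tweak mismatch).
    relocated = xts_decrypt(XTS_KEY, sector + 1, ciphertext)

    return {
        "roundtrip_ok": xts_decrypt(XTS_KEY, sector, ciphertext) == plaintext,
        "tampered_decrypts_silently": len(recovered) == SECTOR_SIZE,
        "block6_garbled": recovered[96:112] != plaintext[96:112],
        "other_blocks_intact": recovered[:96] == plaintext[:96]
        and recovered[112:] == plaintext[112:],
        "relocated_garbled": relocated != plaintext,
        "tag_rejects_tamper": not tag_is_valid(MAC_KEY, sector, tampered, tag),
        "tag_rejects_relocation": not tag_is_valid(MAC_KEY, sector + 1, ciphertext, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The localisation of damage to one block is exactly the property that makes XTS attractive for random-access storage, and exactly why it must not be mistaken for tamper detection: an attacker who knows which block holds a flag or a permission bit can corrupt just that block and nothing else will look wrong. The tag is computed over the ciphertext and the sector number so that relocation is caught as well as modification; it needs its own storage, which is the trade-off that full-disk encryption products usually decline to make and that an integrity-protected volume format or an AEAD mode accepts.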
Abstract: On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland, campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through video conferencing, and an additional 36 participating via audio telecon...