Search CSRC

Journal: Journal of Research of the National Institute of Standards and Technology Abstract: Covering arrays are structures for well-representing extremely large input spaces and are used to efficiently implement blackbox testing for software and hardware. This paper proposes refinements over the In-Parameter-Order strategy (for arbitrary $t$). When constructing homogeneous-alphabet coverin...

Conference: 33rd International Symposium, MFCS 2008 Abstract: We study the complexity of the Shortest Linear Program (SLP) problem, which is to the number of linear operations necessary to compute a set of linear forms. SLP is shown to be NP-hard. Furthermore, a special case of the corresponding decision problem is shown to be Max SNP-Complete. Algorithms prod...

Abstract: Phone managers are non-forensic software tools designed to carry out a range of tasks for the user, such as reading and updating the contents of a phone, using one or more of the communications protocols supported by the phone. Phone managers are sometimes used by forensic investigators to recover d...

Conference: Third Workshop on Security Metrics (Metricon 3.0) Abstract: One of the holy grail questions in computer security is how secure are my organization systems? This paper describes our new approach to answering this question. This approach is distinguished from previous efforts in three ways: 1) uses evidence-based security decision-making, 2) produces good enou...

Abstract: Title III of the E-Government Act, titled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST to develop (1) standards to be used by all Federal agencies to categorize information and information systems collected or maintained by or on behalf of each agency based on the obj...

Abstract: Title III of the E-Government Act, titled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST to develop (1) standards to be used by all Federal agencies to categorize information and information systems collected or maintained by or on behalf of each agency based on the obj...

Abstract: The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The document discusses the need to secure servers and provid...

Conference: 2008 International Conference on Security and Management (SAM 2008) Abstract: Phone managers are non-forensic tools sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool is available for the device. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. Applying a forensic fil...

Abstract: Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and SSL VPN device is encrypted with...

Conference: 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security Abstract: Web services-based computing is currently an important driver for the software industry. While several standards bodies (such as W3C and OASIS) are laying the foundation for Web services security, several research problems must be solved to make secure Web services a reality. This talk will present...

Conference: 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security Abstract: In today's networked environments, protecting critical resources usually requires us to understand and measure the likelihood of multi-step attacks that combine different vulnerabilities for reaching the attack goal.  Such a measurement is now feasible due to a qualitative model of causal relationsh...

Abstract: This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate...

Abstract: This Standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in combination with a shared secret key.

Abstract: Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and SSL VPN device is encrypted with...

Conference: 1st International Conference on Information Technology, 2008 (IT 2008) Abstract: This paper proposes a framework for measuring the vulnerability of individual hosts based on current and historical operational data for vulnerabilities and attacks. Previous approaches have not been scalable because they relied on complex manually constructed models, and most approaches have examin...

Conference: 13th ACM Symposium on Access Control Models and Technologies (SACMAT '08) Abstract: Security policy enforcement is instrumental in preventing the unauthorized disclosure of sensitive data, protecting the integrity of vital data, mitigating the likelihood of fraud, and ultimately enabling the secure sharing of information. In accessing a given resource, policy may dictate, for examp...

Conference: IEEE Workshop on Policies for Distributed Systems and Networks (IEEE Policy 2008) Abstract: Deployment of Smart Cards for Identity Verification requires collection of credentials and provisioning of credentials from and to heterogeneous and sometimes legacy systems. To facilitate this process, a centralized identity store called Identity Management System (IDMS) is often used. To protect t...

Journal: Crosstalk (Hill AFB): the Journal of Defense Software Engineering Abstract: Pairwise testing has become a popular approach to software quality assurance because it often provides effective error detection at low cost. However, pairwise (2-way) coverage is not sufficient for assurance of mission-critical software. Combinatorial testing beyond pairwise is rarely used because...

Journal: IT Professional Abstract: With new algorithms and tools, developers can apply high-strength combinatorial testing to detect elusive failures that occur only when multiple components interact. In pairwise testing, all possible pairs of parameter values are covered by at least one test, and good tools are available to generate...

Journal: IEEE Security & Privacy Abstract: Recognizing that the 32-bit addresses used by the current version of the Internet Protocol (IPv4) would soon be depleted, the Internet Engineering Task Force (IETF) has been developing its successor, Internet Protocol version 6 (IPv6). This has been a more complex undertaking than simply changing im...

Abstract: This bulletin summarizes the information that was disseminated by the National Institute of Standards and Technology (NIST) in a November 2007 Federal Register Notice. NIST is soliciting candidates for a new and robust cryptographic hash algorithm for use by Federal government agencies in protecting...

Journal: IEEE Security & Privacy Abstract: Since the discovery of collision attacks against several well-known cryptographic hash functions in 2004, a rush of new cryptanalytic results cast doubt on the current hash function standards. The relatively new NIST SHA-2 standards aren't yet immediately threatened, but their long-term viability is...

Journal: Theoretical Computer Science Abstract: The multiplicative complexity of a Boolean function f is defined as the minimum number of binary conjunction (AND) gates required to construct a circuit representing f, when only exclusive-or, conjunction and negation gates may be used. This article explores in detail the multiplicative complexity o...

Abstract: This bulletin summarizes information disseminated in revised NIST Special Publication (SP) 800-28-2, Guidelines on Active Content and Mobile Code: Recommendations of the National Institute of Standards and Technology. Written by Wayne A. Jansen and Karen Scarfone of NIST and by Theodore Winograd of...

Conference: IADIS International Conference Information Systems Abstract: With the increasing use of smart cards for identity verification of individuals, it has become imperative for organizations to properly design and engineer the expensive infrastructure system that supports smart card deployment. Apart from sound system design principles, this class of system (which...