Search CSRC

Journal: IT Professional Abstract: This article reviews risks and vulnerabilities in interdomain routing, and best practices that can have near-term benefits for routing security. It includes examples of routing failures and common attacks on routers, and coutermeasures to reduce router vulnerabilities.

Abstract: This bulletin summarizes the information that was published in NIST Interagency Report (NISTIR) 7621, Small Business Information Security: The Fundamentals, by Richard Kissel. The publication presents three major areas that small businesses should address to provide security for their information, s...

Conference: 16th International Workshop, Selected Areas in Cryptography (SAC 2009) Abstract: In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this tech...

Abstract: Firewalls are essential devices or programs that help organizations protect their networks and systems, and help home users protect their computers, from hostile attacks, break-ins, viruses, and malicious software. Firewalls control the flow of network traffic between networks and between hosts that...

Conference: MODSIM World 2009 Abstract: This study compared random and t-way combinatorial inputs of a network simulator, to determine if these two approaches produce significantly different deadlock detection for varying network configurations. Modeling deadlock detection is important for analyzing configuration changes that could inadve...

Conference: 5th International Workshop on Security Measurements and Metrics, 2009 (MetriSec 2009) Abstract: The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CV...

Abstract: This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools. It describes an application and data set developed to populate identity modules and highlights subtleties in...

Journal: IEEE Security & Privacy Abstract: This paper describes some practical administrative issues and challenges in the deployment of DNSSEC - an IETF specified suite of security measures for securing the Domain Name System (DNS). The issues covered include: (a) Choice of Cryptographic algorithms and Key Sizes (2) Roll over schemes for Cr...

Abstract: This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications.

Abstract: Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing security postures. This publication provides an overview of several types of firewall technologies and discusses their security capabilities and their relative advantages and disa...

Conference: End-to-End Voting Systems Workshop Abstract: This paper provides definitions for some desirable properties of voting systems, including auditability, ballot secrecy, incoercibility, usability and accessibility. In the context of these desirable properties, it defines the class of end-to-end independently verifiable (E2E) voting systems that pr...

Abstract: The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standa...

Abstract: Establishing the time when a digital signature was generated is often a critical consideration. A signed message that includes the (purported) signing time provides no assurance that the private key was used to sign the message at that time unless the accuracy of the time can be trusted. With the ap...

Abstract: This document describes the use of ISO/IEC 24727 in enabling client-applications to access identity credentials issued by different credential issuers.

In: Safety and Security in Multiagent Systems: Research Results from 2004-2006 (2009) Abstract: Mobile commerce and location-aware services promise to combine the conveniences of both online and offline bricks-and-mortar services. Just as agent-enabled desktop computers can be used to improve a user s e-commerce experience, so can agent-enabled mobile devices be used to improve a user s mobile...

Journal: Computer (IEEE Computer) Abstract: Developers of large data-intensive software often notice an interesting – though not surprising – phenomenon: when usage of an application jumps dramatically, components that have operated for months without trouble suddenly develop previously undetected errors. For example, newly added customers ma...

Abstract: This bulletin summarizes information about the Risk Management Framework (RMF) and points to NIST standards and guidelines that assist agencies in achieving effective security for their information technology (IT) systems. The RMF guides agencies through a series of steps, taking into account the ri...

Conference: 16th International Workshop, Fast Software Encryption (FSE 2009) Abstract: The CBC-MAC, or cipher block chaining message authentication code, is a well-known method to generate message authentication codes. Unfortunately, it is not forgery-secure over an arbitrary domain. There are several secure variants of CBC-MAC, among which OMAC (or one-key CBC-MAC) is a widely-used c...

Conference: 13th World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI 2009) Abstract: Deployment of smart cards as identity tokens (Smart ID Cards) requires the support of an enterprise system called Identity Management System (IDMS) for collection, storage, processing and distribution of personal identity credentials. Secure configuration of IDMS for this application domain (IDMS-SC...

Conference: 14th Australasian Conference on Information Security and Privacy (ACISP 2009) Abstract: This paper characterizes collision preserving padding rules and provides variants of Merkle-Damgard (MD) which are having less or no overhead costs due to length. We first show that suffix-free property of padding rule is necessary as well as sufficient to preserve the collision security of MD hash...

In: Wiley Handbook of Science and Technology for Homeland Security (2010) Abstract: The goal of cyber security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. A cyber security standard defines both functional and assurance requirements within a product, system, process, or technology environment. Well-developed cy...

Journal: IT Professional Abstract: IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue ( Surviving Insecure IT: Effective Patch Management, pp. 49 51), effective patch management is...

Abstract: More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees...

Conference: 8th Symposium on Identity and trust on the Internet (IDtrust '09) Abstract: Public key cryptography is widely used to secure transactions over the Internet. However, advances in quantum computers threaten to undermine the security assumptions upon which currently used public key cryptographic algorithms are based. In this paper, we provide a survey of some of the public key...

Conference: 2009 WRI World Congress on Computer Science and Information Engineering Abstract: While mobile handheld devices, such as cell phones and PDAs, provide productivity benefits, they also pose new risks. A vital safeguard against unauthorized access to a device s contents is authentication. This paper describes a location-based authentication mechanism that employs trusted servers ca...