Search CSRC

Conference: 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2008) Abstract: We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean and Kelsey and Schneier with the herding attack of Kelsey and Kohno. We show that these generic attacks apply to hash functions using the Merkle-Damgard construction...

Conference: The Cryptographers’ Track at the RSA Conference 2008 Abstract: We consider the security of Damgard-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value.  We show that these Damgard-Merkle variants gain almost no security against generi...

Journal: Journal of Computer Security Abstract: An attack graph models the causal relationships between vulnerabilities. Attack graphs have important applications in protecting critical resources in networks against sophisticated multi-step intrusions. Currently, analyses of attack graphs largely depend on proprietary implementations of specializ...

Abstract: Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The prim...

Journal: Electronics Letters Abstract: Testing for element membership in a Bloom Filter requires hashing of a test element (e.g., a string) and multiple look-ups in memory. A design of a new two-tier Bloom filter with on-chip hash functions and cache is described. For elements with a heavy-tailed distribution for popularity, membership t...

Abstract: Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for...

Abstract: The Federal Desktop Core Configuration (FDCC) was jointly developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DOD), and the Department of Homeland Security (DHS) to help Federal organizations improve their information security and reduce the information...

Abstract: This bulletin summarizes the contents of NIST Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers. The publication details the steps that organizations should take to plan, install, and maintain secure Web server software and their underlying operating systems. The bulle...

Conference: 41st Hawaii International Conference on System Sciences (HICSS) Abstract: Cell phones are an emerging but rapidly growing area of computer forensics. While cell phones are becoming more like desktop computers functionally, their organization and operation are quite different in certain areas. For example, most cell phones do not contain a hard drive and rely instead on fl...

Abstract: This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specifi...

Journal: IEEE Security & Privacy Abstract: [This is a response to comments on INCITS Standard 359-2004, Role Based Access Control. For original paper see Ninghui Li et al., IEEE Security & Privacy, vol. 5, no. 6, p.41, (2007).]

Abstract: FIPS 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors," and its associated special publications define a method to perform biometric match-off-card authentication of a PIV cardholder when the PIV card is inserted into a contact smart card reader. Today, many smart card...

Journal: Software Testing, Verification, and Reliability Abstract: We present two strategies for multi-way testing (i.e., t-way testing with t > 2). The first strategy generalizes an existing strategy, called In-Parameter-Order, from pairwise testing to multi-way testing. This strategy requires all t-way combinations to be explicitly enumerated. When the number of...

Abstract: This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved...

Abstract: This bulletin summarizes the guidance developed by NIST and published in SP 800-111 to help organizations secure their end user devices, and deter unauthorized parties from accessing the stored information. The bulletin explains three classes of storage encryption techniques (full disk encryption, v...

Abstract: Many threats against end user devices, such as desktop and laptop computers, smart phones, personal digital assistants, and removable media, could cause information stored on the devices to be accessed by unauthorized parties. To prevent such disclosures of information, the information needs to be s...

Abstract: This bulletin summarizes the guidance developed by NIST and published in NISTIR 7435 to help IT managers to make sense of data about the vulnerabilities of their information systems and to take appropriate actions that will protect their systems and information. The bulletin explains the Common Vuln...

Abstract: Web servers are often the most targeted and attacked hosts on organizations' networks. As a result, it is essential to secure Web servers and the network infrastructure that supports them. This document is intended to assist organizations in installing, configuring, and maintaining secure public Web...

Abstract: NIST hosted the sixth Annual Public Key Infrastructure (PKI) Research Workshop on April 17-19, 2007. The two and a half day event brought together PKI experts from academia, industry, and government had a particular interest in novel approaches to simplifying the use and management of X.509 digital...

Abstract: The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for virtually all publicly known vulnerabilities. Federal agencies can use the Fe...

Abstract: The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to in...

Abstract: This bulletin provides information on current and emerging standards that have been developed for Web services, and provides background information on the most common security threats to service-oriented architectures (SOAs). The bulletin discusses Web services issues and challenges that apply to ma...

Abstract: This Recommendation defines a mode of operation, called Counter with Cipher Block Chaining-Message Authentication Code (CCM), for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of t...

Abstract: The data that is captured on mobile phones can be a source of valuable information to organizations that are investigating crimes, policy violations and other security incidents. The science of recovering digital evidence from mobile phones, using forensically sound conditions and accepted methods,...

Abstract: Radio frequency identification (RFID) is a form of automatic identification and data capture technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID techn...