Abstract: Adequate user authentication is a persistent problem, particularly with handheld devices, which tend to be highly personal and at the fringes of an organization's influence. Yet, these devices are being used increasingly in corporate settings where they pose a security risk, not only by containing s...
Conference: Eighth ACM Symposium on Access Control Models and Technologies (SACMAT '03) Abstract: Role-based Access Control (RBAC) models have been implemented not only in self-contained resource management products such as DBMSs and Operating Systems but also in a class of products called Enterprise Security Management Systems (ESMS). ESMS products are used for centralized management of authori...
Abstract: Recently proposed quantum key distribution protocols are shown to be vulnerable to a classic man-in-the-middle attack using entangled pairs created by Eve. The attack could be applied to any protocol that relies on manipulation and return of entangled qubits to create a shared key. The protocols tha...
Abstract: CSPP-OS provides a worked example of the guidance in NISTIR-6462 for the development of Common Criteria Protection Profiles for commercial off the shelf (COTS) information technology. The intended audience consists of those individuals and organizations in both government and private sectors who are...
Abstract: The use of mobile handheld devices, such as Personal Digital Assistants (PDAs) and tablet computers, within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but instead have become indispensable tools that offer competitive busi...
Abstract: This ITL Bulletin summarizes Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems. That publication provides guidance for planning, establishing, maintaining, and terminating secure yet cost-effective interconnections between IT systems that are owned an...
Abstract: Over the past decade, interest in role-based access control (RBAC) has increased dramatically, with most major information technology (IT) vendors offering a product that incorporates some form of role-based access. The profusion of new RBAC products offers many advantages for security administrator...
Conference: 27th Annual NASA Goddard/IEEE Software Engineering Workshop (SEW ’02) Abstract: Approaches to software testing based on methods from the field of design of experiments have been advocated as a means of providing high coverage at relatively low cost. Tools to generate all pairs, or higher n-degree combinations, of input values have been developed and demonstrated in a few applic...
Abstract: This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure...
Abstract: The National Institute of Standards and Technology (NIST), Information Technology Laboratory, Computer Security Division, has developed this S/MIME (Secure / Multipurpose Internet Mail Extensions) client profile as guidance in the development and procurement of commercial-off-the-shelf (COTS) S/MIME...
Abstract: The key asset in Federal agencies today is the information and data used to implement, sustain and maintain critical government programs and operations. Current efforts in ensuring that the United States can recover and restore activities which have great impact on the physical and economic health a...
Abstract: The National Institute of Standards and Technology (NIST) began working on RBAC in the early 1990s after a study of federal agency security needs identified the need to develop a better method for managing large networked systems and complex access issues (Ferraiolo, Gilbert, and Lynch, 1992). Over...
Journal: International Journal of Reliability, Quality and Safety Engineering Abstract: Most complex systems today contain software, and systems failures activated by software faults can provide lessons for software development practices and software quality assurance. This paper presents an analysis of software-related failures of medical devices that caused no death or injury but led...
Abstract: This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm...
Abstract: The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form calle...
Abstract: [Prepared by TASC, Inc. for NIST] This report examines the evolution and economic significance of NIST’s Data Encryption Standard (DES) Program. DES was developed by the National Institute of Standards and Technology (NIST, formerly the National Bureau of Standards, NBS) for protecting sensitive, un...
Abstract: NIST sponsored a public workshop for the analysis of block cipher modes of operation on August 24, 2001, in Goleta, California. This report summarizes the presentations and discussions at that workshop.
Journal: ACM Transactions on Information and System Security (TISSEC) Abstract: In this article we propose a standard for role-based access control (RBAC). Although RBAC models have received broad support as a generalized approach to access control, and are well recognized for their many advantages in performing large-scale authorization management, no single authoritative defi...
Journal: Journal of Research of the National Institute of Standards and Technology Abstract: In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used to protect sensitive (unclassified) Federal information in furtherance of NIST’s statutory responsibilities. In 1998, NIST announced the acceptance of 15 c...
In: A Century of Excellence in Measurements, Standards, and Technology Abstract: This chapter provides an overview of the development of the Data Encryption Standard (DES) and was published in NIST Special Publication 958, A Century of Excellence in Measurements, Standards, and Technology: A Chronicle of Selected NBS/NIST Publications, 1901-2000.
Abstract: A workshop was held to discuss the modes of operation for symmetric key block cipher algorithms on October 20, 2000 at the Baltimore Convention Center in Baltimore, Maryland.
Abstract: [The NIST Computer Security Division prepared this report for the Security, Privacy, and Critical Infrastructure Committee of the CIO Council.] The Federal Information Technology (IT) Security Assessment Framework (or Framework) provides a method for agency officials to 1) determine the current sta...
Conference: 23rd National Information Systems Security Conference (NISSC '00) Abstract: Defining an Access Control Service for an enterprise application requires the choice of an access control model and a process for formulation of access decision rules to be used by the access enforcement mechanism. In this paper, we describe a business process driven framework (called the BPD-ACS) f...
Conference: 23rd National Information Systems Security Conference Abstract: The Proceedings of the 23rd National Information Systems Security Conference (NISSC), held October 16-19, 2000, in Baltimore, Maryland.
Conference: Fifth ACM Workshop on Role-Based Access Control (RBAC '00) Abstract: The use of Extensible Markup Language (XML) and its associated APIs, for information modeling and information interchange applications is being actively explored by the research community. In this paper we develop an XML Document Type Definition (DTD) for representing the schema of a Role-based Acce...