Search CSRC

The Cryptography Technology Group in the Computer Security Division hosts Crypto Reading Club talks to foster research and collaboration in cryptography. When: Wednesday, once every two weeks, 10:00am-12:00pm (Eastern Time). Where: NIST Gaithersburg campus (MD 20899), Building 222, Room B341 or (since 2020) by virtual conference. Email List: Meeting reminders will be sent to subscribers of the Crypto Reading Club List. To suggest a talk, please contact crypto-club-questions (at) nist (dot) gov.   Brief history...

Users of the former "Crypto Toolkit" can now find that content under this project. It includes cryptographic primitives, algorithms and schemes are described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs).   Crypto Standards and Guidelines Activities Block Cipher Techniques Digital Signatures Hash Functions Interoperable Randomness Beacons Key Management Lightweight Cryptography (LWC) Message Authentication Codes (MACs) Multi-Party Threshold Cryptography Post-quantum...

The Computer Security Division is working with the Department of Homeland Security (DHS) to develop guidance on Computer Security Incident Coordination (CSIC). The goal of CSIC is to help diverse collections of organizations to effectively collaborate in the handling of computer security incidents. Effective collaboration raises numerous issues on how and when to share information between organizations, and in what form information should be shared. Because different organizations may have substantially different capabilities for responding to attacks, diagnosing causes, and handling sensitive...

Information objects that convey information used to maintain the security of resources in computerized environments are known as Computer Security Objects (CSOs). The Computer Security Objects Register (CSOR) specifies names that uniquely identify CSOs. These unique names are used to reference these objects in abstract specifications and during the negotiation of security services for a transaction or application. The CSOR is also a repository of parameters associated with the registered objects. For agencies requesting a new OID, please send email with OID name, associated document and point...

To advance the state of the art in continuous monitoring capabilities and to further interoperability within commercially available tools, the Computer Security Division is working within the international standards development community to establish working groups and to author and comment on emerging technical standards in this area. The CAESARS-FE reference architecture will evolve as greater consensus is developed around interoperable, standards-based approaches that enable continuous monitoring of IT systems. The NCCoE is also working to develop a series of ConMon building blocks that...

The NIST Cryptographic Algorithm Validation Program (CAVP) provides validation testing of Approved (i.e., FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. Cryptographic algorithm validation is a prerequisite of cryptographic module validation. Vendors may use any of the NVLAP-accredited Cryptographic and Security Testing (CST) Laboratories to test algorithm implementations. An algorithm implementation successfully tested by a lab and validated by NIST is added to an appropriate validation list, which identifies the vendor, implementation,...

Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security, a branch of the Communications Security Establishment. The goal of the CMVP is to promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.  Each Cryptographic and Security Testing Laboratories (CSTL) is an independent laboratory accredited by NVLAP....

NIST is working with stakeholders from across government, industry, and academia to research and prototype methods and tools to enable predictive risk analytics and identify cyber risk trends. NIST’s goal is to enable information sharing among risk owners about historical, current and future cyber risk conditions and is intended to help not only enhance existing cyber risk mitigation strategies but also improve and expand upon existing cybersecurity risk metrology efforts. We will be leveraging past and present efforts such as data repository for cyber incident analysis, predictive analytics...

[Redirect to https://www.nist.gov/cyberframework] The Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. *Federal agencies do have requirements to implement the Cybersecurity Framework; see the  for more information.

As an electronic analogue of a written signature, a digital signature provides assurance that: the claimed signatory signed the information, and the information was not modified after signature generation. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved digital signature algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures, in conjunction with an approved hash function specified in FIPS 180-4, Secure Hash Standard or FIPS 202, SHA-3 Standard: Permutation-Based Hash and...

Elliptic curve cryptography is critical to the adoption of strong cryptography as we migrate to higher security strengths. NIST has standardized elliptic curve cryptography for digital signature algorithms in FIPS 186 and for key establishment schemes in SP 800-56A.  In FIPS 186-4, NIST recommends fifteen elliptic curves of varying security levels for use in these elliptic curve cryptographic standards. However, more than fifteen years have passed since these curves were first developed, and the community now knows more about the security of elliptic curve cryptography and practical...

Blockchains provide a strong mechanism to ensure that data blocks have not been altered, but this feature conflicts with many privacy requirements, such as those in GDPR, which allow users to have private data deleted at their request. The immutability property makes a blockchain solution impractical for many such privacy rules, leading to the need for "editable blockchains".   The blockchain immutability property was designed to solve the problem of double spending in cryptocurrencies.  But conventional blockchains are hard to use in many distributed system applications, without the ability...

Cryptography is critical for securing data at rest or in transit over the IoT. But cryptography fails when a device uses easy-to-guess (weak) keys generated from low-entropy random data. Standard deterministic computers have trouble producing good randomness, especially resource-constrained IoT-class devices that have little opportunity to collect local entropy before they begin network communications. The best sources of true randomness are based on unpredictable physical phenomena, such as quantum effects, but they can be impractical to include in IoT devices. We research novel Internet...

While FIPS 140-2 continues on through 2026, development to support and validate FIPS 140-3 modules must be in place by September 2020. This project addresses questions concerning the process of migrating from FIPS 140-2 to FIPS 140-3.  The transition process includes organizational, documentation and procedural changes necessary to update and efficiently manage the ever increasing list of security products that are tested for use in the US and Canadian governments.  Changes also support the migration of internally developed security standards towards a set of standards developed and maintained...

[Redirect to https://www.nist.gov/itl/applied-cybersecurity/fissea] FISSEA, founded in 1987, is an organization run by and for Federal government information security professionals to assist Federal agencies in strengthening their employee cybersecurity awareness and training programs. FISSEA conducts an annual fee-based conference.

THIS PAGE IS FOR HISTORICAL PURPOSES ONLY SEE FIPS 140-3 TRANSITION EFFORT FOR THE CURRENT STATUS Approval of FIPS 140-3  |  SP 800-140x Development  |  Implementation Schedule  |  2015 RFI FIPS 140-3 approved On March 22, 2019, the Secretary of Commerce approved Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules, which supersedes FIPS 140-2. This was announced in the Federal Register on May 1, 2019. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to the Cryptographic...

In 2015, Executive Order 13702 established the National Strategic Computing Initiative (NSCI) to maximize the benefits of high-performance computing (HPC) for economic competitiveness and scientific discovery. The ability to process large volumes of data and perform complex calculations at high speeds is a key part of the nation's vision for maintaining its global competitive edge.  Security for HPC systems is an essential component of HPC to provide the anticipated benefits. Our goal is to help HPC community to create a HPC Risk Management Framework (RMF) that shall provide a comprehensive...

The Interoperable Randomness Beacons project at NIST intends to promote the availability of trusted public randomness as a public utility. This can be used for example for auditability and transparency of services that depend on randomized processes. The project is spearheaded by the Cryptographic Technology Group in the Computer Security Division of the Information Technology Laboratory (ITL), and has counted with the participation of many collaborators over the years. WARNING: Do NOT use Beacon generated values as cryptographic secret keys! The webpage of the NIST Randomness Beacon (with...

Developing an IoT Laboratory based on LPWAN using LoRaWAN This project is developing a LoRaWAN infrastructure in order to study the security of communications based on Low Power Wide Area Networks, with the objective of Identifying and evaluating security vulnerabilities and countermeasures. Recent Accomplishments Wired IoT prototype for multiple IoT devices (temp sensors, others TBD). Survey of low power wide area networking. Architecture formulated for LPWAN-IoT at NIST. Preliminary risk analysis of LPWA networking deployment at NIST. Risk-balanced phased laboratory development...

NIST, in collaboration with the industry, is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls. The OSCAL website provides an overview of the OSCAL project, including tutorials, concepts, references, downloads, and much more. OSCAL is organized in a series of layers that each provides a set of models.  A model represents an information...

[Redirect to https://www.nist.gov/privacy-framework] The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

Presentations & Speakers at a Glance: Update on NIST SP 800-63, David Temoshok, NIST VA's Cyber NexGen Developmental Program, Clarence Williams and Sharon McPherson, Department of Veterans Affairs Facilitated Discussion: Agency Use of NIST Cybersecurity Framework and NIST Risk Management Framework, Victoria Pillitteri and Katherine Schroeder, NIST Update to (Draft) NIST SP 800-50, Rev. 1: Building a Cybersecurity and Privacy Awareness and Training Program, Don Walden, IRS and Marian Merritt, NIST   The Federal Cybersecurity and Privacy Professionals Forum is an informal group...

Approved Algorithms Approved hash algorithms for generating a condensed representation of a message (message digest) are specified in two Federal Information Processing Standards: FIPS 180-4, Secure Hash Standard and FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions.  FIPS 180-4 specifies seven hash algorithms: SHA-1 (Secure Hash Algorithm-1), and the SHA-2 family of hash algorithms: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. FIPS 202 specifies the new SHA-3 family of permutation-based functions based on KECCAK as a result of the...

NIST has initiated a process to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable. In August 2018, NIST published a call for algorithms (test vector generation code) to be considered for lightweight cryptographic standards with authenticated encryption with associated data (AEAD) and optional hashing functionalities. The deadline for submitting algorithms has passed. NIST received 57 submissions to be considered for standardization. After...

Enterprise networks have become essential to the operation of companies, laboratories, universities, and government agencies. As they continue to grow both in size and complexity, their security has become a critical concern. Vulnerabilities are regularly discovered in software applications which are exploited to stage cyber attacks. There is no objective way to measure the security of an enterprise network. As a result it is difficult to answer such objective questions as "are we more secure than yesterday" or "how should we invest our limited resources to improve security" or "how does this...