Search CSRC

Conference: 2015 Annual Meeting of the Human Factors and Ergonomics Society Abstract: Passwords are tightly interwoven with the digital fabric of our current society. Unfortunately, passwords that provide better security generally tend to be more complex, both in length and composition. Complex passwords are problematic both cognitively and motorically, leading to both memory and mot...

Abstract: The call for a dramatic reduction in software vulnerability is heard from multiple sources, recently from the February 2016 Federal Cybersecurity Research and Development Strategic Plan. This plan starts by describing well known risks: current systems perform increasingly vital tasks and are widely...

Abstract: Mobile platforms offer a significant operational advantage to public safety stakeholders by giving them access to mission critical information and services while deployed in the field, during training and exercises, or participating in day-to-day business and preparations during non-emergency period...

Conference: 8th ACM Computer and Communications Security International Workshop on Managing Insider Security Threats (MIST '16) Abstract: The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of in...

Conference: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16) Abstract: While attacks on information systems have for most practical purposes binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum in damages. Att...

Journal: INTEGERS: The electronic journal of combinatorial number theory Abstract: Working over the field Q(t), Kihara constructed an elliptic curve with torsion group Z/4Z and five independent rational points, showing the rank is at least five. Following his approach, we give a new infinite family of elliptic curves with torsion group Z/4Z and rank at least five. This matches the...

Journal: Computer (IEEE Computer) Abstract: A panel of seven experts discusses the state of the practice of formal methods (FM) in software development, with a focus on FM's relevance to security. In a 1996 article, formal methods (FM) advocate Tony Hoare asked, "How Did Software Get So Reliable without Proof?"1 Twenty years later, in the sa...

Conference: IEEE 17th International Conference on Information Reuse and Integration (IEEE IRI2016) Abstract: Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties that access control should adhere to, access c...

Abstract: There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN). However, cybersecurity requirements should not compromise the ability of first responders to complete their missions. In addition, the diversity of public safety disciplines...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-125B, "Secure Virtual Network Configuration for Virtual Machine (VM) Protection." That publication provides an analysis of various virtual network configuration options for protection of VMs and to present recomm...

Journal: Computer (IEEE Computer) Abstract: We asked 7 experts 1 simple question to find out what has occurred recently in terms of applying formal methods (FM) to security-centric, cyber problems: Please summarize in a paragraph the state of the research and practitioner communities in formal method as you see it. Please include standards, c...

Abstract: As a result of payment card industry standards and a strong understanding of the value of valid credit card information in the black market, the retail industry has already invested in security mechanisms to protect credit card data, also referred to as cardholder data. However, this cardholder data...

Abstract: In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able t...

Abstract: Password entry on mobile devices significantly impacts both usability and security, but there is a lack of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usabili...

Journal: Journal of Mathematical Cryptology Abstract: A hash function secure in the indifferentiability framework (TCC 2004) is able to resist allmeaningful generic attacks. Such hash functions also play a crucial role in establishing the security of protocols that use them as random functions. To eliminate multi-collision type attacks o...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-38G, "Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption." The publication specifies two methods for format-preserving encryption, FF1 and FF3.

Abstract: This bulletin summarizes the information presented in NIST Special Publication 800-167, "Guide to Application Whitelisting," written by Adam Sedgewick, Murugiah Souppaya and Karen Scarfone. The publication is intended to assist organizations in understanding the basics of application whitelisting....

Abstract: In the past, medical devices were stand-alone instruments that interacted only with the patient. Today, medical devices have operating systems and communication hardware that allow them to connect to networks and other devices. While this technology has created more powerful tools and improved healt...

Abstract: De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. De-identification thus attempt...

Abstract: Software asset management (SAM) is a key part of continuous monitoring. The approach described here is intended to support the automation of security functions such as risk-based decision making, collection of software inventory data, and inventory-based network access control. SAM, as envisioned in...

Abstract: This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.

In: Advances in Computers Abstract: Combinatorial testing has rapidly gained favor among software testers in the past decade as improved algorithms have become available and practical success has been demonstrated. This chapter reviews the theory and application of this method, focusing particularly on research since 2010, with a brie...

Conference: Lightweight Cryptography Workshop 2015 Abstract: We present PFLASH, an asymmetric digital signature scheme appropriate for smart card use. We present parameters for several security levels in this low resource environment and bootstrap many technical properties (including side-channel resistance) exposed in the evaluation of predecessors of this s...

Abstract: This bulletin summarizes the information presented in NIST Special Publication (SP) 800-161, Supply Chain Management Practices for Federal Information Systems and Organizations, which provides guidance to federal agencies on identifying, assessing and mitigating ICT supply chain risks at all levels...

Abstract: The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP version 1.2 requirements are defined in NIST Special Publication...