Search Publications

Displaying 601 - 625 of 1509

The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords

August 4, 2015

Author(s)

Cathryn A. Ploehn, Kristen Greene

Password management is the ubiquitous struggle of the modern human. Despite usability playing a vital role in authentication, many password policies and requirements focus on security without sufficient consideration of human factors. In fact, security and

Extending the Cybersecurity Digital Thread with XForms

August 3, 2015

Author(s)

Joshua Lubell

The digital thread for cybersecurity enables security technologies and data sources to interoperate. It consists of an integrated collection of languages, taxonomies, and metrics represented using the Extensible Markup Language (XML). A gap in the

Human Generated Passwords - the Impacts of Password Requirements and Presentation Styles

August 2, 2015

Author(s)

Paul Y. Lee, Yee-Yin Choong

The generation stage of the user password management lifecycle is arguably the most important yet perilous step. Fulfilling minimum length and character type requirements while attempting to create something memorable can become an arduous task, leaving

What 4,500+ people can tell you Employees' Attitudes toward Organizational Password Policy Do Matter

August 2, 2015

Author(s)

Yee-Yin Choong, Mary F. Theofanos

Organizations establish policies on how employees should generate, maintain, and use passwords to authenticate and gain access to the organizations information systems. This paper focuses on employees attitudes towards organizational password policies

Analysis of Network Segmentation Techniques in Cloud Data Centers

July 30, 2015

Author(s)

Ramaswamy Chandramouli

Cloud Data centers are predominantly made up of Virtualized hosts. The networking infrastructure in a cloud (virtualized) data center, therefore, consists of the combination of physical IP network (data center fabric) and the virtual network residing in

Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

July 30, 2015

Author(s)

Hildegard Ferraiolo, Ramaswamy Chandramouli, Nabil Ghadiali, Jason Mohler, Scott Shorter

The purpose of this Special Publication is to provide appropriate and useful guidelines for assessing the reliability of issuers of Personal Identity Verification (PIV) Cards and Derived PIV Credentials. These issuers store personal information and issue

Password policy languages: usable translation from the informal to the formal

July 21, 2015

Author(s)

Michelle P. Steves, Mary F. Theofanos, Celia Paulsen, Athos Ribeiro

Password policies documents which regulate how users must create, manage, and change their passwords can have complex and unforeseen consequences on organizational security. Since these policies regulate user behavior, users must be clear as to what is

PFLASH - Secure Asymmetric Signatures on Smart Cards

July 21, 2015

Author(s)

Ming-Shing Chen, Bo-Yin Yang, Daniel Smith-Tone

We present PFLASH, an asymmetric digital signature scheme appropriate for smart card use. We present parameters for several security levels in this low resource environment and bootstrap many technical properties (including side-channel resistance) exposed

Privacy and Security in the Brave New World: The Use of Multiple Mental Models

July 21, 2015

Author(s)

Susanne M. Furman, Mary F. Theofanos, Brian C. Stanton, Sandra S. Prettyman

We live in a world where the flow of electronic information and communication has become a ubiquitous part of our everyday life. While our lives are enhanced in many ways, we also experience a myriad of challenges especially to our priva-cy and security

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

July 15, 2015

Author(s)

Assane Gueye, Peter M. Mell, Richard Harang, Richard J. La

Securely configured Internet Protocol version 6 networks can be made resistant to network scanning, forcing attackers to propagate following existing benign communication paths. We exploit this attacker limitation in a defensive approach in which

Measuring Limits on the Ability of Colluding Countries to Partition the Internet

June 30, 2015

Author(s)

Peter M. Mell, Richard Harang, Assane Gueye

We show that the strength of Internet-based network interconnectivity of countries is increasing over time. We then evaluate bounds on the extent to which a group of colluding countries can disrupt this connectivity. We evaluate the degree to which a group

Recommendation for Random Number Generation Using Deterministic Random Bit Generators

June 24, 2015

Author(s)

Elaine B. Barker, John M. Kelsey

This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions or block cipher algorithms. [Supersedes SP 800-90A (January 2012): http://www.nist.gov

New Second-Preimage Attacks on Hash Functions

June 23, 2015

Author(s)

Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, Jonathan J. Hoch, John M. Kelsey, Adi Shamir, Sebastien Zimmer

In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle-Damgard-based iterative hash functions. Compared to the previously known long-message

Cardholder Authentication for the PIV Digital Signature Key

June 18, 2015

Author(s)

William Polk, Hildegard Ferraiolo, David Cooper

FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

June 18, 2015

Author(s)

Ronald S. Ross, Kelley L. Dempsey, Patrick Viscuso, Mark Riddle, Gary Guissanie

[Superseded by SP 800-171 (June 2015, w/updates through 09/03/2015): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919562] The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and

Increasing Visibility and Control of Your ICT Supply Chains

June 15, 2015

Author(s)

Jon M. Boyens, Celia Paulsen, Larry Feldman, Greg Witte

This bulletin summarizes the information presented in NIST SP 800-161, Supply Chain Management Practices for Federal Information Systems and Organizations, written by Jon Boyens and Celia Paulsen. The publication provides guidance to federal agencies on

Guide to Industrial Control Systems (ICS) Security

June 3, 2015

Author(s)

Keith A. Stouffer, Victoria Y. Pillitteri, Suzanne Lightman, Marshall Abrams, Adam Hahn

This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic

Cryptographic Algorithms and Key Sizes for Personal Identity Verification

May 28, 2015

Author(s)

Tim Polk, Donna F. Dodson, William Burr, Hildegard Ferraiolo, David Cooper

[Superseded by SP 800-78-5 (July 2024): https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957979] This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the

Evaluating Bug Finders: Test and Measurement of Static Code Analyzers

May 23, 2015

Author(s)

Aurelien M. Delaitre, Bertrand C. Stivalet, Elizabeth N. Fong, Vadim Okun

Software static analysis is one of many options for finding bugs in software. Like compilers, static analyzers take a program as input. This paper covers tools that examine source code--without executing it--and output bug reports. Static analysis is a

Authentication Considerations for Public Safety Mobile Networks

May 14, 2015

Author(s)

Nelson Hastings, Joshua M. Franklin, Larry Feldman, Greg Witte

This bulletin summarizes the information presented in NISTIR 8014, Considerations for Identity Management in Public Safety Mobile Networks, written by Nelson Hastings and Joshua Franklin. The publication analyzes approaches to identity management for

Evasion-Resistant Network Scan Detection

May 9, 2015

Author(s)

Richard Harang, Peter Mell

Popular network scan detection algorithms operate through evaluating external sources for unusual connection patterns and traffic rates. Research has revealed evasive tactics that enable full circumvention of existing approaches (specifically the widely

Is Your Replication Device Making An Extra Copy For Someone Else?

April 16, 2015

Author(s)

Celia Paulsen, Larry Feldman, Gregory A. Witte

This bulletin summarizes the information presented in NISTIR 8023, Risk Management for Replication Devices, written by Celia Paulsen and Kelley Dempsey. The publication provides guidance on protecting the confidentiality, integrity, and availability of

NSTIC Pilots: Catalyzing the Identity Ecosystem

April 13, 2015

Author(s)

Katerina N. Megas, Philip Lam, Ellen M. Nadeau, Colin Soutar

[Superseded by NISTIR 8054 (April 2015 w/ updates through 9/20/15): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=919757] Pilots are an integral part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), passed by the White

Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium

April 10, 2015

Author(s)

Celia Paulsen

Direct Digital Manufacturing (DDM) involves fabricating physical objects from a data file using computer-controlled processes with little to no human intervention. It includes Additive Manufacturing (AM), 3D printing, rapid prototyping, etcetera. The

Password Entry Errors: Memory or Motor?

April 9, 2015

Author(s)

Kristen Greene, Frank Tamborello

As we increasingly rely upon our computer information systems to store and operate on sensitive information, the methods we use to authenticate user identity also become more important. One of the most important such methods is the password. However