Displaying 526 - 550 of 1430

Password policy languages: usable translation from the informal to the formal

July 21, 2015
Author(s)
Michelle P. Steves, Mary F. Theofanos, Celia Paulsen, Athos Ribeiro
Password policies – documents which regulate how users must create, manage, and change their passwords – can have complex and unforeseen consequences on organizational security. Since these policies regulate user behavior, users must be clear as to what is

PFLASH - Secure Asymmetric Signatures on Smart Cards

July 21, 2015
Author(s)
Ming-Shing Chen, Bo-Yin Yang, Daniel Smith-Tone
We present PFLASH, an asymmetric digital signature scheme appropriate for smart card use. We present parameters for several security levels in this low resource environment and bootstrap many technical properties (including side-channel resistance) exposed

Privacy and Security in the Brave New World: The Use of Multiple Mental Models

July 21, 2015
Author(s)
Susanne M. Furman, Mary F. Theofanos, Brian C. Stanton, Sandra S. Prettyman
We live in a world where the flow of electronic information and communication has become a ubiquitous part of our everyday life. While our lives are enhanced in many ways, we also experience a myriad of challenges especially to our privacy and security

Defensive Resource Allocations with Security Chokepoints in IPv6 Networks

July 15, 2015
Author(s)
Assane Gueye, Peter M. Mell, Richard Harang, Richard J. La
Securely configured Internet Protocol version 6 networks can be made resistant to network scanning, forcing attackers to propagate following existing benign communication paths. We exploit this attacker limitation in a defensive approach in which

Measuring Limits on the Ability of Colluding Countries to Partition the Internet

June 30, 2015
Author(s)
Peter M. Mell, Richard Harang, Assane Gueye
We show that the strength of Internet-based network interconnectivity of countries is increasing over time. We then evaluate bounds on the extent to which a group of colluding countries can disrupt this connectivity. We evaluate the degree to which a group

New Second-Preimage Attacks on Hash Functions

June 23, 2015
Author(s)
Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, Jonathan J. Hoch, John M. Kelsey, Adi Shamir, Sebastien Zimmer
In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle-Damgard-based iterative hash functions. Compared to the previously known long-message

Cardholder Authentication for the PIV Digital Signature Key

June 18, 2015
Author(s)
William Polk, Hildegard Ferraiolo, David Cooper
FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the

Increasing Visibility and Control of Your ICT Supply Chains

June 15, 2015
Author(s)
Jon M. Boyens, Celia Paulsen, Larry Feldman, Greg Witte
This bulletin summarizes the information presented in NIST SP 800-161, Supply Chain Management Practices for Federal Information Systems and Organizations, written by Jon Boyens and Celia Paulsen. The publication provides guidance to federal agencies on

Guide to Industrial Control Systems (ICS) Security

June 3, 2015
Author(s)
Keith A. Stouffer, Victoria Y. Pillitteri, Suzanne Lightman, Marshall Abrams, Adam Hahn
This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic

Cryptographic Algorithms and Key Sizes for Personal Identity Verification

May 29, 2015
Author(s)
William Polk, Donna F. Dodson, William Burr, Hildegard Ferraiolo, David Cooper
This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for

Evaluating Bug Finders: Test and Measurement of Static Code Analyzers

May 23, 2015
Author(s)
Aurelien M. Delaitre, Bertrand C. Stivalet, Elizabeth N. Fong, Vadim Okun
Software static analysis is one of many options for finding bugs in software. Like compilers, static analyzers take a program as input. This paper covers tools that examine source code--without executing it--and output bug reports. Static analysis is a

Authentication Considerations for Public Safety Mobile Networks

May 14, 2015
Author(s)
Nelson Hastings, Joshua M. Franklin, Larry Feldman, Greg Witte
This bulletin summarizes the information presented in NISTIR 8014, Considerations for Identity Management in Public Safety Mobile Networks, written by Nelson Hastings and Joshua Franklin. The publication analyzes approaches to identity management for

Evasion-Resistant Network Scan Detection

May 9, 2015
Author(s)
Richard Harang, Peter Mell
Popular network scan detection algorithms operate through evaluating external sources for unusual connection patterns and traffic rates. Research has revealed evasive tactics that enable full circumvention of existing approaches (specifically the widely

Is Your Replication Device Making An Extra Copy For Someone Else?

April 16, 2015
Author(s)
Celia Paulsen, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NISTIR 8023, Risk Management for Replication Devices, written by Celia Paulsen and Kelley Dempsey. The publication provides guidance on protecting the confidentiality, integrity, and availability of

Password Entry Errors: Memory or Motor?

April 9, 2015
Author(s)
Kristen Greene, Frank Tamborello
As we increasingly rely upon our computer information systems to store and operate on sensitive information, the methods we use to authenticate user identity also become more important. One of the most important such methods is the password. However

Towards a "Periodic Table" of Bugs

April 8, 2015
Author(s)
Irena Bojanova
Our vision for a "periodic table" of bugs is a "natural" organization of a catalog or dictionary or taxonomy to describe software weaknesses and vulnerabilities. Such an organization will help the community to: a) more closely explain the nature of

Analysis of VAES3 (FF2)

April 2, 2015
Author(s)
Morris J. Dworkin, Ray A. Perlner
The National Institute of Standards and Technology (NIST) specified three methods for format-preserving encryption (FPE) in Draft NIST Special Publication (SP) 800-38G, which was released for public comment in July, 2013. Each method was a mode of

Considerations for Identity Management in Public Safety Networks

March 30, 2015
Author(s)
Nelson Hastings, Joshua M. Franklin
This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their

Guidance for Secure Authorization of Mobile Applications in the Corporate Environment

March 19, 2015
Author(s)
Athanasios T. Karygiannis, Stephen Quirolgico, Larry Feldman, Gregory A. Witte
This bulletin provides an overview of NIST Special Publication (SP) 800-163, "Vetting the Security of Mobile Applications." The NIST SP helps organizations understand the process for vetting the security of mobile applications, plan for the implementation