Friday, February 3, 2023

NIST Revises the Digital Signature Standard (DSS) and Publishes a Guideline for Elliptic Curve Domain Parameters

 Today, NIST is publishing Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard (DSS), along with NIST Special Publication (SP) 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters

FIPS 186-5 specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data:

  1. Rivest-Shamir-Adleman (RSA) Algorithm
  2. Elliptic Curve Digital Signature Algorithm (ECDSA)
  3. Edwards Curve Digital Signature Algorithm (EdDSA)

The Digital Signature Algorithm (DSA), which was specified in prior versions of FIPS 186, is retained only for the purposes of verifying existing signatures. 

The companion document, NIST SP 800-186, specifies the set of recommended elliptic curves. In addition to the previously recommended Weierstrass curves, there are two newly specified Edwards curves included for use with the EdDSA algorithm. Edwards curves provide increased performance, side-channel resistance, and simpler implementation when compared to traditional curves. While NIST SP 800-186 includes the specifications for elliptic curves over binary fields, these curves are now deprecated, and the use of other (prime) curves is strongly recommended.

The algorithms in these standards are not expected to provide resistance to attacks from a large-scale quantum computer. Digital signature algorithms that will provide security from quantum computers will be specified in future NIST publications. For more information, see the Post-Quantum Cryptography Standardization project.

Read More

Phishing Resistance – Protecting the Keys to Your Kingdom


Image depicting cybersecurity phishing

If you own a computer, watch the news, or spend virtually any time online these days you have probably heard the term “phishing.” Never in a positive context…and possibly because you have been a victim yourself.

Phishing refers to a variety of attacks that are intended to convince you to forfeit sensitive data to an imposter. These attacks can take a number of different forms; from spear-phishing (which targets a specific individual within an organization), to whaling (which goes one step further and targets senior executives or leaders). Furthermore, phishing attacks take place over multiple channels or even across channels; from the more traditional email-based attacks to those using voice – vishing – to those coming via text message – smishing. Regardless of the type or channel, the intent of the attack is the same – to exploit human nature to gain control of sensitive information (citation 1). These attacks typically make use of several techniques including impersonated websites, attacker-in-the-middle, and relay or replay to achieve their desired outcome.

Read More

Thursday, February 2, 2023

Migrate from AD FS to Microsoft Azure Active Directory for identity management

The Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Using machine learning and human intelligence that looks across worldwide traffic can rapidly detect attacks and allow you to reconfigure almost in real time.   None of the following scenarios apply to my org, and I'm ready to move forward with my migration.

For all types of migrations, the following AD FS scenarios can't be migrated to Azure AD.
  • Custom attribute store to retrieve additional claims from LDAP and SQL
  • Non-Microsoft MFA provider integrated with AD FS Non-Microsoft Mobile Device Management (MDM) integrated with AD FS
  • Non-persistent virtual desktop infrastructure (VDI) with Windows 11 Windows Hello for Business in certificate authentication mode
  • Azure AD Cloud Sync with hybrid Azure AD join Dual-federation (for example, Azure commercial and Azure China 21Vianet)
  • Sign-in with SamAccountName or EmployeeID
For staged rollouts (migrating a small group), the following configurations are unsupported.
  • Legacy authentication, such as POP3 and SMTP
  • Nested groups, dynamic groups, and groups that contain contact objects If your application includes the "domain_hint" attribute
  • Windows 10 version 1903 or older for both hybrid Azure AD join or Azure AD join if user has a non-routable UPN

What to expect 

To get custom guidance for migrating to Azure AD, you'll first answer a few questions about your Active Directory Federation Services (AD FS) infrastructure. Then implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience while accessing your org's apps

Use the full tool here

Tuesday, January 31, 2023

Register for the Identity workshop for Developers Free

he Identity workshop for Developers, you will create an opportunity to upskill & upgrade to secure and contemporary practices while developing, integrating, migrating, and managing apps on the Microsoft Identity Platform. The workshop is designed to be hands-on, which will not only enable you to learn and practice the latest but also earn Badges. We look forward to your participation in the Identity workshop for Developers for an engaged and immersive learning experience. You have 3 opportunities to register for the workshop.

When: Tuesday - Thursday, February 14 to 16, 2023
Time: 9 AM UTC to 12 PM UTC (EMEA/IST)
Where: Microsoft Teams Meeting

When: Tuesday - Thursday, March 14-16, 2023
Time: 9:00 AM – 12:00 PM (Pacific Time)
Where: Microsoft Teams Meeting

Modules for the workshop:
  • Microsoft Identity Platform Overview
  • Fundamentals of Modern Authentication
  • Permissions and Consent
  • Migrating your Apps
  • Protecting APIs
  • Token Customization

The workshop will be a combination of discourses and hands-on modules.
Microsoft Privacy Statement - 

click here to register.

NIST Privacy Enhancing Cryptography (PEC) — Special Topics on Privacy and Public Auditability, Event

         What: "Special Topics on Privacy and Public Auditability" (STPPA) — Event 5.

STPPA: In the "Special Topics on Privacy and Public Auditability" series, the NIST privacy-enhancing cryptography (PEC) project, in the cryptographic technology group, hosts talks on various interconnected topics related to privacy and public auditability. The goal is to convey basic technical background, incite curiosity, suggest research questions and discuss applications, with an emphasis on the role of cryptographic tools.

For more information, contact:

Read More

Thursday, January 26, 2023

Ransomware Risk Management: A Cybersecurity Framework Profile an great document from NIST

 Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.


to download the publications go here