Author: jay f

 As a part of the periodic review of NIST’s cryptographic standards
and guidelines, NIST’s Crypto Publication Review Board announced
the review of FIPS 198-1 The
Keyed-Hash Message Authentication Code (HMAC) in August
2021. In response, NIST received public comments.

NIST proposes to convert FIPS 198-1 to a NIST Special Publication
(SP), and apply the following changes:

• Update the HMAC specification
  to include block sizes for the SHA-3 family of hash functions
• Include a discussion on
  truncation
• Improve the editorial quality
  and update references

Conversion to an SP: NIST typically specifies
fundamental cryptographic primitives—block ciphers, digital signatures
algorithms, and hash functions—as FIPS publications, whereas other
cryptographic schemes—modes of operation, message authentication codes,
etc.—are published as a part of the NIST SP 800 series. (For more information,
see Section 3 of NISTIR 7977.)
To be consistent with that approach, NIST proposes to convert FIPS 198-1 to an
SP.

In particular, NIST proposes to develop a draft SP for the HMAC
specification, updated as described above, which would be released for public
comment. When the SP is finalized and published, FIPS 198-1 would be withdrawn
simultaneously.

Send comments on the decision proposal by October 20, 2022 to [email protected]
with “Comments on FIPS 198-1 decision proposal” in the subject
line.  

Comments received in response to this request will be posted on the Crypto
Publication Review Project site after the due date. Submitters’
names and affiliations (when provided) will be included, while contact
information will be removed. See the project site for additional information
about the review process.

Read
More

 The National Institute of Standards and Technology (NIST) has
released the initial public draft of NIST Interagency Report (IR) 8427, Discussion on the Full Entropy Assumption of the SP 800-90
Series. This document is being released at the same time as the
third public draft of NIST Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions,
in support of the SP 800-90 series of publications.

The NIST SP 800-90 series supports the generation of high-quality
random bits for cryptographic and non-cryptographic use. The security of a
random number generator depends on the unpredictability of its outputs, which
can be measured in terms of entropy. The NIST SP 800-90 series uses min-entropy
to measure entropy. A full-entropy bitstring has an amount of entropy equal to
its length. Full-entropy bitstrings are important for cryptographic
applications, as these bitstrings have ideal randomness properties and may be
used for any cryptographic purpose. Due to the difficulty of generating and
testing full-entropy bitstrings, the SP 800-90 series assumes that a bitstring
has full entropy if the amount of entropy per bit is at least 1 – ε, where ε is
at most 2^-32. NIST IR 8427 provides a justification for the
selection of ε.

The public comment period for NIST IR 8427 is open through October
31, 2022. See the publication
details for a copy of the draft and instructions for submitting
comments.

Read
More

The Post-Quantum Cryptography (PQC) standardization process is
continuing into a fourth round with the following key-encapsulation mechanisms
(KEMs) still under consideration: BIKE, Classic McEliece, HQC, and SIKE.
However, there are no remaining digital signature candidates under
consideration. As such, NIST
is requesting additional digital signature proposals to be considered in the
PQC standardization process.

NIST is primarily interested in additional general-purpose
signature schemes that are not based on structured lattices. For certain
applications, such as certificate transparency, NIST may also be interested in
signature schemes that have short signatures and fast verification. NIST is
open to receiving additional submissions based on structured lattices but is
intent on diversifying the post-quantum signature standards.  As such, any
structured lattice-based signature proposal needs to significantly outperform
CRYSTALS-Dilithium and FALCON in relevant applications and ensure substantial
security properties in order to be considered for standardization.

Complete instructions on how to submit a candidate package,
including the minimal acceptability requirements, are posted on the PQC: Digital Signature Schemes project page.
The finalized evaluation criteria that will be used to assess the submissions
are also posted at the same website. Submission
packages must be received by NIST by June 1, 2023.

Read
More

 NIST is in the process of a periodic review and maintenance of its
cryptography standards and guidelines.   

This announcement initiates the review of Federal Information Processing
Standard (FIPS) 180-4, Secure Hash
Standard (SHS), 2015.

NIST requests public
comments on all aspects of FIPS 180-4. Additionally, NIST would
appreciate feedback on the following two areas of particular concern:

1. SHA-1. In recent years, the cryptanalytic attacks on the SHA-1
   hash function have become increasingly severe and practical (see, e.g., the 2020
   paper “SHA-1 is a Shambles” by Leurent and Peyrin).
   NIST, therefore, plans to remove SHA-1 from a revision of FIPS 180-4 and
   to deprecate and eventually disallow all uses of SHA-1. The Cryptographic
   Module Validation Program will establish a validation
   transition schedule.

*  How will this
plan impact fielded and planned SHA-1 implementations?
*  What should NIST consider in establishing the timeline for disallowing
SHA-1?

2. Interface. The “Init, Update, Final” interface was part
   of the SHA-3 Competition submission requirements. Should a revision of
   FIPS 180-4 discuss the “Init, Update, Final” hash function interface?

 The public comment period is open through September 9, 2022. Comments
may address the concerns raised in this announcement or other issues around
security, implementation, clarity, risk, or relevance to current
applications.  

Send comments to [email protected] with
“Comments on FIPS 180-4” in the Subject. 

For more information about the review process, visit the Crypto
Publication Review Project page. 

Read
More

 The Chief Information Security Office (CISO) workshop helps accelerate security program modernization with reference strategies built using Zero Trust principles.

The workshop covers all aspects of a comprehensive security program including strategic initiatives, roles and responsibilities, success metrics, maturity models, and more. Videos and slides can be found here.

This is free training

To learn more go here

 Free and Affordable Training with a focus on DFIR/Blue Team. Search only the free resources or search everything at once.

 

great site by DFIR Diva: Overview | LinkedIn 

This is a great resource for those pursuing Microsoft certification.

Join our experts as they provide tips, tricks, and strategies for preparing for a Microsoft Certification exam. Our exam prep videos will help you identify the key knowledge and skills measured on the exam and how to allocate your study time. Each video segment corresponds to a major topic area on the exam. Our trainer will point out objectives that many test takers find difficult. In these videos, we include example questions and answers with explanations. We recommend that you watch these videos after you have completed training or had some practice. However, you can watch them at any point in your certification journey. We also provide additional exam preparation resources

 

Exam Readiness Zone | Microsoft Docs

 Ever wonder what a Microsoft data center looks like i found this on the internet it is a great view and insight to data centers

We Live in the Cloud | Microsoft Story Labs

Comment Now: NCCoE Draft
Project Description for Mitigating AI Bias 

The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Mitigating
AI/ML Bias in Context: Establishing Practices for Testing, Evaluation,
Verification, and Validation of AI Systems. Publication of this
project description begins a process to solicit public comments for the project
requirements, scope, and hardware and software components for use in a
laboratory environment.

We want your feedback on this draft to help refine the project.
The comment period is now open and will close on September 16, 2022.

To tackle the complex problem of mitigating AI bias, this project
will adopt a comprehensive socio-technical approach to testing, evaluation,
verification, and validation (TEVV) of AI systems in context. This approach
will connect the technology to societal values in order to develop guidance for
recommended practices in deploying automated decision-making supported by AI/ML
systems. A small but novel part of this project will be to look at the
interplay between bias and cybersecurity and how they interact with each other.

The initial phase of the project will focus on a proof-of-concept
implementation for credit underwriting decisions in the financial services
sector. We intend to consider other application use cases, such as hiring and
school admissions, in the future. This project will result in a freely
available NIST SP 1800 Series Practice Guide.

Upcoming Workshop Update

Earlier this month, we announced a hybrid workshop on Mitigating AI
Bias in Context on Wednesday, August 31, 2022. The workshop will now
be virtual only via WebEx and will provide an opportunity to discuss this topic
and work towards finalizing this project description. You can register by
clicking on the above workshop link. We hope to see you there! 

We Want to Hear from You!

The public comment period for this draft is open through September
16, 2022. See the publication details for a copy of the draft and
instructions for submitting comments.

We value and welcome your input and look forward to your comments.

Comment
Now!

NIST requests public comments on the initial public draft (ipd) of
NIST IR 8214B, Notes on Threshold
EdDSA/Schnorr Signatures.
This report considers signature schemes that are compatible with the
verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA)
specified in Draft Federal Information Processing Standards (FIPS) publication
186-5. The report analyzes threshold schemes, where the private signing key is
secret-shared across multiple parties, and signatures can be produced without
the parties reconstructing the key. Security holds even if up to a threshold number
of parties has been compromised.

The report reviews the properties of EdDSA/Schnorr deterministic
and probabilistic signatures schemes, both in the conventional (non-threshold)
and threshold setting, summarizing various known properties and approaches.
These threshold signatures can allow for a drop-in replacement of conventional
signatures without changing the legacy code used for verification. This work is
useful to advance the NIST Multi-Party Threshold Cryptography project, which is
also interested in other primitives. The document suggests that it is
beneficial to further consult with the community of experts for security
formulations, technical descriptions, and reference implementations. 

The report includes a section for each of the following: 

• Conventional setting: gives
  context of conventional EdDSA/Schnorr-style signature schemes and their
  security properties; 
• Threshold approaches:
  summarizes various threshold approaches for deterministic and
  probabilistic schemes, at a high level; 
• Further considerations:
  describes how various aspects only arise in the threshold setting, thus
  requiring a more sophisticated analysis with respect to the security
  formulation; 
• Conclusions: identifies the
  need for additional analysis aided by the community of experts. 

The public comment period is open through October 24, 2022. See
the publication details for a copy of the draft and
instructions for submitting comments. 

 

NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see the Information Technology
Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications. 

Read
More