|
|
|
|
|
|
|
|
|
New Three-Part Webinar Series and Share your Input on Draft NIST SP 800-63-4, Digital Identity Guidelines
NIST is hosting a new webinar series to gain critical input on Draft NIST
Special Publication 800-63 Revision 4, Digital
Identity Guidelines. During these three separate virtual
events, NIST moderators will explore different aspects of the guidance with
expert panelists and seek additional input from the public via a moderated
Slack discussion and extended Q&A.
Webinar #1: Digital Identity Risk Management and Assurance Level
Selection
Details:
This webinar will feature a discussion about digital identity
risks. Panelists will explore the various lenses through which digital identity
can be viewed, the variety and breadth of associated risks, and how those risks
might be considered in organizational, societal, and individual contexts.
Webinar #2: Innovating Identity Proofing
Details:
This webinar will focus on the changes NIST has made to identity
proofing guidance and illicit inputs on how the government and industry can
continue to innovate on identity proofing technology and services. Panelists
will discuss leading practices in commercial and public sector use cases,
emerging trends, areas of continued improvement, and techniques that may
provide additional optionality and choice for end users.
Webinar #3: The Future of Authentication
Details:
This webinar will focus on the evolving nature of authentication
technology and how organizations and NIST are addressing new innovations in the
space. Panelists will explore phishing resistant authentication, trends in
multifactor authentication, and the challenges with moving on from SMS
authentication.
Learn
More
High-Performance Computing (HPC) Security: Draft NIST SP 800-223
NIST is requesting public comments on the initial public draft of
Special Publication (SP) 800-223, High-Performance
Computing (HPC) Security: Architecture, Threat Analysis, and Security Posture.
Executive Order 13702 established the National Strategic Computing
Initiative (NSCI) to maximize the benefits of high-performance computing (HPC)
for economic competitiveness and scientific discovery. Securing HPC systems is
challenging due to their size; performance requirements; diverse and complex
hardware, software, and applications; varying security requirements; the nature
of shared resources; and the continuing evolution of HPC systems.
Draft SP 800-223 provides guidance on standardizing and
facilitating the sharing of HPC security postures by introducing a zone-based
HPC system reference model that captures common features of HPC systems and
serves as a foundation for a system lexicon. The draft also discusses HPC
system threat analysis, security postures, challenges, and recommendations.
The public comment period for this
initial public draft is open through April 7, 2022. See
the publication
details for a copy of the draft and instructions for submitting
comments. Additional information can be found at the NIST HPC Security
Working Group website. A 3rd High-Performance Computing
Workshop will be held March 15-16, 2023; see the event page
for more details and a registration link.
NOTE:
A call for patent claims is included on page ii of this document. For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications.
Read
More
NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices
Lightweight electronics, meet the heavyweight champion for
protecting your information: Security experts at the National Institute of
Standards and Technology (NIST) have announced a victor in their program to
find a worthy defender of data generated by small devices. The winner, a group
of cryptographic algorithms called Ascon, will be published as NIST’s lightweight
cryptography standard later in 2023.
The chosen algorithms are designed to protect information created
and transmitted by the Internet of Things (IoT), including its myriad tiny
sensors and actuators. They are also designed for other miniature technologies
such as implanted medical devices, stress detectors inside roads and bridges,
and keyless entry fobs for vehicles. Devices like these need “lightweight
cryptography” — protection that uses the limited amount of electronic resources
they possess. According to NIST computer scientist Kerry McKay, the newly
selected algorithms should be appropriate for most forms of tiny tech.
VMware ESXi have come under attack
Patch your VMware ESXi
Servers running the popular
virtualization hypervisor VMware ESXi have come under attack from at least one
ransomware group over the past week, likely following scanning activity to
identify hosts with Open Service Location Protocol (OpenSLP) vulnerabilities.
Specifically, threat actors have
been taking advantage of unpatched systems vulnerable to CVE-2020-3992 and CVE-2021-21974 that, when
exploited, can allow remote code execution.
Of the incidents observed thus
far, a ransomware-as-a-service (RaaS) group known as Nevada, appears to
be responsible ― although their ransom note shares many similarities with
Cheerscrypt, a ransomware threat that targeted ESXi in early- to mid-2022.
Attend Microsoft Secure
|
Join Why join Microsoft Secure? By · · · · Register now Thank |
NIST Cloud Computing Forensic Reference Architecture: NIST Requests Public Comments on SP 800-201
The initial public draft of NIST Special Publication (SP) 800-201,
NIST Cloud
Computing Forensic Reference Architecture, is now
available for public comment. This document addresses the need to support a
cloud system’s forensic readiness, which is the ability to quickly and
effectively collect digital evidence with minimal investigation costs.
The document presents a reference architecture to help users
understand the forensic challenges that might exist for an organization’s cloud
system based on its architectural capabilities, as well as the mitigation
strategies that might be required. The reference architecture is both a
methodology and an initial implementation that can be used by cloud system
architects, cloud engineers, forensic practitioners, and cloud consumers to
analyze and review their cloud computing architectures for forensic readiness.
The public comment period for this
initial public draft is open through March 31, 2023. See
the publication
details for a copy of the draft and instructions for submitting
comments.
NOTE:
A call for patent claims is included on page ii of this document. For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications.
Read
More
Proposal to Update NIST SP 800-38E, Using the XTS-AES Mode for Confidentiality on Storage Devices
In August 2021, NIST’s Crypto Publication Review
Board announced the review of NIST Special Publication (SP) 800-38E, Recommendation
for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on
Storage Devices. In response, NIST received public comments.
NIST proposes to update SP 800-38E to
address the editorial suggestions in the public comments. In particular, the
updated publication will mention the security vulnerability that results when
the two AES (sub)keys are improperly generated to be identical, as discussed in
Annex C.I of Implementation
Guidance for FIPS 140-3 and the Cryptographic Module Validation Program.
The updated SP 800-38E would be published without a period of
public comment.
Submit your comments on
this decision proposal by March 10, 2023. See the
full announcement,
which includes NIST’s rationale for this proposal and instructions for
submitting comments.
Read
More
Comment Period Extended to Feb. 27th for NIST SP 800-55 Initial Working Draft
NIST is extending the public comment due date to February
27, 2023, for the initial working draft (iwd) of NIST Special
Publication (SP) 800-55r2, Performance Measurement Guide for Information
Security. See the publication
details for a copy of the draft and instructions for submitting
comments.
Read
More
NIST Revises the Digital Signature Standard (DSS) and Publishes a Guideline for Elliptic Curve Domain Parameters
Today, NIST is publishing Federal Information Processing Standard
(FIPS) 186-5, Digital Signature
Standard (DSS), along with NIST Special Publication (SP)
800-186, Recommendations
for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.
FIPS 186-5 specifies three techniques for the generation and
verification of digital signatures that can be used for the protection of data:
- Rivest-Shamir-Adleman (RSA)
Algorithm - Elliptic Curve Digital
Signature Algorithm (ECDSA) - Edwards Curve Digital Signature
Algorithm (EdDSA)
The Digital Signature Algorithm (DSA), which was specified in
prior versions of FIPS 186, is retained only for the purposes of verifying
existing signatures.
The companion document, NIST SP 800-186, specifies the set of
recommended elliptic curves. In addition to the previously recommended
Weierstrass curves, there are two newly specified Edwards curves included for
use with the EdDSA algorithm. Edwards curves provide increased
performance, side-channel resistance, and simpler implementation when compared
to traditional curves. While NIST SP 800-186 includes the specifications
for elliptic curves over binary fields, these curves are now deprecated, and the
use of other (prime) curves is strongly recommended.
The algorithms in these standards are not expected to provide
resistance to attacks from a large-scale quantum computer. Digital
signature algorithms that will provide security from quantum computers will be specified
in future NIST publications. For more information, see the Post-Quantum
Cryptography Standardization project.