NIST-DEVELOPED VOTING SYSTEM GUIDELINES APPROVED FOR THE NATION
On December 13, 2005, the U.S. Election Assistance Commission (EAC) formally adopted voluntary voting system guidelines (VVSG) for the nation (http://www.eac.gov/vvsg_intro.htm). The initial recommendations for these guidelines were completed in May 2005 by the Technical Guidelines Development Committee (TGDC), chaired by NIST Director William Jeffrey and mandated by the Help America Vote Act (HAVA) of 2002. The final VVSG is a result of a public comment and editing process that took place after the initial recommendations were delivered to the EAC by the TGDC. ITL scientists contributed their technical expertise in security, human factors, and core requirements to the recommendations in the standards development process as well as to the EAC in the public comment resolution process. For more information on NIST’s work, see http://vote.nist.gov.
In other voting news, the NIST voting team initiated a web-based threats catalog as an outcome of a recent workshop on “Developing an Analysis of Threats to Voting Systems.” Over 130 members of the election community attended the workshop, including vendors, state election directors, and university researchers. The workshop solicited threat analysis material and gathered critical analysis of the collected threats, the plausibility of various scenarios, assumptions made, and lessons learned as a result of the analysis. The team organized the collected information into a voting system threats catalog, which is available at http://vote.nist.gov/threats/index.html. Additional threat papers and comments on threat papers will be posted as they are received from the election community.
ITL Leads Effort to Secure Domain Name System
ITL recently conducted a two-day policy-to-practice workshop on emerging Domain Name System Security (DNSSEC) standards and technologies. This early-adopters workshop targeted select federal agencies (e.g., General Services Administration, Department of Homeland Security, and Department of Commerce) that are vital to ITL's efforts to make the U.S. Government a global leader in the adoption and deployment of DNSSEC technologies.
The Domain Name System (DNS) is a globally distributed database that provides two-way mappings between names (e.g., www.nist.gov) and Internet Protocol (IP) addresses (e.g., 129.6.13.23). Practically all Internet communications are initiated with a DNS request to resolve a name to an IP address. Although arguably one of the most critical components of the Internet's core infrastructure, the current operational DNS is extremely vulnerable to malicious attack. Examples of such attacks include “zone hijacking” in which third parties impersonate entire DNS zones (e.g., nist.gov.) and redirect network traffic towards their own machines for malicious purposes.
The National Strategy to Secure Cyberspace identified the need to address these inherent vulnerabilities in the DNS as a national priority. ITL's Trustworthy Networking program responded to this mandate by taking a leadership role in the Internet Engineering Task Force (IETF) effort to design and standardize protocol extensions to secure the DNS. Under ITL's technical leadership, the IETF has recently developed industry consensus standards for the base DNSSEC specifications. The website is http://w3.antd.nist.gov/iipp.shtml.
ITL Releases Reference Implementation of Sparse BLAS Standard
ITL recently released a reference implementation of the Sparse Basic Linear Algebra Subprogram (BLAS) standard in ANSI/ISO C++. The Sparse BLAS standardize the user interface to routines for performing elementary operations on sparse matrices. Sparse matrices represent systems of linear equations in which only a few elements per row are non-zero. Operations on very large sparse matrices form the innermost kernel of the solution to mathematical problems at the core of a very wide range of applications, from fluid flow to structural mechanics.
The new release of the NIST Sparse BLAS provides a baseline, source-code-portable C++ implementation with the complete functionality of the Sparse BLAS standard, including 79 functions and 23 matrix/vector properties. It establishes a portable software platform upon which architecture-specific or application-specific optimized versions can be developed. It also serves as a reference against which optimized implementations can be compared for testing purposes.
The interface specification was one of the outcomes of a five-year standardization effort of the BLAS Technical Forum, with participants from industry, academia, and government. ITL led the subcommittee which developed the Sparse BLAS specification. The website is http://math.nist.gov/spblas/.
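To make concrete what the elementary operations described above look like, the following is an added illustration of compressed sparse row (CSR) storage and a sparse matrix-vector product. It is example code written for this page, not the NIST reference implementation and not the Sparse BLAS interface itself; the names (Triplet, CsrMatrix, buildCsr, spmv, sampleMatrix) and the 4x4 sample system are assumptions constructed for the illustration.

```cpp
// Added example: CSR storage and y = A*x over the stored non-zeros only.
// Illustrative code, not NIST's Sparse BLAS reference implementation.
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <vector>

struct Triplet { std::size_t row, col; double val; };

struct CsrMatrix {
    std::size_t nrows = 0, ncols = 0;
    std::vector<std::size_t> rowPtr;  // size nrows+1; row i occupies [rowPtr[i], rowPtr[i+1])
    std::vector<std::size_t> colIdx;  // column index of each stored non-zero
    std::vector<double> values;       // the stored non-zero values
};

// Build CSR from (row, col, value) triplets: sort by row then column,
// sum duplicate coordinates, drop explicit zeros and out-of-range entries.
CsrMatrix buildCsr(std::size_t nrows, std::size_t ncols, std::vector<Triplet> entries) {
    std::sort(entries.begin(), entries.end(), [](const Triplet& a, const Triplet& b) {
        return a.row != b.row ? a.row < b.row : a.col < b.col;
    });
    std::vector<Triplet> compact;
    for (const Triplet& t : entries) {
        if (t.row >= nrows || t.col >= ncols) continue;
        if (!compact.empty() && compact.back().row == t.row && compact.back().col == t.col)
            compact.back().val += t.val;
        else
            compact.push_back(t);
    }
    CsrMatrix m;
    m.nrows = nrows;
    m.ncols = ncols;
    m.rowPtr.assign(nrows + 1, 0);
    for (const Triplet& t : compact) {
        if (t.val == 0.0) continue;
        m.colIdx.push_back(t.col);
        m.values.push_back(t.val);
        ++m.rowPtr[t.row + 1];       // count non-zeros per row ...
    }
    for (std::size_t i = 0; i < nrows; ++i)
        m.rowPtr[i + 1] += m.rowPtr[i];  // ... then prefix-sum into row offsets
    return m;
}

std::size_t nnz(const CsrMatrix& A) { return A.values.size(); }

// y = A*x; cost is O(nnz), not O(nrows*ncols), which is the point of sparse storage.
std::vector<double> spmv(const CsrMatrix& A, const std::vector<double>& x) {
    if (x.size() != A.ncols) throw std::invalid_argument("x length must equal ncols");
    std::vector<double> y(A.nrows, 0.0);
    for (std::size_t i = 0; i < A.nrows; ++i) {
        double acc = 0.0;
        for (std::size_t k = A.rowPtr[i]; k < A.rowPtr[i + 1]; ++k)
            acc += A.values[k] * x[A.colIdx[k]];
        y[i] = acc;
    }
    return y;
}

// Constructed sample: a 4x4 tridiagonal system of the kind a 1-D finite-difference
// discretization produces (at most three non-zeros per row). The final triplet is a
// deliberate duplicate of (3,3) to show that duplicates are summed, not double-stored.
CsrMatrix sampleMatrix() {
    return buildCsr(4, 4, {
        {0, 0,  2.0}, {0, 1, -1.0},
        {1, 0, -1.0}, {1, 1,  2.0}, {1, 2, -1.0},
        {2, 1, -1.0}, {2, 2,  2.0}, {2, 3, -1.0},
        {3, 2, -1.0}, {3, 3,  2.0},
        {3, 3,  0.0},
    });
}

// Stand-alone usage: with x = (1,1,1,1) the product is y = (1,0,0,1) and nnz = 10.
int main() {
    CsrMatrix A = sampleMatrix();
    std::vector<double> y = spmv(A, {1.0, 1.0, 1.0, 1.0});
    return (nnz(A) == 10 && y[0] == 1.0 && y[1] == 0.0 && y[2] == 0.0 && y[3] == 1.0) ? 0 : 1;
}
```

Only the ten stored coefficients are touched by the multiply; a dense 4x4 product would read sixteen. For the very large systems the announcement refers to, that difference in both memory and arithmetic is what makes the sparse kernel the inner loop worth standardizing.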
Our list of selected new publications, available online, features work in information security, imaging, biometrics, and cell phone forensic tools.
Guide to Malware Incident Prevention and Handling
By Peter Mell, Karen Kent, and Joseph Nusbaum
NIST Special Publication (SP) 800-83
November 2005
http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
This publication provides recommendations for improving an organization’s malware incident prevention measures. It gives extensive recommendations for enhancing an organization’s existing incident response capability to handle malware incidents, particularly widespread ones.
Guide to IPsec VPNs
By Sheila Frankel, Karen Kent, Ryan Lewkowski, Angela D. Orebaugh, Ronald W. Ritchey, and Steven R. Sharma
NIST SP 800-77
December 2005
http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
This document discusses the need for network layer security and introduces the concept of virtual private networking (VPN). It covers the fundamentals of Internet protocol security (IPsec), focusing on its primary components: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and the Internet Key Exchange (IKE). Also described are issues to be considered during IPsec planning and implementation, and alternatives to IPsec. The document presents several case studies of IPsec scenarios and discusses future directions for IPsec.
Creating a Patch and Vulnerability Management Program
By Peter Mell, Tiffany Bergeron, and David Henning
NIST SP 800-40, Version 2.0
November 2005
http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
This document provides guidance on creating a security patch and vulnerability management program and on testing the effectiveness of the program. It targets security managers who are responsible for designing and implementing such a program. The document also contains information useful to system administrators and operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing patches and enterprise patching software).
Guideline for Implementing Cryptography in the Federal Government
By Elaine B. Barker, William C. Barker, and Annabelle Lee
NIST Special Publication 800-21-1, Second Edition
December 2005
http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf
The Second Edition of NIST SP 800-21 updates and replaces the November 1999 edition of Guideline for Implementing Cryptography in the Federal Government. NIST SP 800-21-1 provides a structured, yet flexible set of guidelines for selecting, specifying, employing, and evaluating cryptographic protection mechanisms in federal information systems—and thus makes a significant contribution toward satisfying the security requirements of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
APEX Blind Deconvolution of Real Hubble Space Telescope Imagery and Other Astronomical Data
By Alfred Carasso
NISTIR 7283
December 2005
E-mail alfred.carasso@nist.gov for copy
The APEX method is a non-iterative, single frame, direct blind deconvolution technique that can sharpen certain kinds of high resolution images in quasi real-time. The method is predicated on a restricted class of blurs, in the form of 2D heavy-tailed bell-shaped surfaces. Not all images can be usefully enhanced with the APEX method. Nevertheless, the method is found effective on a broad class of galaxy images, including color Hubble Space Telescope ACS imagery. APEX-detected optical transfer functions that successfully sharpen these images are far from Gaussian and of a type not commonly found in the astronomical imaging literature. Visually striking enhancements are obtained, with significant sharpening confirmed by better than threefold increases in image gradient norms.
The Impact of RAID on Disk Imaging
By Steven L. Mead
NISTIR 7276
December 2005
E-mail steven.mead@nist.gov for copy
In the time since disk imaging specifications were developed, Redundant Arrays of Inexpensive Disks (RAID) devices are increasingly being encountered by law enforcement. This paper examines RAID and identifies where it may impact disk imaging in either completeness or accuracy. Additionally, findings that might be of special concern to investigators are identified and researched further. ITL develops specifications, assertions, and testing methodology to assess how well imaging tools function as part of the Computer Forensic Tool Testing (CFTT) project, which ensures that tools used by law enforcement produce accurate and objective results.
The Myth of the Goats: How Many People Have Fingerprints that are Hard to Match?
By Austin Hicklin, Brad Ulery, and Craig Watson
NISTIR 7271
September 2005
http://www.itl.nist.gov/iaui/894.03/pact/ir_7271.pdf
The proportion of people who have fingerprints that are particularly hard to match (also known as "Goats") is a topic of great interest in biometrics, especially for those involved in the design, development, or evaluation of fingerprint-based identification or verification systems. There have been a variety of statements made in the recent past that a small percentage of people (usually 2 percent) cannot be fingerprinted due to poor quality fingers. This study shows these statements are based on misconceptions: the fact that some small percentage of fingerprints may be hard to match does not mean that a corresponding percentage of people are hard to match.
Cell Phone Forensic Tools: An Overview and Analysis
By Rick Ayers, Wayne Jansen, Nicolas Cilleros, and Ronan Daniellou
NISTIR 7250
October 2005
http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software that is designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and discusses their capabilities and limitations.
UPCOMING TECHNICAL CONFERENCES
Hands-on Workshop on Estimating and Reporting Measurement Uncertainty
The purpose of this workshop is to describe the statistical framework and methods needed to develop uncertainty statements based on the ISO Guide to the Expression of Uncertainty in Measurement. The target audience is industry and government metrologists.
Dates: February 27-28, 2005
Place: Measurement Science Conference, Anaheim, California
Technical contact: Will Guthrie, 301-975-2854, william.guthrie@nist.gov
Conference website: http://www.msc-conf.com/msc/index.html
Regression Analysis Using NIST/SEMATECH e-Handbook of Statistical Methods
This workshop will use the handbook to present and illustrate the basics of linear and nonlinear regression along with other topics that are related to regression, such as prediction and calibration. The workshop will emphasize, through practical examples, the proper application of regression techniques. The target audience is industry and government managers.
Dates: February 27-28, 2005
Place: Measurement Science Conference, Anaheim, California
Technical contact: Jolene Splett, 303-497-3808, jsplett@boulder.nist.gov
Conference website: http://www.msc-conf.com/msc/index.html
Experiment Design, Calibrations and Interlaboratory Studies
This workshop presents a general overview of experiment design principles and techniques. Statistical issues for use in calibrations and analysis methods of interlaboratory experiments will be demonstrated through practical examples. With a target audience of industry and government metrologists, an understanding of basic statistics will be assumed.
Dates: February 27-28, 2005
Place: Measurement Science Conference, Anaheim, California
Technical contact: Ivelisse Aviles, a.aviles@nist.gov
Conference website: http://www.msc-conf.com/msc/index.html
FISSEA Conference
With the theme of “Training for a Cyber-Secure Future,” this conference presents topics of information systems security awareness, training, education, resources, certifications, FISMA, trends, practical solutions, and performance metrics. The target audience is IT security professionals, educators, CIOs, academia, and researchers involved with information systems education and certification.
Dates: March 20-21, 2006
Place: Marriott Hotel and Conference Center, North Bethesda, Maryland
Sponsors: NIST and Federal Information Systems Security Educators’ Association (FISSEA)
NIST contact: Peggy Himes, peggy.himes@nist.gov
Conference website: http://www.nist.gov/public_affairs/confpage/060320.htm
5th Annual PKI R&D Workshop: Making PKI Easy to Use
This workshop considers the full range of public key technology (PKI) used for security decisions and supporting functionalities, including authentication, authorization, identity (syndication, federation, and aggregation), and trust. This year, the workshop has a particular interest in novel approaches to simplifying the use and management of X.509 digital certificates, both within and across enterprises. The target audience is security researchers from academia and industry.
Dates: April 4-6, 2006
Place: NIST, Gaithersburg, Maryland
Sponsors: NIST, National Institutes of Health, and Internet 2, in cooperation with OASIS
NIST contact: Nelson Hastings, nelson.hastings@nist.gov
Conference website: http://www.nist.gov/public_affairs/confpage/060404.htm
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.