ITL Develops Refreshable Tactile Graphic Display Technology
In cooperation with the National Federation of the Blind, ITL has developed
a new refreshable tactile graphic technology that allows blind and visually
impaired users to view images using the sense of touch. Unlike current
devices that make a permanent record on plastic sheets or heavy-duty paper,
the NIST device has a reusable surface made up of thousands of rounded pins,
which can display a succession of images without the cost and disposal
problems of printouts.
This capability is
highly important to users who need to view a large number of images, or who
need to be able to modify images. Future applications include viewing web
graphics, science, engineering, mathematics, education, and design (both
technical and artistic). By using a passive pin locking mechanism, it is
believed that this technology will make possible tactile displays initially
in the range of $2000 to $3000, up to a factor
of twenty less expensive than performing a similar function using conventional piezoelectric
technology.
NIST has filed patents
for the new technology and is in discussion with manufacturers to add the
technology to their product lines. The website is http://www.itl.nist.gov/div895/isis/projects/brailleproject.html.
Test Report Validates ITL’s Computer Forensics Tool Testing Program
Our Computer Forensics
Tool Testing (CFTT) project helps to assure the accuracy of computer forensics
investigations. The first test report based on the CFTT program was recently
published by the National Institute of Justice at
http://www.ojp.usdoj.gov/nij/pubs-sum/196352.htm. The test report documents results of testing dd GNU fileutils 4.0.36 provided with Red Hat Linux 7.1 and resulted in procedural changes in computer forensics laboratories across the country. ITL developed the CFTT to provide a measure of assurance that the tools used in computer forensics investigations produce accurate results. We accomplish this by developing specifications and test methods for computer forensics tools.
Currently specifications are available for disk imaging and software write blocking tools. The test specifications and methods provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for the legal community and others to understand the tools’ capabilities. Our approach for testing computer forensic tools is based on well-recognized methodologies for conformance testing and quality testing.
The CFTT is a joint project of the National Institute of Justice, ITL, and other law enforcement agencies with participation from the broader computer forensics community. For more information, see http://www.cftt.nist.gov.
ITL’s Cryptographic Module Validation Program Validates 250th Cryptographic Module and Adds Seventh Testing Laboratory
The Cryptographic Module Validation Program (CMVP), run by the U.S. and Canadian governments, recently achieved a significant milestone by issuing the program’s 250th certificate. Lucent Technologies received the 250th certificate for their Access Point 300-ST product. This module was successfully validated as meeting the overall Level 1 security requirements of Federal Information Processing Standard (FIPS) 140-1, Security Requirements for Cryptographic Modules. The Access Point 300-ST is a next-generation, high performance Internet protocol (IP) Services router optimized for service providers wishing to quickly introduce high demand managed IP services at small to medium-sized enterprise customer premises locations.
The CMVP achieved yet another milestone by adding a seventh National Voluntary Laboratory Accreditation Program (NVLAP)-accredited laboratory. The addition of Logica Security Consulting, located in the United Kingdom, is significant since this is the first new laboratory added to the program outside of the U.S. and Canada. The seven CMVP testing laboratories test cryptographic modules to the requirements of FIPS 140-2. The CMVP continues its exponential growth by recently issuing the program’s 264th validation certificate. These 264 certificates actually represent over 300 separate modules by 74 different vendors.
The FIPS 140-1 and FIPS 140-2 Validated Modules List has become a “Who’s Who” of cryptographic and information technology vendors and developers from the U.S., Canada, and abroad. The list contains a complete range of security levels and a broad spectrum of product types including secure radios, Internet browsers, VPN devices, PC Postage equipment, cryptographic accelerators, secure tokens, smart cards, PDAs, and others. The recent validations impact federal agencies by further increasing the number and types of tested and validated cryptographic products available for use in securing sensitive information.
The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada. ITL’s Computer Security Division and CSE serve as the validation authorities for the program. The seven NVLAP-accredited laboratories that test cryptographic modules are Atlan Laboratories of McLean, Virginia, COACT Inc. CAFÉ Laboratory of Columbia, Maryland, CygnaCom Solutions Laboratory of McLean, Virginia, DOMUS IT Security Laboratory of Ottawa, Ontario, Canada, EWA - Canada LTD, IT Security Evaluation Facility of Ottawa, Ontario, Canada, InfoGard Laboratories of San Luis Obispo, California, and Logica Security Consulting of Surrey, UK. The website is http://www.nist.gov/cmvp.
On August 1, 2002, the Secretary of Commerce approved FIPS 180-2, Secure Hash Standard (SHS). The standard replaces FIPS 180-1, which was issued in 1992. FIPS 180-1 specified an algorithm (SHA-1) for producing a 160-bit output called a message digest. A message digest is a condensed representation of electronic data and is used in cryptographic processes, such as digital signatures, message authentication, and the generation of random numbers. FIPS 180-2 includes three additional algorithms, which produce 256-bit, 384-bit and 512-bit message digests. These expanded capabilities are compatible with and support the strengthened security requirements of FIPS 197, Advanced Encryption Standard. FIPS 180-2 is available at http://csrc.nist.gov/publications/fips/index.html.
UPDATE ON NEW PUBLICATIONS
ITL publishes the results of research, investigations, and conferences. The reports listed below may be available online or ordered from:
National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 605-6000
Rush Service (800) 553-6847
Fax (703) 321-8547 or (703) 321-9038
Home Page: http://www.ntis.gov/onow
Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
By P. Mell and T. Grance
NIST SP 800-51
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
The Common Vulnerabilities and Exposures (CVE) vulnerability naming scheme is a
dictionary of common names for publicly known information technology (IT)
system vulnerabilities. It is an emerging industry standard that has achieved
wide acceptance by the security industry and a number of government
organizations. Federal departments and agencies should use this standard for
computer vulnerability related activities.
Security Guide for Interconnecting Information Technology Systems
By T. Grance, J. Hash, S. Peck, J. Smith, and K. Korow-Diks
NIST SP 800-47
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
This document provides guidance for planning, establishing, maintaining, and
terminating interconnections between IT systems that are owned and operated by
different organizations. The document describes the benefits of interconnecting
IT systems, defines the basic components of an interconnection, identifies
methods and levels of interconnectivity, and discusses potential security
risks. Also presented is a life-cycle approach for system interconnections,
with an emphasis on security.
Security for Telecommuting and Broadband Communications
By D.R. Kuhn, S.E. Frankel, and M.C. Tracy
NIST SP 800-46
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
This document introduces broadband communication technologies and the security
considerations associated with them. It discusses the use of a personal
firewall, which is essential in protecting a home computer from intrusion, and
provides instructions on how to configure PCs and web browsers for added
security. It also explains home networking and how a home network can be
protected. Also covered are virtual private networks, which are sophisticated
technologies that can provide telecommuters with security approximating that
available from an isolated inter-office network.
Guidelines on Electronic Mail Security
By M. Tracy, W.A. Jansen, and S. Bisker
NIST SP 800-45
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
Electronic mail (e-mail) is perhaps the
most popularly used system for exchanging information over the Internet. It is
essential to secure mail servers and clients as well as the network
infrastructure that supports them. This document assists federal departments
and agencies, state agencies, and commercial organizations in installing,
configuring, and maintaining secure mail servers and mail clients. It presents
generic security principles and covers details specific to the various
components of a mail system.
Guidelines on Securing Public Web Servers
By M. Tracy, W.A. Jansen, and M. McLarnon
NIST SP 800-44
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
Web servers maintained for public use are normally the most targeted and attacked
hosts on an organization’s network. This document assists federal departments
and agencies, state agencies, and commercial organizations in installing,
configuring, and maintaining secure public web servers. It presents generic
security principles and covers details specific to the various components of
web content, web applications, and web servers.
Procedures for Handling Security Patches
By P. Mell and M. Tracy
NIST SP 800-40
September 2002
http://csrc.nist.gov/publications/nistpubs/index.html
Timely patching is critical to maintain the operational availability, confidentiality,
and integrity of IT systems. This special publication recommends methods to
help organizations have an explicit and documented patching and vulnerability
policy and a systematic, accountable, and documented process for handling
patches. This document also covers areas such as prioritizing patches,
obtaining patches, testing patches, and applying patches.
Comparative Statistical Analysis of Test Parts Manufactured in Production Environment
By D.E. Gilsinn and A.V. Ling
NISTIR 6868
June 2002
PB2002-104233, order from NTIS: $29.50 paper, $12.00 microfiche
This report describes an approach for estimating uncertainties of errors of machined
part features. The main conclusion of the work is that the Law of Propagation
of Uncertainties can be used to estimate machining uncertainties and that
predicted uncertainties could be related to actual part error uncertainties.
UPCOMING TECHNICAL CONFERENCES
16th Annual FISSEA Conference
With a theme of “FISSEA: Securing Your Cyber Frontier Through Awareness, Training, and Education,” this conference will focus on how federal agencies are empowering their workforce through IT security awareness, training, and education. Topics include preparation for the Government Information Security Reform Act (GISRA), awareness, training, and education resources, and OPM and DoD scholarships.
Co-Sponsors: NIST and the Federal Information Systems Security Educators’ Association (FISSEA)
Dates: March 4-6, 2003
Place: Hilton Hotel, Silver Spring, MD
Cost: $275.00
http://csrc.nist.gov/organizations/fissea/index.html
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.