NIST Revises the Digital Signature Standard (DSS) and Publishes a Guideline for Elliptic Curve Domain Parameters
Today, NIST is publishing Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard (DSS), along with NIST Special Publication (SP) 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.
FIPS 186-5 specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data:
- Rivest-Shamir-Adleman (RSA) Algorithm
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Edwards Curve Digital Signature Algorithm (EdDSA)
The Digital Signature Algorithm (DSA), which was specified in prior versions of FIPS 186, is retained only for the purposes of verifying existing signatures.
The companion document, NIST SP 800-186, specifies the set of recommended elliptic curves. In addition to the previously recommended Weierstrass curves, there are two newly specified Edwards curves included for use with the EdDSA algorithm. Edwards curves provide increased performance, side-channel resistance, and simpler implementation when compared to traditional curves. While NIST SP 800-186 includes the specifications for elliptic curves over binary fields, these curves are now deprecated, and the use of other (prime) curves is strongly recommended.
The algorithms in these standards are not expected to provide resistance to attacks from a large-scale quantum computer. Digital signature algorithms that will provide security from quantum computers will be specified in future NIST publications. For more information, see the Post-Quantum Cryptography Standardization project.
Read More
Fri, 03 Feb 2023 14:04:00 +0000
Phishing Resistance – Protecting the Keys to Your Kingdom
|
Fri, 03 Feb 2023 13:39:00 +0000
Migrate from AD FS to Microsoft Azure Active Directory for identity management
The Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Using machine learning and human intelligence that looks across worldwide traffic can rapidly detect attacks and allow you to reconfigure almost in real time. None of the following scenarios apply to my org, and I'm ready to move forward with my migration.
- Custom attribute store to retrieve additional claims from LDAP and SQL
- Non-Microsoft MFA provider integrated with AD FS Non-Microsoft Mobile Device Management (MDM) integrated with AD FS
- Non-persistent virtual desktop infrastructure (VDI) with Windows 11 Windows Hello for Business in certificate authentication mode
- Azure AD Cloud Sync with hybrid Azure AD join Dual-federation (for example, Azure commercial and Azure China 21Vianet)
- Sign-in with SamAccountName or EmployeeID
- Legacy authentication, such as POP3 and SMTP
- Nested groups, dynamic groups, and groups that contain contact objects If your application includes the "domain_hint" attribute
- Windows 10 version 1903 or older for both hybrid Azure AD join or Azure AD join if user has a non-routable UPN
What to expect
To get custom guidance for migrating to Azure AD, you'll first answer a few questions about your Active Directory Federation Services (AD FS) infrastructure. Then implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience while accessing your org's apps
Thu, 02 Feb 2023 18:15:00 +0000
Register for the Identity workshop for Developers Free
When: Tuesday - Thursday, February 14 to 16, 2023
Time: 9 AM UTC to 12 PM UTC (EMEA/IST)
Where: Microsoft Teams Meeting
When: Tuesday - Thursday, March 14-16, 2023
Time: 9:00 AM – 12:00 PM (Pacific Time)
Where: Microsoft Teams Meeting
Modules for the workshop:
- Microsoft Identity Platform Overview
- Fundamentals of Modern Authentication
- Permissions and Consent
- Migrating your Apps
- Protecting APIs
- Token Customization
The workshop will be a combination of discourses and hands-on modules.
Microsoft Privacy Statement - https://privacy.microsoft.com/en-US/privacystatement
Tue, 31 Jan 2023 19:02:00 +0000
NIST Privacy Enhancing Cryptography (PEC) — Special Topics on Privacy and Public Auditability, Event
What: "Special Topics on Privacy and Public Auditability" (STPPA) — Event 5.
- New date & time: 2023-Feb-09, 12:00pm–15:50pm (Eastern Time)
- Featured topics: identity-based encryption (IBE), attribute-based encryption (ABE), broadcast encryption
- Format: Three talks and one panel conversation.
- Detailed info: https://csrc.nist.gov/events/2023/stppa5
- Free registration (via Webex): https://nist-secure.webex.com/weblink/register/r92f4ffc27fc2534733799ac4161f454e
- Tweet about the event: https://twitter.com/NISTcyber/status/1620080992936665097
- PEC-Forum: For future related announcements, you may also join the "PEC-forum" mailing list: https://csrc.nist.gov/projects/pec/email-list
STPPA: In the "Special Topics on Privacy and Public Auditability" series, the NIST privacy-enhancing cryptography (PEC) project, in the cryptographic technology group, hosts talks on various interconnected topics related to privacy and public auditability. The goal is to convey basic technical background, incite curiosity, suggest research questions and discuss applications, with an emphasis on the role of cryptographic tools.
For more information, contact: pec-stppa@nist.gov
Read More
Tue, 31 Jan 2023 16:31:00 +0000
Ransomware Risk Management: A Cybersecurity Framework Profile an great document from NIST
Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.
to download the publications go here
Thu, 26 Jan 2023 15:11:00 +0000
NIST AI Risk Management Framework Aims to Improve Trustworthiness
NIST today released its Artificial Intelligence Risk Management Framework (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the risks of AI technologies. The Framework seeks to cultivate trust in AI technologies and promote AI innovation while mitigating risk. The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors over the past 18 months.
AI RMF 1.0 was released at a livestreamed event today with Deputy Secretary of Commerce Don Graves, Under Secretary for Technology and Standards and NIST Director Laurie Locascio, Principal Deputy Director for Science and Society in the White House Office of Science and Technology Policy Alondra Nelson, House Science, Space, and Technology Chairman Frank Lucas and Ranking Member Zoe Lofgren, and panelists representing businesses and civil society. A recording of the event is available here.
NIST also today released, for public comment, a companion voluntary AI RMF Playbook, which suggests ways to navigate and use the framework, a Roadmap for future work to enhance the Framework and its use, and the first two AI RMF 1.0 crosswalks with key AI standards and US and EU documents.
NIST plans to work with the AI community to update the framework periodically and welcomes suggestions for additions and improvements to the Playbook at any time. Comments received through February 2023 will be included in an updated version of the Playbook to be released in spring 2023.
Sign up to receive email notifications about NIST’s AI activities here or contact us at: AIframework@nist.gov. Also, see information about how to engage in NIST’s broader AI activities.
Read More
Thu, 26 Jan 2023 15:06:00 +0000
Draft Call for Multi-Party Threshold Schemes: NIST IR 8214C ipd Available for Public Comment
NIST requests public comments on NIST IR 8214C ipd (initial public draft), NIST First Call for Multi-Party Threshold Schemes, for primitives organized into two categories:
- Cat1: selected NIST-specified primitives
- Cat2: other primitives not specified by NIST
The report specifies the various categories, subcategories, and requirements for a successful submission, including security characterization, technical description, open-source implementation, and performance evaluation. The process intends to help the NIST cryptographic technology group collect reference material to promote a public analysis of the viability of threshold schemes and related primitives. This will support the NIST multi-party threshold cryptography and privacy-enhancing cryptography projects in developing future recommendations.
Threshold schemes should NOT be submitted until the final version of this report is published. However, using the present draft as a baseline, potential submitters are encouraged to prepare early for future submissions.
The public comment period is open through April 10, 2023. See the publication details for a copy of the initial public draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Read More
Wed, 25 Jan 2023 18:38:00 +0000
Here is a list of the new state data privacy statutes slated to come online in 2023:
Here is a list of the new state data privacy statutes slated to come online in 2023:
(1) Most of the provisions of the California Privacy Rights Act (CPRA) become effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, similar to data protection agencies in the EU countries charged with enforcing the GDPR.
(2) The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for "high-risk" processing.
(3) The Connecticut Data Privacy Act (CDPA), like Colorado's new privacy law, goes into effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for "high risk" processing.
(4) The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights, and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.
(5) The Virginia Consumer Data Privacy Act (VCDPA) becomes effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the "right-to-delete" was replaced with a right to opt out from certain processing.
Tue, 24 Jan 2023 23:54:00 +0000
IPv6 Coming to Azure AD Important NOTICE
THIS IS A POST I FOUND ON MICROSOFT HERE
With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and IPv6 networks.
Today, we’re excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This will allow customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints.
For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Azure AD features or services. However, it is important you start planning and prepare for IPv6 support by taking the actions recommended in this blog, and also checking in for updated guidance at https://aka.ms/azureadipv6.
We’ll begin introducing IPv6 support into Azure AD services in a phased approach, starting March 31st, 2023.
We have guidance below which is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.
Customers who use named locations to identify specific network boundaries in their organization need to:
- Conduct an audit of existing named locations to anticipate potential impact;
- Work with your network partner to identify egress IPv6 addresses in use in your environment;
- Review and update existing named locations to include the identified IPv6 ranges.
Customers who use Conditional Access location based policies to restrict and secure access to their apps from specific networks need to:
- Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential impact;
- Review and update existing Conditional Access location based policies to ensure they continue to meet your organization’s security requirements.
We created an easy to remember link where we’ll continue to share additional guidance on IPv6 enablement in Azure AD. Access these details here: https://aka.ms/azureadipv6.
Learn more about Microsoft identity:
- Get to know Microsoft Entra – a comprehensive identity and access product family
- Return to the Microsoft Entra (Azure AD) blog home
- Join the conversation on Twitter and LinkedIn
- Share product suggestions on the Entra (Azure AD) forum
Tue, 24 Jan 2023 16:21:00 +0000