Abbreviation for National Institute of Standards and Technology, a US government institution which publishes standards, most notably the FIPS 140-2 standard for cryptographic modules.
Questions tagged [nist]
74 questions
60
votes
4 answers
What is SHA-3 and why did we change it?
On the 2nd of October NIST decided that SHA-3 is the new standard hashing algorithm. Does this mean we need to stop using SHA-2 as it is not secure?
What is this SHA-3 anyway?
Lucas Kauffman
- 54,169
- 17
- 112
- 196
36
votes
1 answer
Which is the Best Cipher Mode and Padding Mode for AES Encryption?
As per PCI-DSS 3.4 requirement:
For storing Credit Card Data Strong Cryptography should be used.
I decided to use AES Encryption which is a strong and mostly recommended crypto for encrypting Credit Card Details.
I saw that AES has Cipher Mode and…
RajeshKannan
- 585
- 2
- 7
- 12
25
votes
4 answers
Difference between hardening guides (CIS, NSA, DISA)
I'm researching OS hardening and it seems there are a variety of recommended configuration guides. I realize the different configuration providers supply different offerings per Operating System, but let's assume (for convenience) we're talking…
blong
- 359
- 1
- 3
- 9
25
votes
6 answers
Password entry: are "paste from password manager" and "eyeball to view passwords" mutually-exclusive features?
Context
NIST SP 800-63b gives the following guidance for password forms (aka login pages):
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are…
Mike Ounsworth
- 57,707
- 21
- 150
- 207
21
votes
1 answer
Has SHA-3 Arrived?
I know NIST called for contenders (in 2007) regarding the new hash algorithm to replace SHA-2. Has there been a selection, or finalists selected?
Abdu
- 511
- 4
- 12
10
votes
2 answers
Password expiration and compliance (ISO, NIST, PCI, etc)
I'm quite confused about what is the current state in 2017 for the idea of password expiration/rotation especially related to security certifications as ISO, PCI, etc. I keep reading that password expiration is not very useful, but I've found…
Jacob
- 233
- 1
- 2
- 7
8
votes
2 answers
More secure curve than Curve25519
As far as I know, Curve25519 offers "only" a security level equal to a 128-bit symmetric cipher.
I'd like to know if there are new (not NIST) curves which provide a security level comparable to a 256-bit cipher AND are already used by some…
K. Biermann
- 364
- 2
- 11
8
votes
2 answers
How can Network Disconnect be implemented for RDP on a Windows system (2003/XP or later)?
From NIST SP 800-53, Rev. 3:
SC-10 NETWORK DISCONNECT
Control: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of…
Iszi
- 26,997
- 18
- 98
- 163
7
votes
2 answers
How can IA-5(1)(b) be enforced on Windows systems?
Note: I've also posted a question for this issue on non-Windows systems.
In NIST SP 800-53 Rev. 3, IA-5 is the control addressing "Authenticator Management". The requirements in this control include such things as enforcement of password length,…
Iszi
- 26,997
- 18
- 98
- 163
6
votes
1 answer
Who can certify an RNG according to NIST SP800-22?
I have written my own random number generator as a C library and I tested it with the NIST Statistical Test Suite.
Now I would like to get a certification to have a formal proof that my C library generates random numbers randomly enough according…
user1563721
- 1,099
- 11
- 22
6
votes
2 answers
What is the recommended expiration for a password reset link?
What is the recommended expiration for a password reset link generated for a user?
Citations/ links to NIST guidelines and documentation are very much appreciated.
ztech
- 163
- 1
- 4
6
votes
3 answers
Security Testing Methods for Enterprise Level
I have been asked to perform a risk assessment for a company. The scope covers about 100 applications in various business units. The major task is to assess currently implemented security controls and provide recommendations after the assessment…
ray bash
- 61
- 1
5
votes
1 answer
CCM instead of key wrap
Is there any instance of NIST or other encryption standards using AES-CCM to encrypt/authenticate key data? I would like to use CCM over a key wrap function, but cannot find any precedent for this in cryptography standards.
If by design I guarantee…
rose
- 183
- 4
5
votes
1 answer
NIST test vectors for HMAC-SHA-256
I'm working on an implementation of HMAC-SHA-256 in classic ASP (legacy code). I currently have it working, and the resulting values are correct compared to some test cases I came up with along with test cases found in RFC4231. Does NIST have…
nerdybeardo
- 273
- 2
- 7
5
votes
2 answers
Why is NIST removing & not updating TLS guidance? What is the replacement?
The document NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, was retired without being superseded by a newer document.
In addition there is a Network World article that mentions…
Drew Lex
- 2,013
- 2
- 19
- 24