FYI - A LETTER FROM THE COMPUTER SYSTEMS LABORATORY
August 1993

TRACKING DEVELOPMENTS IN TRUSTED SYSTEMS

The 16th National Computer Security Conference, to be held September 20-23, 1993, at the Baltimore Convention Center, will dedicate a full track to Information Technology (IT) Security Criteria and Evaluation. The track will expand on the collaborative effort between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to develop a security criteria document suitable for use by both government and industry. The objectives are to enhance the development and evaluation of IT products with security features and to develop an extensible and flexible framework for defining new requirements for IT security products that will be used by the international IT community.

The new track will focus on IT security criteria efforts over the last year. An introduction to the Federal Criteria will be followed by tutorials on protection profile development and the potential ways in which profiles may be reviewed and registered for use by product developers, customers, and evaluators. Other panel discussions will include a comparison of the current evaluation processes in North America and Europe and a report on the status and plans for a commercial security evaluation process in the U.S.

The track will also feature a panel discussion on a new international project to develop common IT security criteria that will align existing national criteria. NIST and NSA officials announced the project during the Federal Criteria Invitational Workshop, held on June 2-3, 1993. The project is a joint activity of the governments of the U.S., Canada, and European nations. Six government IT security officials from these nations have formed the Common Criteria Editorial Board (CCEB).
Presenting their perspectives, CCEB panel members will describe their work, the starting documents, and the timetable for planned draft criteria, review, and trial use periods. Ellen Flahavin, coordinator for the Criteria and Evaluation track, expects IT professionals from around the world to attend these sessions.

For specific information on the track, contact Ellen at NIST, Computer Systems Laboratory, POLY A241, Gaithersburg, MD 20899-0001, telephone (301) 975-3871. For general information on the computer security conference, see the Upcoming Technical Conferences section of the newsletter. We welcome your participation in the 16th National Computer Security Conference and look forward to seeing you at the Baltimore Convention Center at the Inner Harbor in September.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

Secure Hash Standard Approved for Federal Agency Use

On May 11, 1993, the Secretary of Commerce approved FIPS 180, Secure Hash Standard, for use by federal agencies in protecting unclassified information that is not subject to section 2315 of Title 10, United States Code, or section 3502(2) of Title 44, United States Code. Effective October 15, 1993, FIPS 180 specifies a Secure Hash Algorithm (SHA) which can be used to generate a condensed 160-bit representation of a message called a message digest. The SHA is required for use with the planned Digital Signature Algorithm (DSA) and whenever a secure hash algorithm is required for federal applications. Private and commercial organizations are encouraged to adopt and use the standard.

The SHA is used by both the transmitter and the intended receiver of a message in computing and verifying a digital signature. Appropriate applications of the SHA include electronic mail, electronic funds transfer, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication.
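The following is an added example, written for this page by the editor and not code from the newsletter or from NIST: a pure-Python implementation of the FIPS 180 algorithm (padding, 80-word message schedule, four-stage compression function) so the structure the standard specifies can be read in working code. It goes one step beyond the page: the 1993 algorithm was revised in 1995 as FIPS 180-1 (today's SHA-1, with the 1993 version now called SHA-0), and the only difference is a one-bit left rotation of each expanded schedule word, so a `fips_180_1` flag selects that rotation and lets the SHA-1 path be cross-checked against `hashlib`. The function names `sha`, `hexdigest`, `digest_matches` and `matches_hashlib_sha1` are the editor's, and the test messages are the standard "abc" and 56-byte vectors.

```python
"""FIPS 180 Secure Hash Algorithm (1993) in pure Python.

The 1993 algorithm (now usually called SHA-0) and the 1995 revision in
FIPS 180-1 (SHA-1) differ in exactly one operation: FIPS 180-1 rotates
each expanded message word W[t], t >= 16, left by one bit.  The flag
`fips_180_1` selects that rotation so the SHA-1 path can be checked
against hashlib; the default path is the algorithm the newsletter
announces.  Example code added by the editor, not NIST's.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF

# Initial hash values H0..H4 and the four round constants from the standard.
INITIAL_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def _rotl(x: int, n: int) -> int:
    """Circular left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _pad(message: bytes) -> bytes:
    """Append a single 1 bit, zeros up to 56 bytes mod 64, then the 64-bit
    big-endian bit length, giving a whole number of 512-bit blocks."""
    bit_len = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def _f(t: int, b: int, c: int, d: int) -> int:
    """Round function f_t: Ch for rounds 0-19, Maj for 40-59, Parity otherwise."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def sha(message: bytes, fips_180_1: bool = False) -> bytes:
    """Return the 160-bit digest of `message`.

    fips_180_1=False: the 1993 FIPS 180 algorithm (SHA-0).
    fips_180_1=True:  the 1995 FIPS 180-1 algorithm (SHA-1).
    """
    h = list(INITIAL_STATE)
    padded = _pad(message)
    for off in range(0, len(padded), 64):
        # Message schedule: 16 words from the block, expanded to 80.
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(_rotl(x, 1) if fips_180_1 else x)
        # 80 rounds of the compression function over working variables a..e.
        a, b, c, d, e = h
        for t in range(80):
            tmp = (_rotl(a, 5) + _f(t, b, c, d) + e + K[t // 20] + w[t]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        # Davies-Meyer feed-forward: add the block result into the state.
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return b"".join(struct.pack(">I", x) for x in h)


def hexdigest(message: bytes, fips_180_1: bool = False) -> str:
    return sha(message, fips_180_1).hex()


def digest_matches(message: bytes, expected_hex: str, fips_180_1: bool = False) -> bool:
    """Receiver-side integrity check: recompute and compare in constant time.
    On its own this detects modification only if the expected digest reached
    the receiver intact; origin authentication needs the digest signed
    (e.g. with DSA), which is how the standard intends it to be used."""
    return hmac.compare_digest(hexdigest(message, fips_180_1), expected_hex.lower())


def matches_hashlib_sha1(message: bytes) -> bool:
    """Cross-check the FIPS 180-1 path against the library SHA-1."""
    return hexdigest(message, fips_180_1=True) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    for m in (b"", b"abc", b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"):
        print(m[:12], "FIPS 180:", hexdigest(m),
              "FIPS 180-1:", hexdigest(m, True), "sha1 ok:", matches_hashlib_sha1(m))
```

The 56-byte vector is the useful one to step through: its padding does not fit in the first block, so the length field lands in a second block and both the padding rule and the per-block feed-forward get exercised. Note that the 1993 (SHA-0) path has no library counterpart to check against, which is one reason the validation programme the newsletter mentions mattered.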
The SHA may be implemented in software, firmware, hardware, or any combination. Implementations of the SHA will be validated by NIST.

Secretary of Commerce Approves POSIX Revision

FIPS 151-1, POSIX: Portable Operating System Interface for Computer Environments, has been revised to adopt International Standard ISO/IEC 9945-1:1990, Information Technology--Portable Operating System Interface (POSIX)--Part 1: System Application Program Interface (API) [C Language], which defines a C programming language source interface to an operating system environment. Effective October 15, 1993, the revised standard will be published as FIPS 151-2 and supersedes FIPS 151-1 in its entirety. FIPS 151-2 will maximize the federal return on investment in generating or purchasing computer programs by enhancing operating system compatibility.

Computer Graphics Metafile (CGM) Standard Revised

The Secretary of Commerce approved a revision to FIPS 128, CGM, which will be published as FIPS 128-1. The revised standard adopts the redesignated version of the CGM standard known as ANSI/ISO 8632.1-4:1992; adds a requirement for the use of profiles, which define the options, elements, and parameters of ANSI/ISO 8632 necessary to accomplish a particular function and to maximize the probability of interchange between systems implementing the profile; and adopts the first such profile, the military specification MIL-D-28003A, November 15, 1991, known as the CALS (Computer-aided Acquisition and Logistic Support) CGM Application Profile.

FIPS 128-1 is a graphics data interface standard which specifies a file format suitable for the description, storage, and communication of graphical (pictorial) information in a device-independent manner. The standard facilitates the transfer of graphical information between different graphical software systems, different graphical devices, and different computer graphics installations. The revised standard becomes effective October 15, 1993.
The use of the CGM Application Profile is mandatory October 15, 1994. We encourage agencies to use the application profile in acquisitions initiated during this period.

Revision of FIPS for Database Language SQL

On May 12, 1993, the Secretary of Commerce approved a substantial enhancement of FIPS 127-1, SQL. Effective December 3, 1993, the revised standard will be published as FIPS 127-2 and replaces FIPS 127-1 in its entirety. FIPS 127-2 is mandatory for all federal procurements of relational model database management systems.

The revised SQL standard adds significant new features for schema definition, diagnostics management, integrity constraints, and international character set support, as well as new data types, new table operations, and enhanced data manipulation expressions. A new Information Schema makes all schema data available to applications.

FIPS 127-2 is specified in four separate conformance levels: Entry SQL, Transitional SQL, Intermediate SQL, and Full SQL. Although only Entry SQL is initially required for conformance to FIPS 127-2, a higher conformance level may be specified as mandatory in individual agency procurements. The NIST SQL Test Suite, Version 4.0, provides conformance tests for the Entry SQL level of FIPS 127-2. Future versions of the test suite will evaluate other FIPS SQL conformance levels. We invite you to call Joan Sullivan on (301) 975-3258 for order information on the NIST SQL Test Suite.

Input/Output Interface Standards Withdrawn

Effective May 11, 1993, eight FIPS have been withdrawn because the technical specifications that they adopt are obsolete and are no longer supported by industry. The standards include:

-- FIPS 60-2, I/O Channel Interface, revised December 18, 1990.
-- FIPS 61-1, Channel Level Power Control Interface, revised December 18, 1990.
-- FIPS 62, Operational Specifications for Magnetic Tape Subsystems, revised December 18, 1990.
-- FIPS 63-1, Operational Specifications for Variable Block Rotating Mass Storage Subsystems, revised December 18, 1990; Supplement to FIPS 63-1, Additional Operational Specifications for Variable Block Rotating Mass Storage Subsystems, revised December 18, 1990.
-- FIPS 97, Operational Specifications for Fixed Block Rotating Mass Storage Subsystems, revised December 18, 1990.
-- FIPS 111, Storage Module Interfaces (with extensions for enhanced storage module interfaces), revised December 18, 1990.
-- FIPS 130, Intelligent Peripheral Interface (IPI), revised December 18, 1990.
-- FIPS 131, Small Computer System Interface (SCSI), revised December 18, 1990.

UPDATE ON NEW PUBLICATIONS

CSL publishes the results of studies, investigations, and research. The reports listed below may be ordered from the following sources as indicated for each:

* Superintendent of Documents
  U.S. Government Printing Office (GPO)
  Washington, DC 20402
  Telephone (202) 783-3238

* National Technical Information Service (NTIS)
  5285 Port Royal Road
  Springfield, VA 22161
  Telephone (703) 487-4650

The First Text REtrieval Conference (TREC-1)
D. K. Harman, Editor
NIST Spec. Pub. 500-207, March 1993
SN003-003-03207-7, $29.00
Order from GPO

This report constitutes the proceedings of the first Text REtrieval Conference (TREC-1) held November 4-6, 1992. Cosponsored by NIST and the Defense Advanced Research Projects Agency (DARPA), the conference was the first in an ongoing series of workshops to evaluate new technologies in text retrieval.

Software Error Analysis
By Wendy W. Peng and Dolores R. Wallace
NIST Spec. Pub. 500-209, March 1993
SN003-003-03212-3, $7.00
Order from GPO

This document provides the software engineering community with current information regarding error analysis for software. It assists users by describing how error analysis can improve the software development process and provides guidelines for the evaluation of high-integrity software.
The DARPA TIMIT Acoustic Phonetic Continuous Speech Corpus CD-ROM [TIMIT]
By John S. Garofolo, Lori F. Lamel, William M. Fisher, Jonathan G. Fiscus, David S. Pallett, and Nancy L. Dahlgren
NISTIR 4930, February 1993
PB93-173938, $19.50 paper, $9.00 microfiche
Order from NTIS

This document presents the documentation supporting the DARPA TIMIT (Texas Instruments/Massachusetts Institute of Technology) Acoustic-Phonetic Continuous Speech Corpus released on CD-ROM in October 1990 (NIST Speech Disc 1-1.1).

An International Survey of Industrial Applications of Formal Methods
Volume 1: Purpose, Approach, Analysis, and Conclusions; Volume 2: Case Studies
By Dan Craigen, Susan Gerhart, and Ted Ralston
NIST GCR 93/626, March 1993
PB93-178556 (vol. 1), $27.00 paper
PB93-178564 (vol. 2), $17.50 microfiche
Order from NTIS

This two-volume study evaluates international industrial experience in using formal methods and presents cases representative of industrial-grade projects which span a variety of application domains.

Building Hadamard Matrices in Steps of 4 to Order 200
By Nathalie Drouin
NISTIR 5121, April 1993
PB93-189835, $17.50 paper, $9.00 microfiche
Order from NTIS

This report describes the construction of Hadamard matrices for use in generating statistical plans of analysis for the synthetic perturbation tuning technique of program sensitivity analysis.

Computer Systems Laboratory Annual Report--1992
By Elizabeth B. Lennon, Shirley Radack, and Ramona Roach
NISTIR 5127, December 1992
PB93-181873, $19.50 paper, $12.50 microfiche
Order from NTIS

This report describes the 1992 computer and related telecommunications activities of NIST's Computer Systems Laboratory.
Using Synthetic-Perturbation Techniques for Tuning Shared Memory Programs
By Robert Snelick, Joseph Ja'Ja', Raghu Kacker, and Gordon Lyon
NISTIR 5139, March 1993
PB93-178572, $17.50 paper, $9.00 microfiche
Order from NTIS

This paper explains the synthetic-perturbation tuning (SPT) methodology, which is based on an empirical approach that introduces artificial delays into the multiple-instruction, multiple-data (MIMD) program. It also addresses specific features that are the main source of poor performance on the shared memory programming model.

Detailed Design Specification for Conformance Testing of Computer Graphics Metafile (CGM) Interpreter Products
Daniel R. Benigni, Editor
NISTIR 5146, March 1993
PB93-178580, $19.50 paper, $9.00 microfiche
Order from NTIS

This report presents a detailed design specification for determining conformance of CGM Interpreter Products to the requirements of Federal Information Processing Standard (FIPS) 128, CGM, and the Military Specification MIL-D-28003A. The work supports the Computer-aided Acquisition and Logistic Support (CALS) initiative of the Department of Defense.

Statistical Analysis of Information Content for Training Pattern Recognition Networks
By C.L. Wilson
NISTIR 5149, March 1993
PB93-178861, $17.50 paper, $9.00 microfiche
Order from NTIS

This report provides an analysis, based upon statistical models of neural networks, of the data content for training pattern recognition systems.

Minimum Security Requirements for Multi-User Operating Systems
By David Ferraiolo, Nickilyn Lynch, Patricia Toth, David Chizmadia, Michael Ressler, Roberta Medlock, and Sarah Weinberg
NISTIR 5153, March 1993
PB93-185999, $17.50 paper, $9.00 microfiche
Order from NTIS

This document provides basic commercial computer system security requirements applicable to both government and commercial organizations.
These requirements form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria).

Comparative Performance of Classification Methods for Fingerprints
By G.T. Candela and R. Chellappa
NISTIR 5163, April 1993
PB93-184273, $17.50 paper, $9.00 microfiche
Order from NTIS

This study compares the results of several pattern classifiers as tested on NIST Special Database 4, which consists of fingerprint images produced from two rollings of each of 2000 different fingers. The classifiers tested are drawn from traditional pattern recognition literature as well as neural network literature.

NIST Scoring Package Certification Procedures in Conjunction with NIST Special Databases 2 and 6
By Michael D. Garris
NISTIR 5173, April 1993
PB93-188126, $17.50 paper, $9.00 microfiche
Order from NTIS

This document presents procedures developed by CSL to promote compliance with existing Scoring Package file formats. CSL strongly encourages Scoring Package certification to maximize the successful scoring of recognition system data.

Optimization of Adaptive Resonance Theory Network With Boltzmann Machine
By Omid M. Omidvar and Charles L. Wilson
NISTIR 5176, April 1993
PB93-188134, $17.50 paper, $9.00 microfiche
Order from NTIS

This report presents optical character recognition research which combines Boltzmann methods and the Adaptive Resonance Theory (ART) to generate small testing networks which achieve reduced training error and improved network speed applicable to the optimization of large neural networks.

Computer Graphics Metafile (CGM) Test Requirements Document (Update)
By Lynne S. Rosenthal
NISTIR 5191, April 1993
PB93-198273, $19.50 paper, $9.00 microfiche
Order from NTIS

This document updates and supplements the Computer Graphics Metafile (CGM) Test Requirements Document published in 1989 as NISTIR 4329.
Revisions in FIPS 128, CGM, and MIL-D-28003A add new functionality and additional requirements, necessitating the update of the conformance test suite and tools.

UPCOMING TECHNICAL CONFERENCES

Digital Systems Reliability and Nuclear Safety Workshop

This workshop will provide state-of-the-art information to the U.S. Nuclear Regulatory Commission (NRC) staff and to the nuclear industry from outside experts regarding potential safety issues, proposed regulatory positions, and research associated with the application of digital systems in nuclear power plants.
Sponsor: Nuclear Regulatory Commission, in cooperation with NIST
Dates: September 13-14, 1993
Place: Rockville Crowne Plaza Hotel, Rockville, MD
Contact: Dolores Wallace (301) 975-3340

Open System Environment (OSE) Implementors Workshop (OIW)

This workshop is part of a continuing series to develop implementation specifications from international standard design specifications for computer network protocols.
Sponsors: NIST and the IEEE Computer Society
Dates: September 13-17, 1993; December 6-10, 1993
Place: NIST, Gaithersburg, MD
Contact: Brenda Gray (301) 975-3664

16th National Computer Security Conference

The theme of this year's conference is "Information Systems Security: User Choices." The major emphasis will be on meeting the special needs of users and creating better security for user information technology resources.
Sponsors: NIST and NSA's National Computer Security Center
Dates: September 20-23, 1993
Place: Baltimore Convention Center, Inner Harbor, Baltimore, MD
Contacts: Irene Gilbert Perry (301) 975-3360; Dennis Gilbert (301) 975-3872

Federal Wireless Users Forum (FWUF)

This new users group was established to address wireless digital interface issues in the federal government. Although focusing on the requirements of federal wireless telecommunication users, the forum encourages the participation of state and local government, other interested users, product providers, and service providers.
Sponsors: NIST and the National Communications System (NCS)
Dates: September 27-29, 1993, at Marriott Washingtonian Center, Gaithersburg, MD; January 18-20, 1994, at NIST
Contact: Mary Ruhl (301) 975-2983

North American ISDN Users' Forum (NIUF)

The NIUF addresses many concerns over a broad range of Integrated Services Digital Network (ISDN) issues and seeks to reach consensus on ISDN Implementation Agreements. Participants include ISDN users, implementors, and service providers.
Dates: October 18-22, 1993
Place: NIST, Gaithersburg, MD
Contact: Dawn Hoffman (301) 975-2937

Applications Portability Profile (APP)/Open Systems Environment (OSE) Workshop

This workshop is designed as a user's forum to discuss the latest developments in the APP/OSE.
Dates: November 16-17, 1993
Place: NIST, Gaithersburg, MD
Contacts: Joe Hungate (301) 975-3368; Paul Ferguson

Paul Ferguson              | "Government, even in its best state,
Network Integrator         | is but a necessary evil; in its worst
Centreville, Virginia USA  | state, an intolerable one."
fergp@sytex.com            | - Thomas Paine, Common Sense

I love my country, but I fear its government.