Cyber-Security-Engineering.com

Index and Bibliography/Library

https://drive.google.com/drive/u/0/folders/0B387pMJx9Vjoa2V2TWJIUkJjOVU

The following links are broken (they point to a copy of the bibliography in the wrong Google Drive... and the right copy does not have the index.html in it...)

Foundations of Information Assurance Reference Material

Papers

  • Anderson 1972 - Computer Security Technology Planning Study

  • Anderson - Programming Satans Computer

  • Bell/La Padula 1973 - Secure Computer Systems: Mathematical Foundations

  • Bell/La Padula 1976 - Secure Computer Systems: Unified Exposition and Multics Interpretation

  • Bell 2005 - Looking Back at the Bell-La Padula Model

  • Bell - Looking Back: Addendum

  • Schell 1979 - Computer Security the Achilles' heel of the electronic Air Force?

  • Gutmann - The Commercial Malware Industry

  • Gamble - Turning Multiple Evaluated Products into Trusted Systems

  • Saltzer/Schroeder - A Hardware Architecture for Implementing Protection Rings

  • Kuhn/Anderson - Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations

  • The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

  • What is Information

  • Landwehr - Computer Security

  • Landwehr - Taxonomy

  • Schaefer 2004 - If A1 is the Answer, What was the Question?

  • Myers - Subversion: The Neglected Aspect of Computer Security

  • Orange Book Threat Model

  • Design and Implementation of PUF-Based "Unclonable" RFID ICs for Anti-Counterfeiting and Security Applications

  • Physical Unclonable Functions for Device Authentication and Secret Key Generation

  • Saltzer/Schroeder - The Protection of Information in Computer Systems

  • Schell - Thirty Years Later Lessons Learned From Multics

  • Schell - What Is There to Worry About

  • Schell - Concepts and Terminology

  • Schell - Information Security: Science, Pseudoscience, and Flying Pigs

  • Shannon 1949 - A Mathematical Theory of Communication

  • Snow - We Need Assurance

  • The von Neumann Architecture of Computer Systems

  • Thompson - Trusting Trust

  • Tinto - The Design and Evaluation of INFOSEC Systems

  • Trusted RUBIX Architecture and Policy Model Interpretation

  • Understanding Buffer Overflows

  • What is Information Anyway

  • Countering Trusting Trust through Diverse Double-Compiling

  • Ware Report

  • Ware Report (RAND site)

  • King - Designing and implementing malicious hardware

  • A Taxonomy of Computer Worms

  • Fixing Federal E-Voting Standards

Books and Excerpts

Handbook of Applied Cryptography

  • Index

  • Chapter 1

  • Chapter 2

  • Chapter 3

  • Chapter 4

  • Chapter 5

  • Chapter 6

  • Chapter 7

  • Chapter 8

  • Chapter 9

  • Chapter 10

  • Chapter 11

  • Chapter 12

  • Chapter 13

  • Chapter 14

  • Chapter 15

  • References

  • Appendix

Trusted DBMS Interpretation

  • Public Release Documents

  • Front Matter

  • Division C - Discretionary Protection

  • Class B1 - Labeled Security Protection

  • Class B2 - Structured Protection

  • Class B3 - Security Domains

  • Division A - Verified Protection

  • Guidelines - Servers, Integrity-Lock, Appendix 1

  • Appendix 2 - Rationale for TCB Subsets

  • Appendices 3 - Devices and 4 - Balanced Assurance

  • Back Matter

Security Engineering

  • Security Engineering - Ross Anderson

The Multics System: An Examination of Its Structure

  • The Multics System: An Examination of Its Structure - Elliot Organick

Building a Secure Computer System

  • Building a Secure Computer System - Morrie Gasser

Covert channel vulnerabilities in anonymity systems

  • Covert Channel Vulnerabilities in Anonymity Systems - Steven J. Murdoch

Rainbow Series (and related documents)

  • 5200.28-STD ORANGE - DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA

  • C1-TR-001 - COMPUTER VIRUSES: PREVENTION, DETECTION, AND TREATMENT

  • CSC-STD-001-93 - DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA

  • CSC-STD-002-85 GREEN - DEPARTMENT OF DEFENSE PASSWORD MANAGEMENT GUIDELINE

  • CSC-STD-003-85 LIGHT YELLOW - COMPUTER SECURITY REQUIREMENTS GUIDANCE FOR APPLYING THE DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA IN SPECIFIC ENVIRONMENTS

  • CSC-STD-004-85 YELLOW - TECHNICAL RATIONALE BEHIND CSC-STD-003-85: COMPUTER SECURITY REQUIREMENTS

  • C-TR-32-92 - The Design and Evaluation of INFOSEC Systems

  • C-TR-79-91 - INTEGRITY IN AUTOMATED INFORMATION SYSTEMS

  • C-TR-111-91 - INTEGRITY-ORIENTED CONTROL OBJECTIVES: PROPOSED REVISIONS TO THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC), DoD 5200.28-STD

  • n-c-1-87 - National Telecommunications and Information Systems Security Advisory Memorandum

  • NCSC-TG-001-2 TAN - A Guide to Understanding Audit in Trusted Systems

  • NCSC-TG-002 BRIGHT BLUE - Trusted Product Security Evaluation Program

  • NCSC-TG-003 NEON ORANGE - Discretionary Access Control in Trusted Systems

  • NCSC-TG-004 TEAL GREEN - Glossary of Computer Security Terms

  • NCSC-TG-005 RED - Trusted Network Interpretation

  • NCSC-TG-006 AMBER - Configuration Management in Trusted Systems

  • NCSC-TG-007 BURGUNDY - A Guide to Understanding Design Documentation in Trusted Systems

  • NCSC-TG-008 DARK LAVENDER - A Guide to Understanding Trusted Distribution in Trusted Systems

  • NCSC-TG-009 VENICE BLUE - Computer Security Subsystem Interpretation of the TCSEC

  • NCSC-TG-010 AQUA - A Guide to Understanding Security Modeling in Trusted Systems

  • NCSC-TG-011 RED - Trusted Network Interpretation Environments Guideline (TNI)

  • NCSC-TG-013 PINK - Rating Maintenance Phase Program

  • NCSC-TG-013 PINK version 2 - Rating Maintenance Phase Program

  • NCSC-TG-014 PURPLE - Guidelines for Formal Verification Systems

  • NCSC-TG-015 BROWN - Guide to Understanding Trusted Facility Management

  • NCSC-TG-016 YELLOW GREEN - Guidelines for Writing Trusted Facility Manuals

  • NCSC-TG-017 LIGHT BLUE - Identification and Authentication in Trusted Systems

  • NCSC-TG-018 LIGHT BLUE - Object Reuse in Trusted Systems

  • NCSC-TG-019v2 BLUE - Trusted Product Evaluation Questionnaire

  • NCSC-TG-020-A SILVER - Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System

  • NCSC-TG-021 PURPLE - Trusted Database Management System Interpretation of the TCSEC (TDI)

  • NCSC-TG-022 YELLOW - Trusted Recovery in Trusted Systems

  • NCSC-TG-023 BRIGHT ORANGE - Security Testing and Test Documentation in Trusted Systems

  • NCSC-TG-024-1 PURPLE - Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements

  • NCSC-TG-024-2 PURPLE - Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work

  • NCSC-TG-024-3 PURPLE - Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description

  • NCSC-TG-025v2 FOREST GREEN - Guide to Understanding Data Remanence in Automated Information Systems.

  • NCSC-TG-026 HOT PEACH - Writing the Security Features User's Guide for Trusted Systems

  • NCSC-TG-027 TURQUOISE - Information System Security Officer Responsibilities for Automated Information Systems

  • NCSC-TG-028 VIOLET - Assessing Controlled Access Protection

  • NCSC-TG-029 BLUE - Certification and Accreditation Concepts

  • NCSC-TG-030 LIGHT PINK - Covert Channel Analysis of Trusted Systems

  • NCSC-TR-002 - USE OF THE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC) FOR COMPLEX, EVOLVING, MULTIPOLICY SYSTEMS

  • NCSC-TR-003 - TURNING MULTIPLE EVALUATED PRODUCTS INTO TRUSTED SYSTEMS

  • NCSC-TR-004 - A GUIDE TO PROCUREMENT OF SINGLE AND CONNECTED SYSTEMS

  • NCSC-TR-005-1 - Inference and Aggregation Issues In Secure Database Management Systems

  • NCSC-TR-005-2 - Entity and Referential Integrity Issues In Multilevel Secure Database Management

  • NCSC-TR-005-3 - Polyinstantiation Issues In Multilevel Secure Database Management Systems

  • NCSC-TR-005-4 - Auditing Issues In Secure Database Management Systems

  • NCSC-TR-005-5 - Discretionary Access Control Issues In High Assurance Secure Database Management Systems

Other Documents

  • XTS-300 eval report

  • PDD-63 (NSC-63) Critical Infrastructure Protection

  • Trusted Software Program Demonstration, Assessment, and Refinement Volume 1

  • Trusted Software Program Demonstration, Assessment, and Refinement Volume 2

  • Intelligence Community Information Technology Systems Security Risk Management, Certification, and Accreditation

  • DCID 6/3 - Protecting Sensitive Compartmented Information Within Information Systems Policy

  • DCID 6/3 - Protecting Sensitive Compartmented Information Within Information Systems Manual

  • DCID 6/3 - Protecting Sensitive Compartmented Information Within Information Systems Appendices

  • DCID 6/9 - Physical Security Standards for Sensitive Compartmented Information Facilities

Example Cryptographic Output

The following is a list of algorithms with example values for each algorithm. These samples were taken from the NIST website on April 6, 2009.

  • FIPS 197 - Advanced Encryption Standard (AES) AES-AllSizes

  • SP 800-67 - Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher TDES

  • FIPS 185 - Escrowed Encryption Standard containing the Skipjack algorithm Skipjack

  • SP 800-38A - Recommendation for Block Cipher Modes of Operation: Methods and Techniques AES

  • SP 800-38A - Recommendation for Block Cipher Modes of Operation: Methods and Techniques TDES

  • SP 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication CMAC-AES

  • SP 800-38B - Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication CMAC-TDES

  • SP 800-38C - Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality CCM-AES

  • SP 800-38D - Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (Draft) GCM-AES

  • FIPS 186-3 - Digital Signature Standard DSA All Domain Parameter Sizes

  • FIPS 186-3 - Digital Signature Standard ECDSA All Prime Curves

  • FIPS 186-3 - Digital Signature Standard ECDSA All Characteristic2 Curves

  • FIPS 180-2 - Secure Hash Standard All Digest Sizes

  • FIPS 180-2 - Secure Hash Standard Additional data for SHA2 algorithms (without intermediate values)

  • SP 800-56A - Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography: Finite Field Cryptography based Samples, All Domain Parameter Sizes

  • SP 800-56A - Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography: Elliptic Curve Cryptography, All Curves

  • FIPS 186-2 - Digital Signature Standard, Appendices 3.1 and 3.2 and Change Notice #1

  • ANSI X9.31 Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry, Appendix A.2.4

  • ANSI X9.62-1998 Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), Annex A.4

  • SP 800-90 - Recommendation for Random Number Generation Using Deterministic Random Bit Generators All algorithms

  • FIPS 198 - The Keyed-Hash Message Authentication Code (HMAC) All Hash Sizes

Common Criteria

  • Common Criteria v 3.1 Part 1

  • Common Criteria v 3.1 Part 2 (with marked changes)

  • Common Criteria v 3.1 Part 3 (with marked changes)

  • Common Methodology for Information Technology Security Evaluation (with marked changes)

NIST FIPS (Federal Information Processing Standards)

Security Requirements for Cryptographic Modules

  • FIPS 140-2 (current)

  • FIPS 140-2 annex a (current)

  • FIPS 140-2 annex b (current)

  • FIPS 140-2 annex c (current)

  • FIPS 140-2 annex d (current)

  • FIPS 140-1 (obsolete)

  • FIPS 140-3 (draft, as of Jul 13, 2007)

Minimum Security Requirements for Federal Information and Information Systems

  • FIPS 200

Standards for Security Categorization of Federal Information and Information Systems

  • FIPS 199

The Keyed-Hash Message Authentication Code (HMAC)

  • FIPS 198

Advanced Encryption Standard

  • FIPS 197

Entity Authentication Using Public Key Cryptography

  • FIPS 196

Guideline for The Analysis of Local Area Network Security

  • FIPS 191

Guideline for the Use of Advanced Authentication Technology Alternatives

  • FIPS 190

Standard Security Label for Information Transfer

  • FIPS 188

Digital Signature Standard (DSS)

  • FIPS 186-2 (current)

  • FIPS 186-3 (DRAFT)

Escrowed Encryption Standard

  • FIPS 185

Automated Password Generator

  • FIPS 181

Secure Hash Standard (SHS)

  • FIPS 180-3

Information Security Training Requirements: A Role and Performance-Based Model

  • SP 800-16 Rev. 1 (DRAFT)

Directions in Security Metrics Research

  • NIST IR-7564 (DRAFT)

Secure Domain Name System (DNS) Deployment Guide

  • SP 800-81 Rev. 1 (DRAFT)

The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

  • NIST IR-7517 (DRAFT)

Guide to Enterprise Telework and Remote Access Security

  • SP 800-46 Rev. 1 (DRAFT)

Recommended Security Controls for Federal Information Systems and Organizations

  • SP 800-53 Rev. 3 (DRAFT)

  • SP 800-53 Rev. 3 (marked changes)

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

  • SP 800-122 (DRAFT)

Security Architecture Design Process for Health Information Exchanges (HIEs)

  • NIST IR-7497 (DRAFT)

Recommendation for EAP Methods Used in Wireless Network Access Authentication

  • SP 800-120 (DRAFT)

  • SP 800-120 (COMMENTS)

Electronic Authentication Guideline

  • SP 800-63 Rev. 1 (DRAFT)

Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography

  • SP 800-56 B (DRAFT)

Recommendation for Digital Signature Timeliness

  • SP 800-102 (DRAFT)

Recommendation for Key Management, Part 3 Application-Specific Key Management Guidance

  • SP 800-57 Part 3 (DRAFT)

Guide to Industrial Control Systems (ICS) Security

  • SP 800-82 (DRAFT)

National Checklist Program for IT Products--Guidelines for Checklist Users and Developers

  • SP 800-70 Rev. 1 (DRAFT)

Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

  • SP 800-37 Rev. 1 (DRAFT)

Security Content Automation Protocol (SCAP) Validation Program Test Requirements

  • NIST IR-7511 (DRAFT)

Guidelines on Firewalls and Firewall Policy

  • SP 800-41 Rev. 1 (DRAFT)

The Common Configuration Scoring System (CCSS)

  • NIST IR-7502 (DRAFT)

Managing Risk from Information Systems: An Organizational Perspective

  • SP 800-39 (DRAFT)

Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

  • NIST IR-7328 (DRAFT)

An Ontology of Identity Credentials, Part I: Background and Formulation

  • SP 800-103 (DRAFT)


Copyright 2020 Cyber-Security-Engineering.com