Final Project

This document proposes cryptographic security measures for ACME Inc. to comply with HIPAA standards. It recommends encrypting data at rest using AES 128-192 bit encryption and data in transit using TLS 1.2-1.3. Additionally, it suggests implementing public key infrastructure with digital certificates, network security controls, and Kerberos authentication to ensure confidentiality, integrity, and availability of electronic healthcare records as required by HIPAA. The biggest internal and external threats to ACME Inc. are also addressed.

Final Project: Cryptographic Techniques 1

Micah Geertson
CSOL 510
04/26/2019

Final Project: Cryptographic Techniques

Table of Contents
Executive Summary (p. 3)
Relevant Laws, Regulations and Standards (p. 4)
What Security Standards & Policies Are Being Enforced (p. 4)
Data-at-Rest & Data-in-Flight Encryption (CONFIDENTIALITY) (p. 5)
Data-at-Rest & Data-in-Flight Encryption (INTEGRITY) (p. 6)
Network Security Configuration Standards (p. 7)
Secure Key Distribution – Cryptography (CONFIDENTIALITY) (p. 8)
Network Authentication (CONFIDENTIALITY/INTEGRITY/AVAILABILITY) (p. 9)
Public Key Infrastructure – Certificates (Integrity) (p. 10)
Threat Environment (p. 11)
Conclusion (p. 11)
References (pp. 12-13)

Table of Figures
Figure 1 – ACME INC Network Diagram (p. 11)

Executive Summary
The purpose of this document is to describe, in depth, the cryptographic security
measures that ACME Inc. should deploy in order to adhere to the standards and Federal laws
imposed by the Health Insurance Portability and Accountability Act (HIPAA). In addition to
being held accountable for the security of all electronic healthcare documents, ACME Inc.
should maintain the following security attributes at all times:

• Confidentiality – Ensuring that information is only accessible to the intended recipients.
• Integrity – Ensuring that transmitted and received information is intact, in its original form,
and free of manipulation by unauthorized third parties.
• Availability – Ensuring that the records are available when needed, as needed.

This document outlines several cryptographic security features that should be implemented as
soon as possible, not only to adhere to HIPAA but also to ensure that the impact is minimal should
an attack against ACME Inc. occur. Each cryptographic system has been selected based on
standards released by security organizations such as the National Institute of Standards
and Technology (NIST), the Center for Internet Security (CIS), and the Federal Information
Processing Standards (FIPS). The proposed systems include the use of
cryptography to encrypt data using the Advanced Encryption Standard (AES) algorithm, Public
Key Infrastructure using digital certificates to allow verification of all parties in
communication, network security measures to prevent outside attackers from
accessing the corporate network, and Kerberos authentication and authorization measures to
ensure that those attempting to access data are actual users on the network and are also allowed
to access the data. As the biggest threat to ACME Inc. and its data comes from internal users,
whether intentionally malicious or accidental, it is vital that we deploy these systems to preserve
our records and maintain adequate backup and recovery capabilities for data.

Relevant Laws, Regulations and Standards


Given that ACME INC. is part of the health insurance industry, extra care must be taken
to ensure adequate security measures are implemented to protect the confidentiality of claims
made by clients as well as other pertinent case information. As such, this information is subject
to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires that
all electronic health information documents adhere to the security triad of confidentiality,
integrity and availability. To better understand this triad, each term is defined as follows:

• Confidentiality – Ensuring that information is only accessible to the intended recipients.
• Integrity – Ensuring that transmitted and received information is intact, in its original form,
and free of manipulation by unauthorized third parties.
• Availability – Ensuring that the records are available when needed, as needed.

While these are the requirements of HIPAA, the law does not outline how to accomplish this
security triad. For this, we defer to several security frameworks and standards released by
organizations such as the National Institute of Standards and Technology (NIST), the Center for
Internet Security (CIS), and the Federal Information Processing Standards (FIPS). A brief
overview of these documents reveals the minimum security standards for several security system
implementations. Some of these standards include account password policies, network security
configurations and the minimum bit lengths required for cryptographic functions.

What Security Standards & Policies Are Being Enforced


By following the aforementioned standards and policies provided by NIST, CIS, FIPS,
etc., several security efforts have been decided upon to ensure that ACME INC. not only
complies with but also excels at meeting the requirements outlined in HIPAA. The following
section will present a compilation of past reports to describe and justify the suggested
implementations.

Data-at-Rest & Data-in-Flight Encryption (CONFIDENTIALITY)


This section serves to outline the minimum cryptographic standards for use in a medical
record environment in accordance with the Health Insurance Portability and Accountability Act of
1996 (HIPAA) to enforce confidentiality. Guidance for cryptographic standards can be found in
several of the National Institute of Standards and Technology (NIST) Special Publications and
Federal Information Processing Standards (FIPS) documents. The following publications were used
in this document:
Technology               Standards Document
Data at Rest             FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
                         NIST SP 800-57 Part 1 rev 4 - Recommendation for Key Management
                         NIST SP 800-175B - Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
Data in Transit          NIST SP 800-52 rev 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
VPNs                     NIST SP 800-77 - Guide to IPsec VPNs
Firewalls                NIST SP 800-41 - Guidelines on Firewalls and Firewall Policy
Routers                  NIST Network Infrastructure Router L3 Switch Version 8, Release 29
Wireless Access Points   NIST SP 800-153 - Guidelines for Securing Wireless Local Area Networks (WLANs)
Data at Rest – Minimum Standards
Per FIPS 199, data whose unauthorized disclosure would have a serious adverse effect on the
organization shall be rated as MODERATE. Data whose unauthorized disclosure would have a severe or
catastrophic adverse effect shall be rated as HIGH. Based on these criteria, NIST SP 800-175B requires a
minimum security strength of 128 bits for MODERATE and 192 bits for HIGH-impact information.
Referencing NIST SP 800-57 Part 1 rev 4, an adequate cryptographic algorithm for the selected key size
would be Full Disk Encryption (FDE) using the Advanced Encryption Standard (AES) with AES-128 or
AES-192.
Data in Transit – Minimum Standards
Per FIPS 199, data classifications remain the same as for data at rest. NIST SP 800-52 rev 2
advises that network communications shall use TLS 1.2 and should use TLS 1.3. All connections
prior to TLS 1.3 shall use the bad_record_mac option to detect padding errors. Additionally, all
employee TLS connections should utilize Client Authentication with Personal Identity Verification
(PIV). The recommended cryptographic functions for Data in Transit are:
MODERATE: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
HIGH: TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA256
VPNs, Firewalls, Routers, and Wireless Access Points
These controls are not cryptography-specific; configure each in accordance with the table above.
Justifications
Due to the sensitive nature of the information available in client health insurance claims, all
records should be considered confidential and accessible only by authorized parties, including
company employees. The biggest threat comes from unauthorized third-party disclosure, which must be
prevented. While the internal networks can be considered relatively safe, transmission of data should
still adhere to the minimum standards outlined by NIST. The costs of implementing secure
communications and storage are far less than the costs of recovering from a data breach or unauthorized disclosure.
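As an added example (not part of the original document), the following Python check encodes the minimums stated above: the FIPS 199 impact level fixes the required strength, check_fde tests the AES key size for full-disk encryption, and check_tls parses a cipher-suite name to confirm TLS 1.2 or later, ECDHE key exchange and AES-GCM at the required strength. It validates the name's components against this policy only; it does not consult the IANA cipher-suite registry.

```python
import re

# Minimum security strength per FIPS 199 impact level, as the section above
# states it (NIST SP 800-175B: 128 bits for MODERATE, 192 bits for HIGH).
MIN_STRENGTH = {"MODERATE": 128, "HIGH": 192}

# TLS 1.2 suites are named TLS_<kex>[_<auth>]_WITH_<cipher>_<hash>; TLS 1.3 suites
# are named TLS_<cipher>_<hash> because key exchange there is always ephemeral.
SUITE_12 = re.compile(
    r"^TLS_(?P<kex>[A-Z0-9]+)(?:_(?P<auth>[A-Z0-9]+))?_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA\d*)$"
)
SUITE_13 = re.compile(r"^TLS_(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA\d+)$")
AES_GCM = re.compile(r"^AES_(?P<bits>\d+)_GCM$")


def check_fde(impact, algorithm, key_bits):
    """Data at rest: full-disk encryption must be AES with a key at or above the
    strength required for the impact level. Returns (compliant, reasons)."""
    reasons = []
    if algorithm.upper() != "AES":
        reasons.append(f"{algorithm} is not the approved FDE algorithm (AES)")
    if key_bits < MIN_STRENGTH[impact]:
        reasons.append(f"{key_bits}-bit key is below the {MIN_STRENGTH[impact]}-bit minimum for {impact}")
    return (not reasons, reasons)


def check_tls(impact, version, suite):
    """Data in transit: TLS 1.2 is the floor (1.3 preferred); the suite must use
    ephemeral ECDH and AES-GCM at or above the required strength."""
    reasons = []
    if version not in ("1.2", "1.3"):
        reasons.append(f"TLS {version} is below the TLS 1.2 floor")
    if "_WITH_" in suite:                       # TLS 1.2-style name
        m = SUITE_12.match(suite)
        if m and m.group("kex") != "ECDHE":
            reasons.append(f"key exchange {m.group('kex')} is not ephemeral ECDH (ECDHE)")
    else:                                       # TLS 1.3-style name
        m = SUITE_13.match(suite)
    if not m:
        reasons.append(f"unrecognised cipher suite name: {suite}")
        return (False, reasons)
    aes = AES_GCM.match(m.group("cipher"))
    if not aes:
        reasons.append(f"{m.group('cipher')} is not AES in GCM (AEAD) mode")
    elif int(aes.group("bits")) < MIN_STRENGTH[impact]:
        reasons.append(f"AES-{aes.group('bits')} is below the {MIN_STRENGTH[impact]}-bit minimum for {impact}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # constructed sample configurations: the page's MODERATE suite, the same suite
    # offered for HIGH data, a TLS 1.3 suite, and a legacy CBC suite on TLS 1.1
    for args in [("MODERATE", "1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
                 ("HIGH", "1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
                 ("HIGH", "1.3", "TLS_AES_256_GCM_SHA384"),
                 ("MODERATE", "1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")]:
        print(args, check_tls(*args))
    print(check_fde("HIGH", "AES", 192), check_fde("HIGH", "AES", 128))
```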

Data-at-Rest & Data-in-Flight Encryption (INTEGRITY)


This section serves to outline the minimum cryptographic standards for use in a medical
record environment in accordance with the Health Insurance Portability and Accountability Act of
1996 (HIPAA) to enforce integrity. Guidance for cryptographic standards can be found in several
of the National Institute of Standards and Technology (NIST) Special Publications and Federal
Information Processing Standards (FIPS) documents. The following publications were used in this
document:
Technology               Standards Document
Data in Transit          NIST SP 800-52 rev 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
                         NIST SP 800-175B - Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
                         NIST SP 800-107 rev 2 - Recommendation for Applications Using Approved Hash Algorithms
                         FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems
                         FIPS PUB 198-1 - The Keyed-Hash Message Authentication Code (HMAC)
Data in Transit – Minimum Standards
Per FIPS 199, data where loss of message integrity would have a serious adverse effect on the
organization shall be rated as MODERATE. Loss of message integrity with a severe or catastrophic
adverse effect shall be rated as HIGH. Based on these criteria, NIST SP 800-175B requires a
minimum security strength of 128 bits for MODERATE and 192 bits for HIGH-impact information.
Referencing NIST SP 800-107 rev 2, for the selected key size an adequate message authentication
code algorithm would be SHA-384 or SHA-512/256 to ensure the integrity of data in transit. The
recommended cryptographic functions supporting the Keyed-Hash Message Authentication Code (HMAC)
for Data in Transit are:
MODERATE: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384
HIGH: TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA512
Justifications
Due to the critical nature of the information being disclosed within client health insurance
claims, all records should ensure message and data integrity. The biggest threat comes from
unauthorized third-party modification of data in transit while it is transmitted outside of the
corporate network. While it is assumed that the internal networks can be considered relatively safe,
transmission of data should still adhere to the minimum standards outlined by NIST.
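An added example (not from the original document) of the integrity control above: HMAC per FIPS PUB 198-1 with SHA-384 for MODERATE and SHA-512 for HIGH, in a constructed wire format that binds the impact label under the tag, together with the tamper case and a contrast with an unkeyed digest.

```python
import hashlib
import hmac
import os

# Hash per FIPS 199 impact level, following the SHA384 / SHA512 suites named
# above; the MAC construction is HMAC as specified in FIPS PUB 198-1.
HASH_FOR_IMPACT = {"MODERATE": hashlib.sha384, "HIGH": hashlib.sha512}
LABEL = {"MODERATE": b"M", "HIGH": b"H"}
TAG_LEN = {"MODERATE": 48, "HIGH": 64}      # digest sizes of SHA-384 and SHA-512 in bytes


def seal(key, record, impact):
    """Wire format (constructed for this example):
    1-byte impact label || record || HMAC(label || record).
    Covering the label with the tag stops a MODERATE-sealed message from being
    re-presented as a HIGH one."""
    body = LABEL[impact] + record
    return body + hmac.new(key, body, HASH_FOR_IMPACT[impact]).digest()


def unseal(key, message):
    """Verify and strip the tag; raises ValueError on tampering, truncation or relabelling."""
    impact = {v: k for k, v in LABEL.items()}.get(message[:1])
    if impact is None:
        raise ValueError("unknown impact label")
    n = TAG_LEN[impact]
    if len(message) < 1 + n:
        raise ValueError("message too short to carry a tag")
    body, tag = message[:-n], message[-n:]
    expected = hmac.new(key, body, HASH_FOR_IMPACT[impact]).digest()
    # compare_digest runs in constant time; a plain == would leak how many
    # leading tag bytes matched, one byte per timing measurement
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body[1:]


def demo():
    """Returns (HMAC accepts the intact record, HMAC rejects the tampered record,
    an unkeyed digest fails to notice the same tampering)."""
    key = os.urandom(64)                                                 # constructed demo key
    claim = b'{"claim_id":"C-1001","member":"M-42","amount":"250.00"}'   # constructed sample record
    message = seal(key, claim, "MODERATE")
    intact_ok = unseal(key, message) == claim
    try:
        unseal(key, message.replace(b"250.00", b"2500.00"))   # amount altered in transit
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Contrast: an unkeyed digest shipped beside the record is simply recomputed
    # by whoever edits the record, so the receiver's comparison still passes.
    edited = claim.replace(b"250.00", b"2500.00")
    shipped_digest = hashlib.sha384(edited).digest()
    unkeyed_fooled = hashlib.sha384(edited).digest() == shipped_digest
    return intact_ok, tamper_detected, unkeyed_fooled


if __name__ == "__main__":
    print(demo())
```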

Network Security Configuration Standards


This section serves to outline the minimum standards for non-cryptographic security controls
for use in a medical record environment in accordance with the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) to enforce integrity. Guidance for these secure configuration
standards can be found in several of the Center for Internet Security (CIS), Defense Information
Systems Agency (DISA), and National Institute of Standards and Technology (NIST) Special
Publications documents. The following publications were used in this document:
Technology                                 Standards Document
Secure Configuration Standards - Hardware  CIS Microsoft Windows 10 Enterprise Release 1803 Benchmark (1.5.0)
                                           Windows 10 STIG Version 1, Release 16 Checklist
                                           NIST SP 800-36 - Guide to Selecting Information Technology Security Products (Reference ONLY)
                                           NIST SP 800-123 - Guide to General Server Security
                                           NIST SP 800-153 - Guidelines for Securing Wireless Local Area Networks
Secure Configuration Standards – Minimum Standards
Per NIST SP 800-36, security should consist of a layered defense with no reliance on an
individual product that could serve as a single point of failure. A secure environment should consist of
identification/authentication protocols (such as a Kerberos/LDAP combination), access controls on
data, Intrusion Detection and Prevention products, both software- and hardware-based firewall
solutions, malicious code protection (anti-virus), and vulnerability scanners (Nessus/Qualys).
Optionally, there should be both forensics and media sanitization capabilities for completeness.
Justifications
Due to the continuous access to sensitive data by both personnel and customers, it is critical
that proper authentication and authorization measures be put in place to ensure that the data being
accessed is actually meant for that recipient. Given the potential for exploitable vulnerabilities
in unmaintained systems, standards enforcement should include restricting network access for
workstations that are improperly configured or lack proper security measures (such
as host-based anti-virus or firewalls). These secure configuration standards should be mandatory for
all remote employees who VPN into the network, as they are then effectively directly on the network. By
having a properly configured layered-defense model in place, a single point of failure that might
otherwise disclose sensitive information can be avoided. An example is the web server on which
sensitive data resides: should that machine become compromised, a hardware-based firewall or
Intrusion Detection/Prevention system may be able to alert on or prevent data exfiltration. Once again,
the cost of a layered-defense model is significantly lower than the costs associated with a
data breach.

Secure Key Distribution – Cryptography (CONFIDENTIALITY)


This section serves to outline the minimum standards for a Key Distribution Center (KDC)
implementation for use in a medical record environment in accordance with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) to enforce confidentiality and integrity.
Guidance for these secure configuration standards can be found in several of the National
Institute of Standards and Technology (NIST) Special Publications documents. The following
publications were used in this document:
Technology                                 Standards Document
Secure Key Distribution Center Standards   NIST SP 800-57 - Recommendation for Key Management
                                           NIST SP 800-71 (DRAFT) - Recommendation for Key Establishment Using Symmetric Block Ciphers
                                           NIST SP 800-123 - Guide to General Server Security
                                           NIST SP 800-152 - A Profile for U.S. Federal Cryptographic Key Management Systems
Key Distribution Center – Minimum Standards
Per NIST SP 800-71, due to the computational efficiency of symmetric key encryption, it is
preferred over the use of asymmetric key protocols. Furthermore, the distribution of these symmetric
keys should be handled through a Key Distribution Center. The Special Publication is not tied to
any individual KDC technology, but the chosen technology must meet several minimum
configuration requirements, including: control of keying material to prevent unauthorized
disclosure, modification or substitution; recovery in case of key-establishment process failure due to
questionable integrity; and auditing of the key-management process.
Justifications
Due to the continuous access to sensitive data by both personnel and customers, it is critical
that proper authentication and authorization measures be put in place to ensure that the data being
accessed is actually meant for that recipient. Requiring authentication to a Key Distribution
Center before symmetric keys are released ensures that the accessing party is truly who they present
themselves as. Authentication of this nature is validated through the account registration process
during employment or consumer registration. Due to the high volume of key generation required for
symmetric key encryption, management of these keys through a service such as Kerberos is required.
By utilizing Kerberos, the KDC can easily be integrated into the already adopted Microsoft Active
Directory services used to provide account management and authentication for employees, allowing
access to encrypted data within the network and in remote data stores.

Network Authentication (CONFIDENTIALITY/INTEGRITY/AVAILABILITY)


This section serves to outline the minimum standards for a Key Distribution Center (KDC)
implementation for use in a medical record environment in accordance with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) to enforce confidentiality and integrity.
Guidance for these secure configuration standards can be found in the Cisco and
Oracle configuration guides. The following publications were used in this document:
Technology                                 Standards Document
Kerberos Secure Configuration Standards    CISCO - User Security Configuration Guide: Kerberos
                                           NIST SP 800-57 - Recommendation for Key Management
                                           NIST SP 800-71 (DRAFT) - Recommendation for Key Establishment Using Symmetric Block Ciphers
                                           NIST SP 800-123 - Guide to General Server Security
                                           NIST SP 800-152 - A Profile for U.S. Federal Cryptographic Key Management Systems
                                           ORACLE - Increasing Security on Kerberos Servers
Kerberos – Minimum Standards
Per both the Cisco and Oracle configuration documents, Kerberos would be installed on the
corporate Domain Controller and integrated with Active Directory services to provide user authentication.
Kerberos works by storing the passwords of all the users on the network and performing authentication
based on a series of encryption techniques. The entire premise of Kerberos is that only the user and the KDC
know the password of the account attempting to authenticate. To begin, the user attempts to
authenticate to the Key Distribution Center (KDC) by constructing an authentication packet with a
timestamp and encrypting a portion of the packet using their password. Once the KDC receives the packet, it
looks at the username (in plain text) included with the packet. The KDC retrieves the password it has for
that user and attempts to decrypt the ciphertext of the packet. If successful, the client is authenticated and
receives a Ticket Granting Ticket (TGT) that is encrypted using Kerberos' key. When the authenticated
user attempts to access network resources, the client sends the TGT back to the Kerberos server along
with the network resource request. If Kerberos can successfully decrypt the TGT from the user, it
sends back a secondary ticket, encrypted using the network resource's private key, that allows access to
the network resource. This secondary ticket is sent to the network resource, which
attempts to decrypt the ticket using its private key. If successful, it is implied that the user is
who they say they are and is authorized to access the resource (based on the network resource's ACLs).
A reliable KDC alleviates the authentication concerns that arise when access is granted
to providers and remote users.
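The exchange described above, as an added example that is not part of the original document: a toy stand-in cipher (SHA-256 keystream plus HMAC tag) and PBKDF2 replace Kerberos' real encryption types, and the service's long-term symmetric key plays the role the text calls the network resource's private key. It also exercises the two rejection paths a KDC needs: a wrong password and a stale (replayed) authenticator.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption (SHA-256 keystream, then an HMAC-SHA256 tag).
# It stands in for Kerberos' real encryption types so the flow runs offline;
# the ticket flow, not the cipher, is what this example illustrates.
def _keystream(key, nonce, length):
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key, obj):
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(realm, username, password):
    # Kerberos derives the user's long-term key from the password (string-to-key,
    # salted with realm + principal); PBKDF2 is the assumed stand-in here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + username).encode(), 10_000)

CLOCK_SKEW = 300            # seconds; an older authenticator is treated as a replay
TICKET_LIFETIME = 8 * 3600  # seconds

class KDC:
    """Holds the long-term key of every principal (users and services) plus its own key."""

    def __init__(self, realm, principals):
        self.realm, self.keys = realm, dict(principals)
        self.kdc_key = os.urandom(32)   # "Kerberos' key" in the text: it seals TGTs

    def authenticate(self, username, auth_blob, now):
        """AS exchange: the username arrives in plain text; the timestamp only
        decrypts under the key derived from that user's password."""
        auth = decrypt(self.keys[username], auth_blob)   # raises on a wrong password
        if abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("stale authenticator (possible replay)")
        return encrypt(self.kdc_key, {"user": username, "expires": now + TICKET_LIFETIME})

    def grant(self, tgt_blob, service, now):
        """TGS exchange: the TGT must decrypt under the KDC's own key and be unexpired;
        the service ticket is sealed under the service's long-term key."""
        tgt = decrypt(self.kdc_key, tgt_blob)
        if now > tgt["expires"]:
            raise ValueError("TGT expired")
        ticket = {"user": tgt["user"], "service": service, "expires": now + TICKET_LIFETIME}
        return encrypt(self.keys[service], ticket)

def client_login(kdc, username, password, now):
    """Client side of the AS exchange: username plus a timestamp encrypted under the password key."""
    auth_blob = encrypt(password_key(kdc.realm, username, password), {"timestamp": now})
    return kdc.authenticate(username, auth_blob, now)

def service_accept(service_key, ticket_blob, service, now):
    """Resource side: the ticket must decrypt under our key, name us and be unexpired.
    Returns the authenticated username for the resource's own ACL check."""
    ticket = decrypt(service_key, ticket_blob)
    if ticket["service"] != service or now > ticket["expires"]:
        raise ValueError("ticket is not valid for this service")
    return ticket["user"]

def demo():
    """Returns (access granted, wrong password rejected, replayed authenticator rejected)."""
    realm, password = "ACME.LOCAL", "correct horse battery staple"   # constructed values
    fileserver_key = os.urandom(32)
    kdc = KDC(realm, {"alice": password_key(realm, "alice", password),
                      "fileserver": fileserver_key})
    now = time.time()
    tgt = client_login(kdc, "alice", password, now)
    user = service_accept(fileserver_key, kdc.grant(tgt, "fileserver", now), "fileserver", now)
    try:
        client_login(kdc, "alice", "wrong password", now)
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    stale = encrypt(password_key(realm, "alice", password), {"timestamp": now - 3600})
    try:
        kdc.authenticate("alice", stale, now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return user == "alice", wrong_pw_rejected, replay_rejected

if __name__ == "__main__":
    print(demo())
```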

Public Key Infrastructure – Certificates (Integrity)


This section serves to outline the minimum standards for a Public Key Infrastructure
(PKI) implementation for use in a medical record environment in accordance with the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) to enforce confidentiality and
integrity. Guidance for these secure configuration standards can be found in several of the
National Institute of Standards and Technology (NIST) Special Publications documents. The
following publications were used in this document:

Technology                                 Standards Document
Public Key Infrastructure Standards        NIST SP 800-32 - Introduction to Public Key Technology and the Federal PKI Infrastructure
                                           NIST SP 800-57 - Recommendation for Key Management
                                           NIST SP 800-71 (DRAFT) - Recommendation for Key Establishment Using Symmetric Block Ciphers
                                           NIST SP 800-152 - A Profile for U.S. Federal Cryptographic Key Management Systems

Public Key Infrastructure – Minimum Standards

Per the NIST Special Publications standards, Public Key Infrastructure technology should
be utilized wherever client-to-client and client-to-server communications occur. As such, each of
the servers and endpoints (providers, remote workers and customers) shall utilize TLS
connections that reference signed certificates with a valid Root, Intermediate and Issuance
certificate. For external communications, Entrust shall be the primary issuer of Root certificates.
Internal resource communications will utilize the self-signed ACME Inc. Root and Intermediate
certificates. Each certificate will be valid for two (2) years from date of issuance and must be
renewed for continuity of network access. Certificates will be issued through certificate requests
made on ServiceNow through IT. Should any certificate become invalid or revoked, it will be
added to the Online Certificate Status Protocol (OCSP) revocation list, which shall be distributed
to all clients and servers. At present, the biggest security risks come from compromise of
either Entrust's Certificate Authority private key used to sign certificates or the private key of
ACME Inc. used to sign internal certificates.

Threat Environment
Based on the level of layered security implemented within the ACME INC corporate
network, it is speculated that any significantly impactful threat will come from within the
company, whether an intentional malicious attack conducted by a disgruntled employee or an
accidental one caused by an unsuspecting user. Based on this assumption, several security measures have
been taken to provide continued preservation of data, as seen in the following figure:

Figure 1 – ACME INC Network Diagram


In addition to segmented user, provider and corporate data, scheduled backups are routinely
stored and tested at the off-site backup facility. Should an attacker attempt to access the network
from the internet, all web traffic is segmented in a DMZ protected by two firewalls which will
provide additional layers of security should the web servers become compromised.

Conclusion
Ultimately, the Health Insurance Portability and Accountability Act (HIPAA) is United
States Federal law and must be adhered to accordingly. The biggest threats to the company have
been evaluated to be insider threats, followed by external threats. By strategically deploying
cryptographic systems to ensure confidentiality, integrity, and availability of electronic health
records using NIST, FIPS, CIS or any of the other publicly recognized security configuration
standards available, ACME INC. can be reasonably assured that health claims information is
secure.

References
Barker, E. (2016, August). NIST Special Publication 800-175B Guideline for Using Cryptographic Standards in the Federal Government:

Barker, E. (2016, January). NIST Special Publication 800-57 Part 1 Revision 4. Retrieved March 17, 2019, from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Barker, E. (2016, January). NIST Special Publication 800-57 Part 1 Revision 4 - Recommendation for Key Management. Retrieved April 07,
2019, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Barker, E., & Barker, W. C. (2018, June). Draft NIST Special Publication 800-71 - Recommendation for Key Establishment Using Symmetric
Block Ciphers. Retrieved April 07, 2019, from https://csrc.nist.gov/CSRC/media/Publications/sp/800-71/draft/documents/sp800-71-draft.pdf

Barker, E., Smid, M., & Branstad, D. (2015, October). NIST Special Publication 800-152 - A Profile for U.S. Federal Cryptographic Key
Management Systems. Retrieved April 07, 2019, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-152.pdf

CIS. (2019, March 07). CIS Microsoft Windows 10 Enterprise Release 1803 Benchmark 1.5.0 Checklist Details. Retrieved March 30, 2019, from
https://nvd.nist.gov/ncp/checklist/899

CISCO. (2016, February 15). User Security Configuration Guide - Configuring Kerberos [Cisco Cloud Services Router 1000V Series]. Retrieved
April 12, 2019, from https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-16/sec-usr-cfg-xe-16-book/sec-cfg-
kerberos.html

Dang, Q. (2016, August). NIST Special Publication 800-107 Revision 1 Recommendation for Applications Using Approved Hash Algorithms.
Retrieved March 22, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf

DISA. (2017, April 28). Windows 10 STIG Version 1, Release 16 Checklist Details. Retrieved March 30, 2019, from
https://nvd.nist.gov/ncp/checklist/629

FIPS. (2004, February). FIPS PUB 198-1 The Keyed-Hash Message Authentication Code (HMAC). Retrieved March 22, 2019, from
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf

FIPS. (2004, February). FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems. Retrieved March
17, 2019, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Frankel, S. (2005, December). NIST Special Publication 800-77 Guide to IPsec VPNs. Retrieved March 17, 2019, from
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-77.pdf

Grace, T. (2003, October). NIST Special Publication 800-36 - Guide to Selecting Information Technology Security Products. Retrieved March
30, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-36.pdf

HHS Office of the Secretary, Office for Civil Rights (OCR). (2016, February 23). NIST-Security-HIPAA-Crosswalk. Retrieved March 17, 2019,
from https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html

HHS Office of the Secretary, Office for Civil Rights (OCR). (2016, February). HIPAA Security Rule Crosswalk to NIST Cybersecurity
Framework. Retrieved from https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf

HHS Office of the Secretary, Office for Civil Rights (OCR). (2018, October 31). Security Rule Guidance Material. Retrieved March 17, 2019,
from https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Kuhn, R. (2001, February 26). NIST Special Publication 800-32 - Introduction to Public Key Technology and the Federal PKI Infrastructure.
Retrieved April 20, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf

McKay, K., & Cooper, D. (2018, October). NIST Special Publication 800-52 Revision 2 Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations. Retrieved March 17, 2019, from https://csrc.nist.gov/CSRC/media/Publications/sp/800-
52/rev-2/draft/documents/sp800-52r2-draft2.pdf

NIST. (2008, October). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule. Retrieved March 17, 2019, from
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf?language=es

NIST. (2017, April 28). Network Infrastructure Router L3 Switch Version 8, Release 29 Checklist Details. Retrieved March 17, 2019, from
https://nvd.nist.gov/ncp/checklist/382

NIST. (2017, February 15). National Checklist Program. Retrieved March 30, 2019, from https://csrc.nist.gov/Projects/National-Checklist-
Program

Oracle. (2012, March 01). Increasing Security on Kerberos Servers. Retrieved April 12, 2019, from
https://docs.oracle.com/cd/E23824_01/html/821-1456/setup-280.html

Scarfone, K. (2008, July). NIST Special Publication 800-123 - Guide to General Server Security. Retrieved March 30, 2019, from
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf

Scarfone, K., & Hoffman, P. (2009, September). NIST Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy.
Retrieved March 17, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf

Souppaya, M. (2012, February). NIST Special Publication 800-153 - Guidelines for Securing Wireless Local Area Networks (WLANs).
Retrieved March 30, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf

Souppaya, M., & Scarfone, K. (2012, February). NIST Special Publication 800-153 Guidelines for Securing Wireless Local Area Networks
(WLANs). Retrieved March 17, 2019, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf
