Levels of assurance in authentication
This presentation is the property of its rightful owner.
Sponsored Links
1 / 20

Levels of Assurance in Authentication PowerPoint PPT Presentation


  • 89 Views
  • Uploaded on
  • Presentation posted in: General

Levels of Assurance in Authentication. Tim Polk April 24, 2007. Credits. Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation Neither would be possible without them!. Why Levels of Assurance?. Security Commensurate with Need

Download Presentation

Levels of Assurance in Authentication

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Levels of assurance in authentication

Levels of Assurance in Authentication

Tim Polk

April 24, 2007


Credits

Credits

  • Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation

    • Neither would be possible without them!


Why levels of assurance

Why Levels of Assurance?

  • Security Commensurate with Need

  • One Size Does Not Fit All!


Overview

Overview

  • A Cautionary Tale: FIPS 112

  • Current Events

    • OMB Memorandum 04-04

    • SP 800-63

    • The response to 800-63

  • Things To Look Forward To…


Fips 112 password usage

FIPS 112, Password Usage

  • Published May 1985

  • Established 10 factors and baseline criteria

    • Factor #1 was length range, and the baseline was four

  • Included three example systems:

    • Password system for {Low, Medium. High} protection requirements


Why a cautionary tale

Why A Cautionary Tale?

  • Agencies gravitated to the three example systems

    • They were intended as examples

  • Agencies continued using them long after their time had passed

    • Moderate protection was 4-8 characters (uppercase, lowercase, digits)

  • Prescriptive standards are easy to use, but don’t always lead to the best security


Current events

Current Events

  • OMB Memorandum 04-04

  • SP 800-63: Entity Authentication

  • Agency & Industry Feedback


Omb memorandum 04 04

OMB Memorandum 04-04

  • E-Authentication Guidance for Federal Agencies (12/16/2003)

    • Agencies classify electronic transactions into four levels of authentication assurance according to the potential consequences of an authentication error

    • NIST develops complementary authentication technical guidance to help agencies identify appropriate technologies

    • Agencies req’d to begin implementation in 90 days after NIST issues guidance


Sp 800 63

SP 800-63

  • Scope: technical authentication framework for secret-based remote authentication (06/2004)

    • token types

    • registration & identity proofing

    • authentication protocols


The players

The Players

  • Token: is a secret, or holds a secret used in a remote authentication protocol

  • Credential Service Provider (CSP): A trusted authority who issues identity or attribute tokens

  • Subscriber: A party whose identity or name (and possibly other attributes) is known to some authority

  • Registration Authority (RA): registers a person with some CSP

  • Relying party: relies on claimant’s identity or attributes

  • Verifier: verifies claimant’s identity


Level 1 authentication

Level 1 Authentication

  • Single factor: typically a password

  • Can’t send password in the clear

    • May still be vulnerable to eavesdroppers

  • Moderate password guessing difficulty requirements


Level 2 authentication

Level 2 Authentication

  • Single factor: typically a password

    • Must block eavesdroppers (e.g password tunneled through TLS)

    • Fairly strong password guessing difficulty requirements

    • May fall to main-in-the middle attacks, social engineering & phishing attacks


Level 3 authentication

Level 3 Authentication

  • 2 factors, typically a key encrypted under a password (soft token)

  • Must resist eavesdroppers

  • May be vulnerable to man-in-the-middle attacks (e.g. phishing & decoy websites), but must not divulge authentication key


Level 4 authentication

Level 4 Authentication

  • 2 factors: “hard token” unlocked by a password or biometric

  • Must resist eavesdroppers

  • Must resist man-in-the-middle attacks

  • Critical data transfer must be authenticated with a key bound to authentication


Tokens

Tokens

  • Passwords

  • Soft Cryptographic Tokens

  • One Time Password Devices

  • Hard Cryptographic Tokens


The response

The Response

  • It’s Fantastic

    • Finally, a basis to compare mechanisms!

  • It’s Too Prescriptive

    • What about bingo cards?

    • What about remote biometrics?

    • What about knowledge based authentication?

    • What about combinations of tokens?


Things to look forward to

Things To Look Forward To…

  • SP 800-63 Part 1 (Secret Based Authentication)

    • Goal is distribution for public comment 3Q FY2007

  • SP 800-63 Part 2 (KBA)

    • Goal is distribution for public comment 3Q FY2007

  • Research in remote biometrics


Sp 800 63 part 1 electronic authentication guideline

SP 800-63 Part 1: Electronic Authentication Guideline

  • Features more flexibility - and complexity

    • More classes of tokens

      • Including bingo cards

    • Tokens in combination

      • E.g., memorized secret with simple OTP

    • More support for assertions

    • More comprehensive Life Cycle


Sp 800 63 part 2 kba

SP 800-63 Part 2: KBA

  • The electronic process of establishing confidence in a user’s identity by verifying personal attributes presented to an information system.

  • KBA process consists of 2 parts: verifying that the identity actually exists and that the user is entitled to that identity.


Questions

Questions?

http://csrc.nist.gov

http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

[email protected]


  • Login