1 / 20

Levels of Assurance in Authentication

Levels of Assurance in Authentication. Tim Polk April 24, 2007. Credits. Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation Neither would be possible without them!. Why Levels of Assurance?. Security Commensurate with Need

martin-butler
Download Presentation

Levels of Assurance in Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Levels of Assurance in Authentication Tim Polk April 24, 2007

  2. Credits • Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation • Neither would be possible without them!

  3. Why Levels of Assurance? • Security Commensurate with Need • One Size Does Not Fit All!

  4. Overview • A Cautionary Tale: FIPS 112 • Current Events • OMB Memorandum 04-04 • SP 800-63 • The response to 800-63 • Things To Look Forward To…

  5. FIPS 112, Password Usage • Published May 1985 • Established 10 factors and baseline criteria • Factor #1 was length range, and the baseline was four • Included three example systems: • Password system for {Low, Medium. High} protection requirements

  6. Why A Cautionary Tale? • Agencies gravitated to the three example systems • They were intended as examples • Agencies continued using them long after their time had passed • Moderate protection was 4-8 characters (uppercase, lowercase, digits) • Prescriptive standards are easy to use, but don’t always lead to the best security

  7. Current Events • OMB Memorandum 04-04 • SP 800-63: Entity Authentication • Agency & Industry Feedback

  8. OMB Memorandum 04-04 • E-Authentication Guidance for Federal Agencies (12/16/2003) • Agencies classify electronic transactions into four levels of authentication assurance according to the potential consequences of an authentication error • NIST develops complementary authentication technical guidance to help agencies identify appropriate technologies • Agencies req’d to begin implementation in 90 days after NIST issues guidance

  9. SP 800-63 • Scope: technical authentication framework for secret-based remote authentication (06/2004) • token types • registration & identity proofing • authentication protocols

  10. The Players • Token: is a secret, or holds a secret used in a remote authentication protocol • Credential Service Provider (CSP): A trusted authority who issues identity or attribute tokens • Subscriber: A party whose identity or name (and possibly other attributes) is known to some authority • Registration Authority (RA): registers a person with some CSP • Relying party: relies on claimant’s identity or attributes • Verifier: verifies claimant’s identity

  11. Level 1 Authentication • Single factor: typically a password • Can’t send password in the clear • May still be vulnerable to eavesdroppers • Moderate password guessing difficulty requirements

  12. Level 2 Authentication • Single factor: typically a password • Must block eavesdroppers (e.g password tunneled through TLS) • Fairly strong password guessing difficulty requirements • May fall to main-in-the middle attacks, social engineering & phishing attacks

  13. Level 3 Authentication • 2 factors, typically a key encrypted under a password (soft token) • Must resist eavesdroppers • May be vulnerable to man-in-the-middle attacks (e.g. phishing & decoy websites), but must not divulge authentication key

  14. Level 4 Authentication • 2 factors: “hard token” unlocked by a password or biometric • Must resist eavesdroppers • Must resist man-in-the-middle attacks • Critical data transfer must be authenticated with a key bound to authentication

  15. Tokens • Passwords • Soft Cryptographic Tokens • One Time Password Devices • Hard Cryptographic Tokens

  16. The Response • It’s Fantastic • Finally, a basis to compare mechanisms! • It’s Too Prescriptive • What about bingo cards? • What about remote biometrics? • What about knowledge based authentication? • What about combinations of tokens?

  17. Things To Look Forward To… • SP 800-63 Part 1 (Secret Based Authentication) • Goal is distribution for public comment 3Q FY2007 • SP 800-63 Part 2 (KBA) • Goal is distribution for public comment 3Q FY2007 • Research in remote biometrics

  18. SP 800-63 Part 1: Electronic Authentication Guideline • Features more flexibility - and complexity • More classes of tokens • Including bingo cards • Tokens in combination • E.g., memorized secret with simple OTP • More support for assertions • More comprehensive Life Cycle

  19. SP 800-63 Part 2: KBA • The electronic process of establishing confidence in a user’s identity by verifying personal attributes presented to an information system. • KBA process consists of 2 parts: verifying that the identity actually exists and that the user is entitled to that identity.

  20. Questions? http://csrc.nist.gov http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf tim.polk@nist.gov

More Related