E-Authentication: What Technologies Are Effective?

Donna F Dodson

donna.dodson@nist.gov

April 21, 2008

Definition

- Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.

Authentication

- A fundamental cyber security service used by most applications and services.

- First line of defense against cyber attacks.

- Dates back to user passwords for time-sharing systems.

- Today, authentication needed for:

  o Local & Remote environments,

  o Humans & Devices

Authentication: The Players

- Claimant - The person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated.

- Registration Authority - A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP.

- Credential Service Provider - A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.

- Verifier - An entity that verifies the Claimant’s identity by verifying the Claimant’s possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.

- Relying Party - An entity that relies upon the Subscriber’s credentials, typically to process a transaction or grant access to information or a system.

Authentication: The Process

- Identity proofing, registration and the delivery of credentials which bind an identity to a token,

- Credentials and tokens (typically a cryptographic key or password) for proving identity,

- Token and Credential Management mechanisms,

- Authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be,

- Assertion mechanisms used to communicate the results of an authentication to other parties.

E-Authentication Model

[Figure: E-Authentication Model. Entities: Subscriber / Claimant, Registration Authority, CSP, Verifier, Relying Party. Labelled flows: Identity Proofing / User Registration; Registration Confirmation; Token / Credential Registration / Issuance; Authentication Protocol Exchange; Token / Credential Validation; Authentication Assertion; Authenticated Session. Left half of the figure: Registration and Credential Issuance and Maintenance; right half: E-Authentication using Token and Credential.]
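As an added example, not from these slides: a toy Python model of the process and the model figure above. The CSP registers a token and issues a credential binding a subscriber to it, the Verifier validates the credential and its status, runs a challenge-response so the token secret itself is never sent, and produces a signed assertion for the Relying Party. HMACs stand in for the digital signatures a real CSP and Verifier would use, and all subscriber names and keys are constructed here.

```python
import hashlib, hmac, json, secrets

def mac(key, data):  # keyed hash; stands in for a digital signature
    return hmac.new(key, data, "sha256").hexdigest()

class CSP:
    """Credential Service Provider: registers tokens, issues credentials, reports status."""
    def __init__(self):
        self._sign_key = secrets.token_bytes(32)   # key used to sign credentials
        self._tokens, self._revoked = {}, set()    # token_id -> secret; revoked ids
    def issue(self, subscriber):
        secret = secrets.token_bytes(32)           # the token: a cryptographic key
        token_id = hashlib.sha256(secret).hexdigest()[:16]
        self._tokens[token_id] = secret
        body = json.dumps({"subscriber": subscriber, "token_id": token_id})
        return secret, {"body": body, "sig": mac(self._sign_key, body.encode())}
    def revoke(self, cred):
        self._revoked.add(json.loads(cred["body"])["token_id"])
    def validate(self, cred):
        """Credential validation: genuine signature and not revoked, else None."""
        if not hmac.compare_digest(cred["sig"], mac(self._sign_key, cred["body"].encode())):
            return None
        info = json.loads(cred["body"])
        return None if info["token_id"] in self._revoked else info
    def token_secret(self, token_id):              # released only to a trusted Verifier
        return self._tokens[token_id]

def claimant_respond(secret, nonce):
    """Claimant proves possession of the token; the secret never leaves the Claimant."""
    return mac(secret, nonce)

class Verifier:
    def __init__(self, csp):
        self.csp, self._assert_key = csp, secrets.token_bytes(32)
    def challenge(self):
        return secrets.token_bytes(16)             # fresh nonce per attempt, so no replay
    def authenticate(self, cred, nonce, response):
        """Validate credential, check the response, return a signed assertion or None."""
        info = self.csp.validate(cred)
        if info is None:
            return None
        expected = mac(self.csp.token_secret(info["token_id"]), nonce)
        if not hmac.compare_digest(expected, response):
            return None
        body = json.dumps({"subscriber": info["subscriber"]})
        return {"body": body, "sig": mac(self._assert_key, body.encode())}
    def assertion_valid(self, assertion):          # the Relying Party's check
        return hmac.compare_digest(assertion["sig"], mac(self._assert_key, assertion["body"].encode()))
```

A run is: `secret, cred = csp.issue("alice")`, `nonce = verifier.challenge()`, then `verifier.authenticate(cred, nonce, claimant_respond(secret, nonce))`; a stale response, a tampered credential, a wrong token or a revoked credential all yield None.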
Authentication: Local vs Remote

- Local Authentication

  o Verifier control and supervision is comparatively easy

    - Verifier controls entire authentication system

    - Claimant may be supervised or unsupervised

    - Verifier knows claimant’s physical location

    - Little information flow

- Remote Authentication

  o Verifier control and supervision is harder

    - Verifier has little control over software or operating platform

    - Claimant is generally unsupervised

    - Network access: verifier knows only that claimant has network access

    - Often motivated by the flow of sensitive information

Authentication Factors

- Something you know

  o Typically some kind of password

- Something you have

  o For local authentication, typically an ID card

  o For remote authentication, typically a cryptographic key

- Something you are

  o A biometric

The more factors, the stronger the authentication.

NIST SP800-63-1: Electronic Authentication Guideline

- A NIST Recommendation

- Companion to OMB e-authentication guidance M04-04

  o Federal agencies classify electronic transactions into 4 levels of authentication assurance according to the potential consequences of an authentication error

- Remote authentication of users across open networks using conventional secret token based authentication

- No knowledge based authentication and little discussion of biometrics

Summary of Four Levels

- Level 1

  o Single factor: often a password

  o Can’t send password in the clear

  o Moderate password guessing difficulty requirements

- Level 2

  o Single factor

  o Requires secure authentication protocol (like TLS)

  o Fairly strong password guessing difficulty requirements

Summary of Four Levels (cont.)

- Level 3

  o Multiple factors required: either a single multi-factor token or a multi-token solution

  o Must resist eavesdroppers

  o May be vulnerable to man-in-the-middle attacks

- Level 4

  o Multi-factor hard token

  o Must resist man-in-the-middle attacks

  o Assertions not allowed

E-Auth Tokens

Token types: MST = Memorized Secret Token, PKT = Preregistered Knowledge Token, LUST = Look Up Secret Token, OBT = Out of Band Token, SFOTP = SF OTP Device, SFCT = SF Crypto Token, MFSCD = MF Software Crypto Device, MFOTP = MF OTP Device, MFCD = MF Crypto Device.

Each cell gives the assurance level (2, 3 or 4) reached by the pair of token types named by its row and column; the diagonal is a single token type used on its own.

        MST  PKT  LUST  OBT  SFOTP  SFCT  MFSCD  MFOTP  MFCD
MST      2    2    3     3    3      3     3      4      4
PKT           2    3     3    3      3     3      4      4
LUST               2     2    2      2     3      4      4
OBT                      2    2      2     3      4      4
SFOTP                         2      2     3      4      4
SFCT                                 2     3      4      4
MFSCD                                      3      4      4
MFOTP                                             4      4
MFCD                                                     4

FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors

- Response to Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors

- Secure and reliable forms of personal identification that are:

  o Based on sound criteria to verify an individual employee’s identity

  o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation

  o Rapidly verified electronically

  o Issued only by providers whose reliability has been established by an official accreditation process

HSPD 12: Requirements (cont.)

  o Applicable to all government organizations and contractors except identification associated with National Security Systems

  o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems

  o Flexible in selecting appropriate security level: includes graduated criteria from least secure to most secure

  o Implemented in a manner that protects citizens’ privacy

PIV Electronically Stored Data

Mandatory:

- PIN (used to prove the identity of the cardholder to the card)

- Cardholder Unique Identifier (CHUID)

- PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)

- Two biometric fingerprints (templates)

Optional:

- An asymmetric key pair and corresponding certificate for digital signatures

- An asymmetric key pair and corresponding certificate for key management

- Asymmetric or symmetric card authentication keys for supporting additional physical access applications

- Symmetric key(s) associated with the card management system



Graduated Assurance Levels for Identity Authentication

Authentication for Physical and Logical Access

Columns 2 to 4 give the applicable PIV authentication mechanism for each environment.

PIV Assurance Level Required   Physical Access   Logical Access:              Logical Access:
by Application/Resource                          Local Workstation            Remote/Network System
                                                 Environment                  Environment
SOME confidence                VIS, CHUID        CHUID                        PKI
HIGH confidence                BIO               BIO                          PKI
VERY HIGH confidence           BIO-A, PKI        BIO-A, PKI                   PKI

A Look at Knowledge Based Authentication

- Many definitions

- Without registration process, difficult to use for the release of sensitive information

  o Successful impostor will receive information without user realizing a fraud occurred

  o User cannot protect private (not secret) information

- May be useful when monetary risks can be evaluated



And Biometrics

- Biometrics tie an identity to a human body

- Biometric authentication depends on being sure that you have a fresh, true biometric capture

  o Easy if attended

  o Hard when bits come from anywhere on the Internet

- Standards still needed

- Many biometric technologies coming to the market


Authentication Effectiveness Metrics

- Near term requirements: various authentication methods exist but no clear way to compare and evaluate them for effectiveness

- Long term: build a general framework for evaluating diverse and emerging authentication methods

Challenges

- Difficult to quantify authentication effectiveness or authentication assurance

  o Different configurations

  o Many environments

- New methods continue to emerge

- Assessing the effectiveness of one technology is difficult, but today multiple technologies are bound together in solutions

Summary

- There is still work to do.

- NIST has established an identity management systems program within the Information Technology Lab

  o Brings together technologies like cryptography, biometrics and smart cards

  o Research and standards in technologies, models, metrics


Further Information

- Computer Security Resource Center: http://csrc.nist.gov/

- FIPS 201 and related documents: http://csrc.nist.gov/piv-program/

- Draft Special Publication 800-63-1: http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf