Author of Record

erosjellySecurity

Feb 23, 2014 (3 years and 5 months ago)

112 views

Author of Record

Digital Identity Management

Sub
-
Workgroup



October 24, 2012

Meeting Etiquette


Please announce your name each time prior to making comments or
suggestions during the call


Remember: If you are not speaking keep your phone on mute


Do not put your phone on hold


if you need to take a call, hang up
and dial in again when finished with your other call


Hold = Elevator Music = very frustrated speakers and participants


This meeting, like all of our meetings, is being recorded


Another reason to keep your phone on mute when not speaking!


Feel free to use the “Chat” or “Q&A” feature for questions or
comments




NOTE: This meeting is being recorded and will
be posted on the esMD Wiki page after the
meeting

From S&I Framework to Participants:

Hi everyone: remember to keep your
phone on mute


2

Agenda

3

Topic

Presenter

Authentication Credential Overview

Debbie
Bucci

Overview

of the DEA Interim Rule

Debbie
Bucci

Authentication Credentials
LOA3/LOA4

Oct 24, 2012



Authentication is the process of establishing confidence that an
individual who uses a credential that is known to the system (e.g.,
login name, digital certificate) is indeed the person to whom the
credential was issued


Three types of authenticators:


Something you know (e.g., password)


Something you have (e.g., smartcard, hard token, mobile
phone)


Something you are (e.g., fingerprint)


Multi
-
factor authentication requires more than one type


Authentication is
performed when
a user logs
into a system and
may be required again within a given session


Credential


binds the identity to the token



Authentication

800
-
63
-
1 Matrix

Memorized Secret Token

Pre
registered
Knowledge

Look
-
up
Secret

Out of
Band


SF
OTP

SF
Crypto

MF
Softwar
e
Crypto

MF
OTP

MF
Crypto


Memorized Secret
Token


Level 2

Level 2

Level 3

Level 3

Level 3

Level 3

Level 3

Level 4

Level 4

Pre
-
registered
Knowledge Token


X

Level 2

Level 3

Level 3

Level 3

Level 3

Level 3

Level 4

Level 4

Look
-
up Secret
Token


X

X

Level 2

Level 2

Level 2

Level 2

Level 3

Level 4

Level 4

Out of Band Token


X

X

X

Level 2

Level 2

Level 2

Level 3

Level 4

Level 4

SF OTP Device

X

X

X

X

Level 2

Level 2

Level 3

Level 4

Level 4

SF Cryptographic
Device

X

X

X

X

X

Level 2

Level 3

Level 4

Level 4

MF Software
Cryptographic
Token

X

X

X

X

X

X

Level 3

Level 4

Level 4

MF OTP Device

X

X

X

X

X

X

X

Level 4

Level 4

MF Cryptographic
Device

X

X

X

X

X

X

X

X

Level 4


Shared secret between user and credential provider


Something you know


Examples


Active Directory Passwords


WiFi

Passphrases


PIN




Memorized Secret Tokens


Challenge/Response


Pre
-
registered responses or images


Set of shared secrets


Something you know


Examples


I forgot my password setup


Transaction information
-

“what was the amount of your last
payment to your phone company”





Pre Registered Knowledge Tokens


Electronic or physical set of
shared secrets often printed on paper or
plastic


the
user is asked to provide a subset of characters printed on the
card


Something you have


Examples


Entrust Grid Cards


DualShield

GridID





Look
-
up secret Tokens


Physical token that can receive a secret for one time use


Something you have


Examples


SMS message on a registered cell phone





Out of Band Tokens


Hardware device


Something you have


Examples


RSA key fob token


Credit card password generator





Single Factor One
-
Time

Password (OTP) Device


Hardware device that performs crypto operation on input provided to
the device


Does not require a second factor


Generally a signed message


Something you have


Examples


PKI certificate





Single Factor Cryptographic
Device


Key is stored on a disk or soft media and requires activation


Does not require a second factor


Generally a signed message


Something you have and something you know


Examples


PKI certificate + PIN





Multi
-
Factor Cryptographic
Device


OTP hardware device that requires activation via PIN or biometric


Something you have and something you know /or something you
are


Examples


Verizon or
Symmantec

OTP offering


DAON
IdentityX





Multi
-
Factor OTP


Hardware device that contains protected key that requires activation
through a second factor


Possession of device and control of key


Something you have and something you know or something you are


Examples


PIV


PIV
-
I


ATM cards





Multi
-
Factor Cryptographic
Device



Requires the practitioner
to authenticate to the
application using an authentication protocol that
uses two of the following three factors:

1.
Something
only the practitioner knows, such as a
password or response to a challenge question.

2.
Something
the practitioner is, biometric data such
as a fingerprint or iris scan.

3.
Something
the practitioner has, a device (hard
token) separate from the computer to which the
practitioner is gaining access
.

DEA Interim Rule


Biometrics


Consulted extensively with NIST for recommendation


DEA did not specify type as to allow for greatest flexibility and
adaptation for new technologies in the future


Hard token must meet FIPS 140
-
2


New hard token or provide credential for an existing token


Must be separate from the machine used to access application


Delivered thru 2 channels (mail, telephone, email)


Would consider an alternative that does not diminish safety and
security of the system


Not to be confused with certificates needed to dispense controlled
substances although that DEA number/certificate information needs
to be associated with the signing


DEA Interim Rule