Author of Record Digital Identity Management Sub-Workgroup
October 24, 2012

Page 2: Meeting Etiquette

• Please announce your name each time prior to making comments or suggestions during the call
• Remember: If you are not speaking keep your phone on mute
• Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call
  – Hold = Elevator Music = very frustrated speakers and participants
• This meeting, like all of our meetings, is being recorded
  – Another reason to keep your phone on mute when not speaking!
• Feel free to use the “Chat” or “Q&A” feature for questions or comments

NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting

Page 3: Agenda

Topic                                Presenter
Authentication Credential Overview   Debbie Bucci
Overview of the DEA Interim Rule     Debbie Bucci

Page 4: Authentication Credentials LOA3/LOA4

Oct 24, 2012

Page 5: Authentication

• Authentication is the process of establishing confidence that an individual who uses a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued
  – Three types of authenticators:
    • Something you know (e.g., password)
    • Something you have (e.g., smartcard, hard token, mobile phone)
    • Something you are (e.g., fingerprint)
  – Multi-factor authentication requires more than one type
  – Authentication is performed when a user logs into a system and may be required again within a given session
  – Credential – binds the identity to the token

Page 6: 800-63-1 Matrix

Assurance level achieved by combining the token type in the row with the token type in the column. Cell values are Levels 2, 3 and 4; X marks the lower half of the symmetric matrix (the value is in the mirrored cell).

Column key: MS = Memorized Secret Token; PRK = Pre-registered Knowledge Token; LUS = Look-up Secret Token; OOB = Out of Band Token; SF OTP = Single Factor OTP Device; SF Crypto = Single Factor Cryptographic Device; MF SW Crypto = Multi-Factor Software Cryptographic Token; MF OTP = Multi-Factor OTP Device; MF Crypto = Multi-Factor Cryptographic Device

                                  MS   PRK   LUS   OOB   SF OTP   SF Crypto   MF SW Crypto   MF OTP   MF Crypto
Memorized Secret Token             2     2     3     3        3           3              3        4           4
Pre-registered Knowledge Token     X     2     3     3        3           3              3        4           4
Look-up Secret Token               X     X     2     2        2           2              3        4           4
Out of Band Token                  X     X     X     2        2           2              3        4           4
SF OTP Device                      X     X     X     X        2           2              3        4           4
SF Cryptographic Device            X     X     X     X        X           2              3        4           4
MF Software Cryptographic Token    X     X     X     X        X           X              3        4           4
MF OTP Device                      X     X     X     X        X           X              X        4           4
MF Cryptographic Device            X     X     X     X        X           X              X        X           4

Page 7: Memorized Secret Tokens

• Shared secret between user and credential provider
• Something you know
• Examples
  – Active Directory Passwords
  – WiFi Passphrases
  – PIN

Page 8: Pre Registered Knowledge Tokens

• Challenge/Response
• Pre-registered responses or images
• Set of shared secrets
• Something you know
• Examples
  – “I forgot my password” setup
  – Transaction information – “what was the amount of your last payment to your phone company”

Page 9: Look-up Secret Tokens

• Electronic or physical set of shared secrets often printed on paper or plastic
  – the user is asked to provide a subset of characters printed on the card
• Something you have
• Examples
  – Entrust Grid Cards
  – DualShield GridID

Page 10: Out of Band Tokens

• Physical token that can receive a secret for one time use
• Something you have
• Examples
  – SMS message on a registered cell phone

Page 11: Single Factor One-Time Password (OTP) Device

• Hardware device
• Something you have
• Examples
  – RSA key fob token
  – Credit card password generator

Page 12: Single Factor Cryptographic Device

• Hardware device that performs crypto operation on input provided to the device
• Does not require a second factor
• Generally a signed message
• Something you have
• Examples
  – PKI certificate

Page 13: Multi-Factor Cryptographic Device

• Key is stored on a disk or soft media and requires activation
• Does not require a second factor
• Generally a signed message
• Something you have and something you know
• Examples
  – PKI certificate + PIN

Page 14: Multi-Factor OTP

• OTP hardware device that requires activation via PIN or biometric
• Something you have and something you know or something you are
• Examples
  – Verizon or Symantec OTP offering
  – DAON IdentityX

Page 15: Multi-Factor Cryptographic Device

• Hardware device that contains protected key that requires activation through a second factor
• Possession of device and control of key
• Something you have and something you know or something you are
• Examples
  – PIV
  – PIV-I
  – ATM cards

Page 16: DEA Interim Rule

• Requires the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
  1. Something only the practitioner knows, such as a password or response to a challenge question.
  2. Something the practitioner is, biometric data such as a fingerprint or iris scan.
  3. Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

Page 17: DEA Interim Rule

• Biometrics
  – Consulted extensively with NIST for recommendation
  – DEA did not specify type so as to allow for greatest flexibility and adaptation for new technologies in the future
• Hard token must meet FIPS 140-2
  – New hard token or provide credential for an existing token
  – Must be separate from the machine used to access application
  – Delivered through 2 channels (mail, telephone, email)
• Would consider an alternative that does not diminish safety and security of the system
• Not to be confused with certificates needed to dispense controlled substances, although that DEA number/certificate information needs to be associated with the signing
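The factor rule on the Authentication slide (multi-factor means more than one factor type, not more than one token), the 800-63-1 combination matrix, and the DEA "two of three factors" requirement with its hard-token conditions, worked through together as an added Python example. This is not code from the slides or from the S&I Framework; the token-type names, the Authenticator fields (separate_device, fips_140_2, activation) and the sample inputs are assumptions constructed for the example. It goes slightly beyond the slide by resolving the matrix's X cells to their mirror image, so the lookup is order-independent.

```python
# Added example (not from the slide deck): classify presented authenticators
# by factor type, apply the DEA "two of three factors" rule, and look up the
# SP 800-63-1 level reached by combining two token types.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The three factor types from the "Authentication" slide.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Token types in the order of the 800-63-1 matrix, plus a standalone biometric
# (a factor under the DEA rule, not a row in the matrix). Names are assumed.
TOKEN_FACTORS = {
    "memorized_secret": {KNOW},
    "pre_registered_knowledge": {KNOW},
    "look_up_secret": {HAVE},
    "out_of_band": {HAVE},
    "sf_otp_device": {HAVE},
    "sf_crypto_device": {HAVE},
    "mf_software_crypto": {HAVE},   # MF tokens add their activation factor below
    "mf_otp_device": {HAVE},
    "mf_crypto_device": {HAVE},
    "biometric": {ARE},
}
MATRIX_ORDER = list(TOKEN_FACTORS)[:9]

# Upper triangle (diagonal included) of the "800-63-1 Matrix" slide, one row per
# token type; the slide's X cells are the mirror image of these values.
MATRIX_UPPER = [
    [2, 2, 3, 3, 3, 3, 3, 4, 4],
    [2, 3, 3, 3, 3, 3, 4, 4],
    [2, 2, 2, 2, 3, 4, 4],
    [2, 2, 2, 3, 4, 4],
    [2, 2, 3, 4, 4],
    [2, 3, 4, 4],
    [3, 4, 4],
    [4, 4],
    [4],
]


def combined_level(token_a: str, token_b: str) -> int:
    """Assurance level reached by combining two token types, in either order."""
    i, j = sorted((MATRIX_ORDER.index(token_a), MATRIX_ORDER.index(token_b)))
    return MATRIX_UPPER[i][j - i]


@dataclass(frozen=True)
class Authenticator:
    token_type: str
    separate_device: bool = False      # hard token separate from the access machine
    fips_140_2: bool = False           # hard token validated to FIPS 140-2
    activation: Optional[str] = None   # MF tokens only: KNOW (PIN) or ARE (biometric)


def factors_of(auth: Authenticator) -> set:
    """Factor types one authenticator proves; MF tokens add their activation factor."""
    factors = set(TOKEN_FACTORS[auth.token_type])
    if auth.token_type.startswith("mf_"):
        factors.add(auth.activation or KNOW)
    return factors


def distinct_factors(auths) -> set:
    return set().union(*(factors_of(a) for a in auths))


def is_multi_factor(auths) -> bool:
    """More than one factor *type*: a password plus a challenge question is
    two tokens but still a single factor (both 'something you know')."""
    return len(distinct_factors(auths)) > 1


def dea_two_factor_check(auths):
    """DEA interim rule as summarized on the slides: two of the three factors,
    and any 'something you have' must be a FIPS 140-2 hard token separate from
    the computer being accessed. Returns (ok, reasons)."""
    reasons = []
    if not is_multi_factor(auths):
        reasons.append("fewer than two distinct factor types presented")
    for a in auths:
        if HAVE in factors_of(a):
            if not a.separate_device:
                reasons.append(f"{a.token_type}: hard token must be separate from the access machine")
            if not a.fips_140_2:
                reasons.append(f"{a.token_type}: hard token must meet FIPS 140-2")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs.
    password = Authenticator("memorized_secret")
    question = Authenticator("pre_registered_knowledge")
    fob = Authenticator("sf_otp_device", separate_device=True, fips_140_2=True)
    piv = Authenticator("mf_crypto_device", separate_device=True, fips_140_2=True, activation=KNOW)
    for combo in ([password, question], [password, fob], [password, piv]):
        names = [a.token_type for a in combo]
        print(names, "multi-factor:", is_multi_factor(combo),
              "800-63-1 level:", combined_level(*names),
              "DEA:", dea_two_factor_check(combo))
```

The point the matrix makes and the code enforces is the same: a password combined with a pre-registered knowledge token stays at Level 2 and fails the DEA two-factor test, because both are "something you know"; adding a separate hardware token is what moves the combination to Level 3 or 4.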