Author of Record Digital Identity Management
Sub-Workgroup
October 24, 2012
Meeting Etiquette
• Please announce your name each time prior to making comments or suggestions during the call
• Remember: if you are not speaking, keep your phone on mute
• Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call
  – Hold = Elevator Music = very frustrated speakers and participants
• This meeting, like all of our meetings, is being recorded
  – Another reason to keep your phone on mute when not speaking!
• Feel free to use the “Chat” or “Q&A” feature for questions or comments
NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting
Agenda
Topic                                 Presenter
Authentication Credential Overview    Debbie Bucci
Overview of the DEA Interim Rule      Debbie Bucci
Authentication Credentials LOA3/LOA4
Oct 24, 2012

Authentication
• Authentication is the process of establishing confidence that an individual who uses a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued
  – Three types of authenticators:
    • Something you know (e.g., password)
    • Something you have (e.g., smartcard, hard token, mobile phone)
    • Something you are (e.g., fingerprint)
  – Multi-factor authentication requires more than one type
  – Authentication is performed when a user logs into a system and may be required again within a given session
  – Credential – binds the identity to the token
800-63-1 Matrix
Assurance level reached when the row token is combined with the column token (L2 = Level 2, L3 = Level 3, L4 = Level 4; X = cell not listed in the original).

Token type                         Memorized  Pre-reg    Look-up  Out of  SF   SF      MF SW   MF   MF
                                   Secret     Knowledge  Secret   Band    OTP  Crypto  Crypto  OTP  Crypto
Memorized Secret Token             L2         L2         L3       L3      L3   L3      L3      L4   L4
Pre-registered Knowledge Token     X          L2         L3       L3      L3   L3      L3      L4   L4
Look-up Secret Token               X          X          L2       L2      L2   L2      L3      L4   L4
Out of Band Token                  X          X          X        L2      L2   L2      L3      L4   L4
SF OTP Device                      X          X          X        X       L2   L2      L3      L4   L4
SF Cryptographic Device            X          X          X        X       X    L2      L3      L4   L4
MF Software Cryptographic Token    X          X          X        X       X    X       L3      L4   L4
MF OTP Device                      X          X          X        X       X    X       X       L4   L4
MF Cryptographic Device            X          X          X        X       X    X       X       X    L4
Memorized Secret Tokens
• Shared secret between user and credential provider
• Something you know
• Examples
  – Active Directory Passwords
  – WiFi Passphrases
  – PIN
Pre-Registered Knowledge Tokens
• Challenge/Response
• Pre-registered responses or images
• Set of shared secrets
• Something you know
• Examples
  – “I forgot my password” setup
  – Transaction information – “what was the amount of your last payment to your phone company”
Look-up Secret Tokens
• Electronic or physical set of shared secrets often printed on paper or plastic
  – The user is asked to provide a subset of characters printed on the card
• Something you have
• Examples
  – Entrust Grid Cards
  – DualShield GridID
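The verifier side of a look-up secret token, as an added example that is not part of the deck and is not any vendor's implementation: the server holds the card contents, issues a challenge naming a random subset of cells, and checks the user's answer once. The 5x5 grid, the 3-cell challenge size and the sample card are assumptions constructed for the example.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"
COLS = "12345"
_rng = secrets.SystemRandom()  # CSPRNG for both card contents and challenges


def make_card() -> dict:
    """Issue a fresh card: one random character per grid cell, keyed 'A1'..'E5'."""
    alphabet = string.ascii_uppercase + string.digits
    return {r + c: _rng.choice(alphabet) for r in ROWS for c in COLS}


def card_from_rows(rows) -> dict:
    """Build a card dict from five 5-character strings (used for the constructed sample)."""
    return {ROWS[i] + COLS[j]: rows[i][j] for i in range(5) for j in range(5)}


class GridCardVerifier:
    """Server-side state for one enrolled card.

    The card contents are a shared secret and must be stored with the same care
    as a password database; the challenge is single-use so a captured answer
    cannot be replayed against a later login.
    """

    def __init__(self, card: dict, cells_per_challenge: int = 3):
        self.card = card
        self.k = cells_per_challenge
        self.pending = None  # cells named in the outstanding challenge, if any

    def challenge(self) -> list:
        """Pick k distinct cells at random and remember them until verify() is called."""
        self.pending = _rng.sample(list(self.card), self.k)
        return list(self.pending)

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False  # nothing outstanding: answers without a challenge are rejected
        cells, self.pending = self.pending, None  # consume the challenge whatever the outcome
        expected = "".join(self.card[c] for c in cells)
        # Constant-time comparison; a length mismatch simply fails
        return hmac.compare_digest(expected.encode(), response.strip().upper().encode())


# Constructed sample card (not a real product's card)
SAMPLE_CARD = card_from_rows(["K7QW2", "PA9RF", "3TZL8", "JHBN4", "E6DYC"])

if __name__ == "__main__":
    v = GridCardVerifier(SAMPLE_CARD)
    asked = v.challenge()
    answer = "".join(SAMPLE_CARD[c] for c in asked)  # what the card holder would read off
    print(asked, v.verify(answer))
```

Because each challenge exposes only the cells it names, a shoulder-surfer or keylogger who sees one response learns three cells of twenty-five, which is why this class of token sits at Level 2 on its own in the matrix above and only reaches Level 3 or 4 when paired with a cryptographic or OTP device.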
Out of Band Tokens
• Physical token that can receive a secret for one-time use
• Something you have
• Examples
  – SMS message on a registered cell phone
Single Factor One-Time Password (OTP) Device
• Hardware device
• Something you have
• Examples
  – RSA key fob token
  – Credit card password generator
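What a key-fob OTP device and its server actually compute, as an added example that is not part of the deck and not RSA's or any vendor's algorithm: the event-based HOTP scheme from RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits), with the verifier keeping a look-ahead window and never accepting a counter value twice. The 20-byte secret is the RFC 4226 Appendix D test key, used here so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token: the shared key and the next
    counter value it expects. A small look-ahead window tolerates button presses
    whose codes never reached the server; once a code is accepted, that counter
    and every earlier one are burned, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, window: int = 5):
        self.key = key
        self.next_counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.next_counter = c + 1
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = HotpVerifier(RFC4226_SECRET)
    print(hotp(RFC4226_SECRET, 0))             # 755224 per RFC 4226 Appendix D
    print(v.verify(hotp(RFC4226_SECRET, 1)))   # True: within the look-ahead window
    print(v.verify(hotp(RFC4226_SECRET, 0)))   # False: counter already consumed
```

The device only ever needs the key and a counter, which is why it is "something you have" on its own; the multi-factor OTP variant later in the deck adds a PIN or biometric gate before the device will release a code, but the code itself is computed the same way.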
Single Factor Cryptographic Device
• Hardware device that performs a crypto operation on input provided to the device
• Does not require a second factor
• Generally a signed message
• Something you have
• Examples
  – PKI certificate
Multi-Factor Cryptographic Device
• Key is stored on a disk or soft media and requires activation
• Does not require a second factor
• Generally a signed message
• Something you have and something you know
• Examples
  – PKI certificate + PIN
Multi-Factor OTP
• OTP hardware device that requires activation via PIN or biometric
• Something you have and something you know or something you are
• Examples
  – Verizon or Symantec OTP offering
  – DAON IdentityX
Multi-Factor Cryptographic Device
• Hardware device that contains a protected key that requires activation through a second factor
• Possession of device and control of key
• Something you have and something you know or something you are
• Examples
  – PIV
  – PIV-I
  – ATM cards
DEA Interim Rule
• Requires the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
  1. Something only the practitioner knows, such as a password or response to a challenge question.
  2. Something the practitioner is, biometric data such as a fingerprint or iris scan.
  3. Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
DEA Interim Rule
• Biometrics
  – Consulted extensively with NIST for recommendation
  – DEA did not specify type so as to allow for greatest flexibility and adaptation for new technologies in the future
• Hard token must meet FIPS 140-2
  – New hard token or provide credential for an existing token
  – Must be separate from the machine used to access the application
  – Delivered through 2 channels (mail, telephone, email)
• Would consider an alternative that does not diminish safety and security of the system
• Not to be confused with certificates needed to dispense controlled substances, although that DEA number/certificate information needs to be associated with the signing