E-Authentication: What Technologies Are Effective?
Donna F Dodson
April 21, 2008
Definition
• Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.
Authentication
• A fundamental cyber security service used by most applications and services.
• First line of defense against cyber attacks.
• Dates back to user passwords for time-sharing systems.
• Today, authentication needed for:
  o Local & Remote environments
  o Humans & Devices
Authentication: The Players
• Claimant – The person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated.
• Registration Authority – A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP.
• Credential Service Provider - A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.
• Verifier – An entity that verifies the Claimant’s identity by verifying the Claimant’s possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
• Relying Party -An entity that relies upon the Subscriber’s credentials, typically to process a transaction or grant access to information or a system.
Authentication: The Process
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Credentials and tokens (typically a cryptographic key or password) for proving identity,
• Token and Credential Management mechanisms,
• Authentication mechanisms, that is, the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of an authentication to other parties.
Authentication: Local vs Remote
• Local Authentication
  o Verifier control and supervision is comparatively easy
    • Verifier controls entire authentication system
    • Claimant may be supervised or unsupervised
    • Verifier knows claimant’s physical location
    • Little information flow
• Remote Authentication
  o Verifier control and supervision is harder
    • Verifier has little control over software or operating platform
    • Claimant is generally unsupervised
    • Network access: verifier knows only that claimant has network access
    • Often motivated by the flow of sensitive information
Authentication Factors
• Something you know
  o Typically some kind of password
• Something you have
  o For local authentication, typically an ID card
  o For remote authentication, typically a cryptographic key
• Something you are
  o A biometric
The more factors, the stronger the authentication.
NIST SP800-63-1: Electronic Authentication Guideline
• A NIST Recommendation
• Companion to OMB e-authentication guidance M04-04
  o Federal agencies classify electronic transactions into 4 levels of needed authentication assurance according to the potential consequences of an authentication error
• Remote authentication of users across open networks using conventional secret token based authentication
• No knowledge based authentication and little discussion of biometrics
Summary of Four Levels
• Level 1
  o Single factor: often a password
  o Can’t send password in the clear
  o Moderate password guessing difficulty requirements
• Level 2
  o Single factor
  o Requires secure authentication protocol (like TLS)
  o Fairly strong password guessing difficulty requirements
Summary of Four Levels (cont.)
• Level 3
  o Multiple factors required: either a single multi-factor token or a multi-token solution
  o Must resist eavesdroppers
  o May be vulnerable to man-in-the-middle attacks
• Level 4
  o Multi-factor hard token
  o Must resist man-in-the-middle attacks
  o Assertions not allowed
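The difference between "must resist eavesdroppers" (Level 3) and "must resist man-in-the-middle attacks" (Level 4) above, shown with an added Python example that is not from the presentation or from SP 800-63-1: a verifier checks possession of a symmetric token key by HMAC challenge-response, and the assumed mitigation for relay is binding the response to an identifier of the channel the claimant opened (the identifiers here are constructed byte strings standing in for TLS session identifiers).

```python
import hashlib
import hmac
import os


def respond(token_key: bytes, nonce: bytes, channel_id: bytes = b"") -> bytes:
    """Claimant side: prove possession of the token key without sending it.
    The verifier's fresh nonce makes each response single-use, which is what
    defeats an eavesdropper; folding in the channel the claimant itself opened
    ties the response to that session, so a relayed copy fails (assumption:
    channel binding is the chosen man-in-the-middle countermeasure)."""
    return hmac.new(token_key, nonce + channel_id, hashlib.sha256).digest()


class Verifier:
    def __init__(self, subscriber_keys: dict):
        self.keys = subscriber_keys   # subscriber id -> token key registered by the CSP
        self.outstanding = {}         # nonce -> subscriber id; each nonce is consumed once

    def challenge(self, subscriber: str) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[nonce] = subscriber
        return nonce

    def verify(self, subscriber: str, nonce: bytes, response: bytes,
               channel_id: bytes = b"") -> bool:
        # Unknown or already-spent nonce: reject before any crypto is done.
        if self.outstanding.pop(nonce, None) != subscriber:
            return False
        expected = respond(self.keys[subscriber], nonce, channel_id)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = os.urandom(32)              # constructed token key for the example
    v = Verifier({"alice": key})
    r = {}
    n = v.challenge("alice")
    r["genuine"] = v.verify("alice", n, respond(key, n))
    # Eavesdropper replays the captured response: the nonce is already spent.
    r["replay"] = v.verify("alice", n, respond(key, n))
    # Level 3-style protocol, no channel binding: an intermediary that forwards
    # the nonce to the claimant and the response back to the verifier succeeds.
    n = v.challenge("alice")
    r["relay_unbound"] = v.verify("alice", n, respond(key, n))
    # Channel-bound variant: the claimant computes over the channel it opened
    # (to the intermediary); the verifier checks over the channel it sees.
    n = v.challenge("alice")
    r["relay_bound"] = v.verify("alice", n, respond(key, n, b"claimant-side-channel"),
                                b"verifier-side-channel")
    return r
```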
E-Auth Tokens
Rows and columns are token types; each cell gives the assurance level for the row token combined with the column token (same token type on the diagonal). Abbreviations: MST = Memorized Secret Token, PKT = Preregistered Knowledge Token, LUST = Look Up Secret Token, OBT = Out of Band Token, SFOTP = SF (single-factor) OTP Device, SFCT = SF Crypto Token, MFSCD = MF (multi-factor) Software Crypto Device, MFOTP = MF OTP Device, MFCD = MF Crypto Device.

       MST     PKT     LUST    OBT     SFOTP   SFCT    MFSCD   MFOTP   MFCD
MST    Level 2 Level 2 Level 3 Level 3 Level 3 Level 3 Level 3 Level 4 Level 4
PKT    -       Level 2 Level 3 Level 3 Level 3 Level 3 Level 3 Level 4 Level 4
LUST   -       -       Level 2 Level 2 Level 2 Level 2 Level 3 Level 4 Level 4
OBT    -       -       -       Level 2 Level 2 Level 2 Level 3 Level 4 Level 4
SFOTP  -       -       -       -       Level 2 Level 2 Level 3 Level 4 Level 4
SFCT   -       -       -       -       -       Level 2 Level 3 Level 4 Level 4
MFSCD  -       -       -       -       -       -       Level 3 Level 4 Level 4
MFOTP  -       -       -       -       -       -       -       Level 4 Level 4
MFCD   -       -       -       -       -       -       -       -       Level 4
FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors
• Response to Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors
• Secure and reliable forms of personal identification that are:
  o Based on sound criteria to verify an individual employee’s identity
  o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  o Rapidly verified electronically
  o Issued only by providers whose reliability has been established by an official accreditation process
HSPD 12: Requirements (cont.)
o Applicable to all government organizations and contractors except identification associated with National Security Systems
o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems
o Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
o Implemented in a manner that protects citizens’ privacy
PIV Electronically Stored Data
Mandatory:
  PIN (used to prove the identity of the cardholder to the card)
  Cardholder Unique Identifier (CHUID)
  PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
  Two biometric fingerprints (templates)
Optional:
  An asymmetric key pair and corresponding certificate for digital signatures
  An asymmetric key pair and corresponding certificate for key management
  Asymmetric or symmetric card authentication keys for supporting additional physical access applications
  Symmetric key(s) associated with the card management system
Graduated Assurance Levels for Identity Authentication
Authentication for Physical and Logical Access
PIV assurance level required by the application/resource, and the applicable PIV authentication mechanism for each access environment:

Required assurance      Physical access   Logical access,      Logical access,
                                          local workstation    remote/network system
SOME confidence         VIS, CHUID        CHUID                PKI
HIGH confidence         BIO               BIO                  PKI
VERY HIGH confidence    BIO-A, PKI        BIO-A, PKI           PKI
A Look at Knowledge Based Authentication
• Many definitions
• Without registration process, difficult to use for the release of sensitive information
  o Successful impostor will receive information without user realizing a fraud occurred
  o User cannot protect private (not secret) information
• May be useful when monetary risks can be evaluated
And Biometrics
• Biometrics tie an identity to a human body
• Biometric authentication depends on being sure that you have a fresh, true biometric capture
  o Easy if attended
  o Hard when bits come from anywhere on the Internet
• Standards still needed
• Many biometric technologies coming to the market
Authentication Effectiveness Metrics
• Near term requirements – various authentication methods exist but no clear way to compare and evaluate them for effectiveness
• Long term – build a general framework for evaluating diverse and emerging authentication methods
Challenges
• Difficult to quantify authentication effectiveness or authentication assurance
  o Different configurations
  o Many environments
• New methods continue to emerge
• Assessing the effectiveness of one technology is difficult, and today multiple technologies are bound together in solutions
Summary
• There is still work to do.
• NIST has established an identity management systems program within the Information Technology Lab
  o Brings together technologies like cryptography, biometrics and smart cards
  o Research and standards in technologies, models, metrics
Further Information
Computer Security Resource Center: http://csrc.nist.gov/
FIPS 201 and related documents: http://csrc.nist.gov/piv-program/
Draft Special Publication 800-63-1: http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf