
E-Authentication: What Technologies Are Effective?

Donna F Dodson

[email protected]

April 21, 2008

Definition

• Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.

Authentication

• A fundamental cyber security service used by most applications and services.

• First line of defense against cyber attacks.

• Dates back to user passwords for time-sharing systems.

• Today, authentication needed for:

o Local & Remote environments,

o Humans & Devices

Authentication: The Players

• Claimant - The person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated.

• Registration Authority – A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP.

• Credential Service Provider - A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.

• Verifier – An entity that verifies the Claimant’s identity by verifying the Claimant’s possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.

• Relying Party - An entity that relies upon the Subscriber’s credentials, typically to process a transaction or grant access to information or a system.

Authentication: The Process

• Identity proofing, registration and the delivery of credentials which bind an identity to a token,

• Credentials and tokens (typically a cryptographic key or password) for proving identity,

• Token and Credential Management mechanisms,

• Authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be,

• Assertion mechanisms used to communicate the results of an authentication to other parties.

E-Authentication Model

Authentication: Local vs Remote

• Local Authentication

o Verifier control and supervision is comparatively easy

• Verifier controls entire authentication system

• Claimant may be supervised or unsupervised

• Verifier knows claimant’s physical location

• Little information flow

• Remote Authentication

o Verifier control and supervision is harder

• Verifier has little control over software or operating platform

• Claimant is generally unsupervised

• Network access: verifier knows only that claimant has network access

• Often motivated for the flow of sensitive information

Authentication Factors

• Something you know

o Typically some kind of password

• Something you have

o For local authentication, typically an ID card

o For remote authentication, typically a cryptographic key

• Something you are

o A biometric

The more factors, the stronger the authentication.

NIST SP800-63-1: Electronic Authentication Guideline

• A NIST Recommendation

• Companion to OMB e-authentication guidance M04-04

o Federal agencies classify electronic transactions into 4 levels needed for authentication assurance according to the potential consequences of an authentication error

• Remote authentication of users across open networks using conventional secret token based authentication

• No knowledge based authentication and little discussion of biometrics

Summary of Four Levels

• Level 1

o Single factor: often a password

o Can’t send password in the clear

o Moderate password guessing difficulty requirements

• Level 2

o Single factor

o Requires secure authentication protocol (like TLS)

o Fairly strong password guessing difficulty requirements

Summary of Four Levels (cont.)

• Level 3

o Multiple factors required: either a single multi-factor token or multi-token solutions

o Must resist eavesdroppers

o May be vulnerable to man-in-the-middle attacks

• Level 4

o Multi-factor hard token

o Must resist man-in-the-middle attacks

o Assertions not allowed
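As an added illustration (not code from the slides or from NIST), the exchange below plays out the Verifier and Claimant roles from the Players slide as a symmetric challenge-response over a key-based token: the key never crosses the network and each challenge is single-use, so a response recorded by an eavesdropper is useless later, which is the property the slides require at Level 3. The HMAC construction, the class names and the sample key are assumptions chosen for the demonstration; the exchange does not address man-in-the-middle resistance, which the slides reserve for Level 4.

```python
# Added example, not from the slides: symmetric challenge-response between a
# Claimant holding a key-based token and a Verifier (names are assumed here).
import hashlib
import hmac
import secrets


class Claimant:
    """Holds the token secret, e.g. a symmetric card authentication key."""

    def __init__(self, subscriber_id: str, token_key: bytes) -> None:
        self.subscriber_id = subscriber_id
        self._token_key = token_key

    def respond(self, nonce: bytes) -> bytes:
        # Only a keyed digest of the verifier's challenge goes on the wire;
        # the key itself never leaves the claimant.
        return hmac.new(self._token_key, nonce, hashlib.sha256).digest()


class Verifier:
    """Checks possession of the registered token; nonces are single-use."""

    def __init__(self, registry: dict) -> None:
        self._registry = registry        # subscriber_id -> registered key
        self._outstanding = {}           # subscriber_id -> live challenge

    def challenge(self, subscriber_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh for every attempt
        self._outstanding[subscriber_id] = nonce
        return nonce

    def verify(self, subscriber_id: str, response: bytes) -> bool:
        nonce = self._outstanding.pop(subscriber_id, None)  # consume it
        key = self._registry.get(subscriber_id)
        if nonce is None or key is None:
            return False                 # no live challenge, or unknown id
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(claimant: Claimant, verifier: Verifier) -> tuple:
    """Returns (genuine attempt accepted, replay of the same response accepted)."""
    nonce = verifier.challenge(claimant.subscriber_id)
    response = claimant.respond(nonce)
    first = verifier.verify(claimant.subscriber_id, response)
    # An eavesdropper who recorded `response` gains nothing: that nonce was
    # consumed, and any later challenge needs a digest over a different nonce.
    verifier.challenge(claimant.subscriber_id)
    replay = verifier.verify(claimant.subscriber_id, response)
    return first, replay
```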

E-Auth Tokens

Token types (abbreviations used in the table below; SF = single-factor, MF = multi-factor):

MST   - Memorized Secret Token
PKT   - Preregistered Knowledge Token
LUST  - Look Up Secret Token
OBT   - Out of Band Token
SFOTP - SF OTP Device
SFCT  - SF Crypto Token
MFSCD - MF Software Crypto Device
MFOTP - MF OTP Device
MFCD  - MF Crypto Device

Assurance level reached by the row token on its own (diagonal) or in combination with the column token (cell values are levels: 2 = Level 2, 3 = Level 3, 4 = Level 4):

        MST  PKT  LUST  OBT  SFOTP  SFCT  MFSCD  MFOTP  MFCD
MST     2    2    3     3    3      3     3      4      4
PKT          2    3     3    3      3     3      4      4
LUST              2     2    2      2     3      4      4
OBT                     2    2      2     3      4      4
SFOTP                        2      2     3      4      4
SFCT                                2     3      4      4
MFSCD                                     3      4      4
MFOTP                                            4      4
MFCD                                                    4

FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors

• Response to Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors

• Secure and reliable forms of personal identification that are:

o Based on sound criteria to verify an individual employee’s identity

o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation

o Rapidly verified electronically

o Issued only by providers whose reliability has been established by an official accreditation process

HSPD 12: Requirements (cont.)

o Applicable to all government organizations and contractors except identification associated with National Security Systems

o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems

o Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure

o Implemented in a manner that protects citizens’ privacy

PIV Electronically Stored Data

Mandatory:

PIN (used to prove the identity of the cardholder to the card)

Cardholder Unique Identifier (CHUID)

PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)

Two biometric fingerprints (templates)

Optional:

An asymmetric key pair and corresponding certificate for digital signatures

An asymmetric key pair and corresponding certificate for key management

Asymmetric or symmetric card authentication keys for supporting additional physical access applications

Symmetric key(s) associated with the card management system

Graduated Assurance Levels for Identity Authentication

Authentication for Physical and Logical Access

Applicable PIV Authentication Mechanism for each environment, by the PIV assurance level required by the application/resource:

PIV Assurance Level        Physical Access   Logical Access:         Logical Access:
Required by                                  Local Workstation       Remote/Network System
Application/Resource                         Environment             Environment

SOME confidence            VIS, CHUID        CHUID                   PKI
HIGH confidence            BIO               BIO                     PKI
VERY HIGH confidence       BIO-A, PKI        BIO-A, PKI              PKI

A Look at Knowledge Based Authentication

• Many definitions

• Without a registration process, difficult to use for the release of sensitive information

o Successful impostor will receive information without the user realizing a fraud occurred

o User cannot protect private (not secret) information

• May be useful when monetary risks can be evaluated

And Biometrics

• Biometrics tie an identity to a human body

• Biometric authentication depends on being sure that you have a fresh, true biometric capture

o Easy if attended

o Hard when bits come from anywhere on the Internet

• Standards still needed

• Many biometric technologies coming to the market

Authentication Effectiveness Metrics

• Near term requirements – various authentication methods exist but no clear way to compare and evaluate them for effectiveness

• Long term – build a general framework for evaluating diverse and emerging authentication methods

Challenges

• Difficult to quantify authentication effectiveness or authentication assurance

o Different configurations

o Many environments

• New methods continue to emerge

• Assessing the effectiveness of one technology is difficult, but today multiple technologies are bound together in solutions

Summary

• There is still work to do.

• NIST has established an identity management systems program within the Information Technology Lab

o Brings together technologies like cryptography, biometrics and smart cards

o Research and standards in technologies, models, metrics

Further Information

Computer Security Resource Center http://csrc.nist.gov/

FIPS 201 and related documents http://csrc.nist.gov/piv-program/

Draft Special Publication 800-63-1 http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf