Identity Proofing - Dartmouth College


E-Authentication: What Technologies Are Effective?
Donna F Dodson
[email protected]
April 21, 2008
Definition
• Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.
Authentication
• A fundamental cyber security service used by most applications and services.
• First line of defense against cyber attacks.
• Dates back to user passwords for timesharing systems.
• Today, authentication is needed for:
  o Local & Remote environments,
  o Humans & Devices
Authentication: The Players
• Claimant – The person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated.
• Registration Authority – A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP.
• Credential Service Provider – A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.
• Verifier – An entity that verifies the Claimant’s identity by verifying the Claimant’s possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
• Relying Party – An entity that relies upon the Subscriber’s credentials, typically to process a transaction or grant access to information or a system.
Authentication: The Process
• Identity proofing, registration and the delivery of credentials which bind an identity to a token,
• Credentials and tokens (typically a cryptographic key or password) for proving identity,
• Token and Credential Management mechanisms,
• Authentication mechanisms, that is, the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be,
• Assertion mechanisms used to communicate the results of an authentication to other parties.
E-Authentication Model
[Figure: E-Authentication using Token and Credential. Labels recoverable from the slide:
 Registration and Credential Issuance and Maintenance: Subscriber/Claimant, Identity Proofing / User Registration, Registration Authority, Registration Confirmation, CSP, Token / Credential Issuance;
 Authentication: Subscriber/Claimant, Authentication Protocol Exchange, Verifier, Token / Credential Validation (Verifier and CSP), Authentication Assertion (Verifier to Relying Party), Authenticated Session (Subscriber/Claimant and Relying Party).]
Authentication: Local vs Remote
• Local Authentication
  o Verifier control and supervision is comparatively easy
    • Verifier controls entire authentication system
    • Claimant may be supervised or unsupervised
    • Verifier knows claimant’s physical location
    • Little information flow
• Remote Authentication
  o Verifier control and supervision is harder
    • Verifier has little control over software or operating platform
    • Claimant is generally unsupervised
    • Network access: verifier knows only that claimant has network access
    • Often motivated by the flow of sensitive information
Authentication Factors
• Something you know
  o Typically some kind of password
• Something you have
  o For local authentication, typically an ID card
  o For remote authentication, typically a cryptographic key
• Something you are
  o A biometric
The more factors, the stronger the authentication.
NIST SP800-63-1: Electronic Authentication Guideline
• A NIST Recommendation
• Companion to OMB e-authentication guidance M04-04
  o Federal agencies classify electronic transactions into 4 levels of authentication assurance according to the potential consequences of an authentication error
• Remote authentication of users across open networks using conventional secret-token-based authentication
• No knowledge based authentication and little discussion of biometrics
Summary of Four Levels
• Level 1
  o Single factor: often a password
  o Can’t send password in the clear
  o Moderate password guessing difficulty requirements
• Level 2
  o Single factor
  o Requires secure authentication protocol (like TLS)
  o Fairly strong password guessing difficulty requirements
Summary of Four Levels (cont.)
• Level 3
  o Multi-factor required: either a single multi-factor token or a multi-token solution
  o Must resist eavesdroppers
  o May be vulnerable to man-in-the-middle attacks
• Level 4
  o Multi-factor hard token
  o Must resist man-in-the-middle attacks
  o Assertions not allowed
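The model from the earlier slides (Claimant, CSP, Verifier, Relying Party, assertion) together with the eavesdropper resistance Level 3 calls for, as an added Python example that is not part of the original presentation and not NIST code; the HMAC-key token, the `Credential` record, the `Verifier` and `relying_party_accepts` functions and the Verifier-RP assertion key are all constructed assumptions.

```python
import hashlib, hmac, json, os
from dataclasses import dataclass

# Constructed illustration of the e-authentication model; not NIST code.
# Token = symmetric key the Subscriber holds; credential = CSP record
# binding identity to token; assertion = MAC'd statement for the Relying Party.

@dataclass
class Credential:
    subscriber_id: str
    token_id: str
    status: str = "active"      # the Verifier checks this, not just the token

class CSP:
    """Credential Service Provider: registers tokens, issues credentials."""
    def __init__(self):
        self.tokens = {}        # token_id -> key (the Verifier consults these)
        self.credentials = {}   # subscriber_id -> Credential
    def register(self, subscriber_id):
        token_id, key = os.urandom(8).hex(), os.urandom(32)
        self.tokens[token_id] = key
        self.credentials[subscriber_id] = Credential(subscriber_id, token_id)
        return key              # delivered to the Subscriber at registration
    def revoke(self, subscriber_id):
        self.credentials[subscriber_id].status = "revoked"

def prove_possession(key, nonce, subscriber_id):
    """Claimant side: answers the challenge; the key never crosses the wire."""
    return hmac.new(key, nonce + subscriber_id.encode(), hashlib.sha256).digest()

class Verifier:
    def __init__(self, csp, assertion_key):
        self.csp, self.assertion_key = csp, assertion_key
    def challenge(self):
        return os.urandom(16)   # fresh per attempt: a recorded response cannot be replayed
    def verify(self, subscriber_id, nonce, response):
        """Validate credential status and token possession; return an assertion or None."""
        cred = self.csp.credentials.get(subscriber_id)
        if cred is None or cred.status != "active":
            return None
        expected = prove_possession(self.csp.tokens[cred.token_id], nonce, subscriber_id)
        if not hmac.compare_digest(expected, response):
            return None
        body = json.dumps({"sub": subscriber_id}).encode()
        return body + b"." + hmac.new(self.assertion_key, body, hashlib.sha256).hexdigest().encode()

def relying_party_accepts(assertion, assertion_key):
    """Relying Party checks only the assertion MAC; it never sees the token."""
    body, _, mac = assertion.rpartition(b".")
    return hmac.compare_digest(mac, hmac.new(assertion_key, body, hashlib.sha256).hexdigest().encode())
```

A response captured by an eavesdropper fails against the next challenge because the nonce changes, and a revoked credential fails even with the right token, which is the status check the Verifier definition asks for.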
E-Auth Tokens
Token types (SF = single-factor, MF = multi-factor):
  MST    Memorized Secret Token
  PKT    Preregistered Knowledge Token
  LUST   Look Up Secret Token
  OBT    Out of Band Token
  SFOTP  SF OTP Device
  SFCT   SF Crypto Token
  MFSCD  MF Software Crypto Device
  MFOTP  MF OTP Device
  MFCD   MF Crypto Device

Assurance level reached by a token used alone (diagonal) or by a combination of the row and column tokens:

        MST  PKT  LUST  OBT  SFOTP  SFCT  MFSCD  MFOTP  MFCD
MST      2    2    3     3    3      3     3      4      4
PKT           2    3     3    3      3     3      4      4
LUST               2     2    2      2     3      4      4
OBT                      2    2      2     3      4      4
SFOTP                         2      2     3      4      4
SFCT                                 2     3      4      4
MFSCD                                      3      4      4
MFOTP                                             4      4
MFCD                                                     4
FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors
• Response to Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors
• Secure and reliable forms of personal identification that are:
  o Based on sound criteria to verify an individual employee’s identity
  o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  o Rapidly verified electronically
  o Issued only by providers whose reliability has been established by an official accreditation process
HSPD 12: Requirements (cont.)
  o Applicable to all government organizations and contractors except identification associated with National Security Systems
  o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems
  o Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
  o Implemented in a manner that protects citizens’ privacy
PIV Electronically Stored Data
Mandatory:
• PIN (used to prove the identity of the cardholder to the card)
• Cardholder Unique Identifier (CHUID)
• PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
• Two biometric fingerprints (templates)
Optional:
• An asymmetric key pair and corresponding certificate for digital signatures
• An asymmetric key pair and corresponding certificate for key management
• Asymmetric or symmetric card authentication keys for supporting additional physical access applications
• Symmetric key(s) associated with the card management system
Graduated Assurance Levels for Identity Authentication
Authentication for Physical and Logical Access

PIV Assurance Level Required   Applicable PIV Authentication Mechanism
by Application/Resource        Physical Access   Logical Access:         Logical Access:
                                                 Local Workstation       Remote/Network
                                                 Environment             System Environment
SOME confidence                VIS, CHUID        CHUID                   PKI
HIGH confidence                BIO               BIO                     PKI
VERY HIGH confidence           BIO-A, PKI        BIO-A, PKI              PKI
A Look at Knowledge Based Authentication
• Many definitions
• Without a registration process, difficult to use for the release of sensitive information
  o A successful impostor will receive information without the user realizing a fraud occurred
  o User cannot protect private (not secret) information
• May be useful when monetary risks can be evaluated
And Biometrics
• Biometrics tie an identity to a human body
• Biometric authentication depends on being sure that you have a fresh, true biometric capture
  o Easy if attended
  o Hard when bits come from anywhere on the Internet
• Standards still needed
• Many biometric technologies coming to the market
Authentication Effectiveness Metrics
• Near term requirements – various authentication methods exist but no clear way to compare and evaluate them for effectiveness
• Long term – build a general framework for evaluating diverse and emerging authentication methods
Challenges
• Difficult to quantify authentication effectiveness or authentication assurance
  o Different configurations
  o Many environments
• New methods continue to emerge
• Assessing the effectiveness of one technology is difficult, but today multiple technologies are bound together in solutions
Summary
• There is still work to do.
• NIST has established an identity management systems program within the Information Technology Lab
  o Brings together technologies like cryptography, biometrics and smart cards
  o Research and standards in technologies, models, metrics
Further Information
• Computer Security Resource Center
  http://csrc.nist.gov/
• FIPS 201 and related documents
  http://csrc.nist.gov/piv-program/
• Draft Special Publication 800-63-1
  http://csrc.nist.gov/publications/drafts/800-631/Draft_SP-800-63-1_2008Feb20.pdf