
E-Authentication: What Technologies Are Effective? Donna F Dodson April 21, 2008.


1 E-Authentication: What Technologies Are Effective?
Donna F Dodson
donna.dodson@nist.gov
April 21, 2008

2 Definition
Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.

3 Authentication
- A fundamental cyber security service used by most applications and services.
- First line of defense against cyber attacks.
- Dates back to user passwords for time-sharing systems.
- Today, authentication is needed for:
  o Local and remote environments
  o Humans and devices

4 Authentication: The Players
- Claimant: the person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated.
- Registration Authority: a trusted entity that establishes and vouches for the identity of a Subscriber to a CSP.
- Credential Service Provider (CSP): a trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers.
- Verifier: an entity that verifies the Claimant's identity by verifying the Claimant's possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.
- Relying Party: an entity that relies upon the Subscriber's credentials, typically to process a transaction or grant access to information or a system.

5 Authentication: The Process
- Identity proofing, registration and the delivery of credentials which bind an identity to a token,
- Credentials and tokens (typically a cryptographic key or password) for proving identity,
- Token and credential management mechanisms,
- Authentication mechanisms, that is, the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be,
- Assertion mechanisms used to communicate the results of an authentication to other parties.

6 E-Authentication Model

7 Authentication: Local vs Remote
Local Authentication
  o Verifier control and supervision is comparatively easy
  o Verifier controls the entire authentication system
  o Claimant may be supervised or unsupervised
  o Verifier knows the claimant's physical location
  o Little information flow
Remote Authentication
  o Verifier control and supervision is harder
  o Verifier has little control over software or operating platform
  o Claimant is generally unsupervised
  o Network access: the verifier knows only that the claimant has network access
  o Often motivated by the flow of sensitive information

8 Authentication Factors
- Something you know
  o Typically some kind of password
- Something you have
  o For local authentication, typically an ID card
  o For remote authentication, typically a cryptographic key
- Something you are
  o A biometric
The more factors, the stronger the authentication.

9 NIST SP 800-63-1: Electronic Authentication Guideline
- A NIST Recommendation
- Companion to OMB e-authentication guidance M-04-04
  o Federal agencies classify electronic transactions into four levels of needed authentication assurance according to the potential consequences of an authentication error
- Covers remote authentication of users across open networks using conventional secret-token-based authentication
- No knowledge-based authentication and little discussion of biometrics

10 Summary of Four Levels
Level 1
  o Single factor: often a password
  o Can't send the password in the clear
  o Moderate password-guessing difficulty requirements
Level 2
  o Single factor
  o Requires a secure authentication protocol (like TLS)
  o Fairly strong password-guessing difficulty requirements

11 Summary of Four Levels (cont.)
Level 3
  o Multiple factors required: either a single multi-factor token or a multi-token solution
  o Must resist eavesdroppers
  o May be vulnerable to man-in-the-middle attacks
Level 4
  o Multi-factor hard token
  o Must resist man-in-the-middle attacks
  o Assertions not allowed

12 E-Auth Tokens
Token type (abbreviation): assurance levels at which it is listed
- Memorized Secret Token (MST): Level 2, Level 3, Level 4
- Preregistered Knowledge Token (PKT): Level 2, Level 3, Level 4
- Look-Up Secret Token (LUST): Level 2, Level 3, Level 4
- Out-of-Band Token (OBT): Level 2, Level 3, Level 4
- Single-Factor (SF) OTP Device (SFOTP): Level 2, Level 3, Level 4
- Single-Factor (SF) Crypto Token (SFCT): Level 2, Level 3, Level 4
- Multi-Factor (MF) Software Crypto Device (MFSCD): Level 3, Level 4
- Multi-Factor (MF) OTP Device (MFOTP): Level 4
- Multi-Factor (MF) Crypto Device (MFCD): Level 4

13 FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors
- Response to Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors
- Secure and reliable forms of personal identification that are:
  o Based on sound criteria to verify an individual employee's identity
  o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  o Rapidly verified electronically
  o Issued only by providers whose reliability has been established by an official accreditation process

14 HSPD 12: Requirements (cont.)
  o Applicable to all government organizations and contractors except identification associated with National Security Systems
  o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems
  o Flexible in selecting the appropriate security level; includes graduated criteria from least secure to most secure
  o Implemented in a manner that protects citizens' privacy

15 PIV Electronically Stored Data
Mandatory:
- PIN (used to prove the identity of the cardholder to the card)
- Cardholder Unique Identifier (CHUID)
- PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
- Two biometric fingerprints (templates)
Optional:
- An asymmetric key pair and corresponding certificate for digital signatures
- An asymmetric key pair and corresponding certificate for key management
- Asymmetric or symmetric card authentication keys for supporting additional physical access applications
- Symmetric key(s) associated with the card management system

16 Graduated Assurance Levels for Identity Authentication
Authentication for Physical and Logical Access. Applicable PIV authentication mechanism by PIV assurance level required by the application/resource:

PIV assurance level | Physical access | Logical access, local workstation environment | Logical access, remote/network system environment
SOME confidence | VIS, CHUID | CHUID | PKI
HIGH confidence | BIO | BIO | PKI
VERY HIGH confidence | BIO-A, PKI | BIO-A, PKI | PKI

17 A Look at Knowledge-Based Authentication
- Many definitions
- Without a registration process, difficult to use for the release of sensitive information
  o A successful impostor will receive information without the user realizing a fraud occurred
  o The user cannot protect private (not secret) information
- May be useful when monetary risks can be evaluated

18 And Biometrics
- Biometrics tie an identity to a human body
- Biometric authentication depends on being sure that you have a fresh, true biometric capture
  o Easy if attended
  o Hard when the bits come from anywhere on the Internet
- Standards still needed
- Many biometric technologies coming to the market

19 Authentication Effectiveness Metrics
- Near term requirements: various authentication methods exist, but there is no clear way to compare and evaluate them for effectiveness
- Long term: build a general framework for evaluating diverse and emerging authentication methods

20 Challenges
- Difficult to quantify authentication effectiveness or authentication assurance
  o Different configurations
  o Many environments
- New methods continue to emerge
- Assessing the effectiveness of one technology is difficult, and today multiple technologies are bound together in solutions

21 Summary
- There is still work to do.
- NIST has established an identity management systems program within the Information Technology Lab
  o Brings together technologies like cryptography, biometrics and smart cards
  o Research and standards in technologies, models, metrics

22 Further Information
- Computer Security Resource Center: http://csrc.nist.gov/
- FIPS 201 and related documents: http://csrc.nist.gov/piv-program/
- Draft Special Publication 800-63-1: http://csrc.nist.gov/publications/drafts/800-63-1/Draft_SP-800-63-1_2008Feb20.pdf
