E-Authentication: What Technologies Are Effective? Donna F Dodson April 21, 2008
Definition Electronic authentication (e-authentication) is the process of establishing confidence in identities electronically presented to an information system.
Authentication A fundamental cyber security service used by most applications and services. First line of defense against cyber attacks. Dates back to user passwords for time- sharing systems. Today, authentication needed for: o Local & Remote environments, o Humans & Devices
Authentication: The Players Claimant - The person, device or application which is claiming to be a particular person, device or application. Typically the claimant supplies a set of credentials with which to be authenticated. Registration Authority – A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. Credential Service Provider - A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. Verifier – An entity that verifies the Claimant’s identity by verifying the Claimant’s possession of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status. Relying Party -An entity that relies upon the Subscriber’s credentials, typically to process a transaction or grant access to information or a system.
Authentication: The Process Identity proofing, registration and the delivery of credentials which bind an identity to a token, Credentials and tokens (typically a cryptographic key or password) for proving identity, Token and Credential Management mechanisms, Authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a Claimant is in fact the Subscriber he or she claims to be, Assertion mechanisms used to communicate the results of an authentication to other parties.
E-Authentication Model
Authentication: Local vs Remote Local Authentication o Verifier control and supervision is comparatively easy Verifier controls entire authentication system Claimant may be supervised or unsupervised Verifier knows claimant’s physical location Little information flow Remote Authentication o Verifier control and supervision is harder Verifier has little control over software or operating platform Claimant is generally unsupervised Network access: verifier knows only that claimant has network access Often motivated for the flow of sensitive information
Authentication Factors Something you know o Typically some kind of password Something you have o For local authentication, typically an ID card o For remote authentication, typically a cryptographic key Something you are o A biometric The more factors, the stronger the authentication.
NIST SP : Electronic Authentication Guideline A NIST Recommendation Companion to OMB e-authentication guidance M04-04 o Federal agencies classify electronic transaction into 4 levels needed for authentication assurance according to the potential consequences of an authentication error Remote authentication of users across open networks using conventional secret token based authentication No knowledge based authentication and little discussion of biometrics
Summary of Four Levels Level 1 o Single factor: often a password o Can’t send password in the clear o Moderate password guessing difficulty requirements Level 2 o Single factor o Requires secure authentication protocol (like TLS) o Fairly strong password guessing difficulty requirements
Summary of Four Levels (cont.) Level 3 o Multi-factors required either a single multi-factor token or multi-token solutions o Must resist eavesdroppers o May be vulnerable to man-in-the-middle attacks Level 4 o Multi-factor hard token o Must resist man-in the middle attacks o Assertions not allowed
E-Auth Tokens Memoriz ed Secret Token Preregist ered Knowled ge Token Look Up Secret Token Out of Band Token SF OTP Device SF Crypto Token MF Software Crypto Device MF OPT Device MF Crypto Device MSTLevel 2 Level 3 Level 4 PKTLevel 2Level 3 Level 4 LUSTLevel 2 Level 3Level 4 OBTLevel 2 Level 3Level 4 SFOTPLevel 2 Level 3Level 4 SFCTLevel 2Level 3Level 4 MFSCDLevel 3Level 4 MFOTPLevel 4 MFCDLevel 4
FIPS 201-1: Personal Identity Verification (PIV) of Federal Employees and Contractors Response to Homeland Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors Secure and reliable forms of personal identification that is: o Based on sound criteria to verify an individual employee’s identity o Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation o Rapidly verified electronically o Issued only by providers whose reliability has been established by an official accreditation process
HSPD 12: Requirements (cont.) o Applicable to all government organizations and contractors except identification associated with National Security Systems o Used for access to Federally-controlled facilities and logical access to Federally-controlled information systems o Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure o Implemented in a manner that protects citizens’ privacy
PIV Electronically Stored Data Mandatory: PIN (used to prove the identity of the cardholder to the card) Cardholder Unique Identifier (CHUID) PIV Authentication Data (asymmetric key pair and corresponding PKI certificate) Two biometric fingerprints (templates) Optional: An asymmetric key pair and corresponding certificate for digital signatures An asymmetric key pair and corresponding certificate for key management Asymmetric or symmetric card authentication keys for supporting additional physical access applications Symmetric key(s) associated with the card management system
Graduated Assurance Levels for Identity Authentication Authentication for Physical and Logical Access PIV Assurance Level Required by Application/Resource Applicable PIV Authentication Mechanism Physical Access Applicable PIV Authentication Mechanism Logical Access Local Workstation Environment Applicable PIV Authentication Mechanism Logical Access Remote/Network System Environment SOME confidenceVIS, CHUIDCHUIDPKI HIGH confidenceBIO PKI VERY HIGH confidenceBIO-A, PKI PKI
A Look at Knowledge Based Authentication Many definitions Without registration process, difficult to use for the release of sensitive information o Successful impostor will receive information without user realizing a fraud occurred o User cannot protect private (not secret) information May be useful when monetary risks can be evaluated
And Biometrics Biometrics tie an identity to a human body Biometric authentication depends on being sure that you have a fresh, true biometric capture o Easy if attended o Hard when bits come from anywhere on the Internet Standards still needed Many biometric technologies coming to the market
Authentication Effectiveness Metrics Near term requirements – various authentication methods exist but no clear way to compare and evaluate then for effectiveness Long term – build a general framework for evaluating diverse and emerging authentication methods
Challenges Difficult to quantify authentication effectiveness or authentication assurance o Different configurations o Many environments New methods continue to emerge Assessing the effectiveness of one technology difficult but today multiple technologies bound in solutions
Summary There is still work to do. NIST has established an identity management systems program within the Information Technology Lab o Brings together technologies like cryptography, biometrics and smart cards o Research and standards in technologies, models, metrics
Further Information Computer Security Resource Center FIPS 201 and related documents Draft Special Publication 1/Draft_SP _2008Feb20.pdf