Levels of Assurance in Authentication Tim Polk April 24, 2007.

Presentation transcript:

Credits
Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation
–Neither would be possible without them!

Why Levels of Assurance?
Security Commensurate with Need
One Size Does Not Fit All!

Overview
A Cautionary Tale: FIPS 112
Current Events
–OMB Memorandum
–SP 800-63
–The response to SP 800-63
Things To Look Forward To…

FIPS 112, Password Usage
Published May 1985
Established 10 factors and baseline criteria
–Factor #1 was length range, and the baseline was four characters
Included three example systems:
–Password systems for {Low, Medium, High} protection requirements

Why A Cautionary Tale?
Agencies gravitated to the three example systems
–They were intended only as examples
Agencies continued using them long after their time had passed
–Moderate protection was 4-8 characters (uppercase, lowercase, digits)
Prescriptive standards are easy to use, but don't always lead to the best security

Current Events
OMB Memorandum
SP 800-63: Entity Authentication
Agency & Industry Feedback

OMB Memorandum
E-Authentication Guidance for Federal Agencies (12/16/2003)
–Agencies classify electronic transactions into four levels of authentication assurance according to the potential consequences of an authentication error
–NIST develops complementary technical authentication guidance to help agencies identify appropriate technologies
–Agencies required to begin implementation within 90 days after NIST issues its guidance

SP 800-63
Scope: technical authentication framework for secret-based remote authentication (06/2004)
–token types
–registration & identity proofing
–authentication protocols

The Players
Token: a secret, or a device that holds a secret, used in a remote authentication protocol
Credential Service Provider (CSP): a trusted authority that issues identity or attribute tokens
Subscriber: a party whose identity or name (and possibly other attributes) is known to some authority
Registration Authority (RA): registers a person with some CSP
Claimant: a party whose identity is to be verified using an authentication protocol
Relying Party: relies on the claimant's identity or attributes
Verifier: verifies the claimant's identity

Level 1 Authentication
Single factor: typically a password
Can't send the password in the clear
–May still be vulnerable to eavesdroppers (no requirement to block offline attacks on a recorded exchange)
Moderate password guessing difficulty requirements

Level 2 Authentication
Single factor: typically a password
–Must block eavesdroppers (e.g., password tunneled through TLS)
–Fairly strong password guessing difficulty requirements
–May fall to man-in-the-middle, social engineering & phishing attacks
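The Level 1 / Level 2 distinction above turns on what an eavesdropper can do with a recorded exchange. The following added example (not part of the slides or of SP 800-63; the protocol, names and wordlist are constructed for illustration) contrasts a hypothetical Level 1 style challenge-response, where the password never crosses the wire but a captured transcript can be attacked offline with no rate limit, against a Level 2 style design where the password travels only inside a TLS tunnel (modelled as a direct call) and every guess must go through a verifier that can lock the account.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Level 1 style (hypothetical protocol, not from SP 800-63): the claimant never
# sends the password itself, only HMAC(password, challenge). An eavesdropper
# who records one exchange can still test candidate passwords offline.


def claimant_response(password: str, challenge: bytes) -> bytes:
    """Claimant proves knowledge of the password without transmitting it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def verifier_check(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Verifier recomputes the expected response from its stored password."""
    expected = claimant_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password: str) -> Tuple[bytes, bytes]:
    """One honest login; returns the (challenge, response) pair seen on the wire."""
    challenge = os.urandom(16)
    response = claimant_response(password, challenge)
    if not verifier_check(password, challenge, response):
        raise RuntimeError("honest exchange should verify")
    return challenge, response


def offline_guess(transcript: Tuple[bytes, bytes], wordlist: List[str]) -> Optional[str]:
    """Eavesdropper: test each candidate against the recorded transcript.
    Nothing is sent to the verifier, so no lockout or rate limit applies."""
    challenge, response = transcript
    for candidate in wordlist:
        if hmac.compare_digest(claimant_response(candidate, challenge), response):
            return candidate
    return None


class TunneledVerifier:
    """Level 2 style: the password travels inside a server-authenticated TLS
    tunnel (modelled here as a direct call; the eavesdropper sees only
    ciphertext). Every guess must now go through the verifier, which can throttle."""

    def __init__(self, password: str, max_failures: int = 3):
        self._password = password
        self._failures = 0
        self.max_failures = max_failures

    def login(self, candidate: str) -> bool:
        if self._failures >= self.max_failures:
            return False  # account locked: further online guesses are rejected
        if hmac.compare_digest(self._password.encode(), candidate.encode()):
            self._failures = 0
            return True
        self._failures += 1
        return False


def online_guess(verifier: TunneledVerifier, wordlist: List[str]) -> Optional[str]:
    """Attacker with no usable transcript must guess online, one login at a time."""
    for candidate in wordlist:
        if verifier.login(candidate):
            return candidate
    return None


# Constructed sample dictionary; the weak password sits past the lockout limit.
WORDLIST = ["password", "letmein", "qwerty1", "baseball", "Summer07"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Same weak password under both designs: (recovered offline, recovered online)."""
    recovered_offline = offline_guess(run_exchange("Summer07"), WORDLIST)
    recovered_online = online_guess(TunneledVerifier("Summer07"), WORDLIST)
    return recovered_offline, recovered_online


if __name__ == "__main__":
    print(demo())
```

The offline attacker recovers "Summer07" from a single recorded exchange; the online attacker is locked out after three failures and never reaches it. This is why Level 2 can accept a password as the only factor yet still demand that the protocol block eavesdroppers, and why Level 1 compensates with nothing more than a guessing-difficulty requirement.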

Level 3 Authentication
2 factors, typically a key encrypted under a password (soft token)
Must resist eavesdroppers
May be vulnerable to man-in-the-middle attacks (e.g., phishing & decoy websites), but must not divulge the authentication key

Level 4 Authentication
2 factors: "hard token" unlocked by a password or biometric
Must resist eavesdroppers
Must resist man-in-the-middle attacks
Critical data transfers must be authenticated with a key bound to the authentication
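The Level 3 and Level 4 slides draw a line between a token whose key survives a man-in-the-middle and a protocol that defeats the man-in-the-middle outright. The added example below (not from the slides or SP 800-63; the protocol, host names and decoy name are constructed) models a soft-token proof of possession as an HMAC over the verifier's nonce. A decoy site relaying nonces hijacks the session in the unbound design yet never learns the key, which is the Level 3 property. Binding the proof to the identity of the party the claimant believes it is talking to makes the relayed proof fail at the real verifier, standing in for the Level 4 requirement that critical data be authenticated with a key bound to the authentication; real Level 4 designs bind to the protected channel itself, and the password unwrapping of the soft token is left out.

```python
import hashlib
import hmac
import os
from typing import Dict

# Hypothetical soft-token protocol (not from SP 800-63): the claimant holds a
# symmetric authentication key and answers the verifier's nonce with an HMAC.
# In a real soft token the key would be stored encrypted under a password; the
# unwrapping step is omitted since the threat shown here is on the protocol.
TOKEN_KEY = os.urandom(32)


def sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


class Verifier:
    def __init__(self, identity: str, key: bytes):
        self.identity = identity  # name the claimant should see, e.g. a host name
        self._key = key

    def challenge(self) -> bytes:
        return os.urandom(16)

    def check_unbound(self, nonce: bytes, proof: bytes) -> bool:
        """Level 3 style: the proof covers only the nonce."""
        return hmac.compare_digest(sign(self._key, nonce), proof)

    def check_bound(self, nonce: bytes, proof: bytes) -> bool:
        """Level 4 style: the proof also covers the verifier's own identity."""
        return hmac.compare_digest(sign(self._key, nonce + self.identity.encode()), proof)


class Claimant:
    def __init__(self, key: bytes):
        self._key = key

    def prove_unbound(self, nonce: bytes) -> bytes:
        return sign(self._key, nonce)

    def prove_bound(self, nonce: bytes, peer_identity: str) -> bytes:
        """The claimant binds its proof to whoever it believes it is talking to."""
        return sign(self._key, nonce + peer_identity.encode())


def honest_login(bound: bool) -> bool:
    """Claimant talks directly to the real verifier; both designs accept."""
    real = Verifier("bank.example", TOKEN_KEY)
    claimant = Claimant(TOKEN_KEY)
    nonce = real.challenge()
    if bound:
        return real.check_bound(nonce, claimant.prove_bound(nonce, real.identity))
    return real.check_unbound(nonce, claimant.prove_unbound(nonce))


def decoy_site_relay(bound: bool) -> Dict[str, bool]:
    """A phishing/decoy site sits between claimant and real verifier: it fetches
    a fresh nonce from the real verifier, hands it to the claimant, and forwards
    the answer. Reports whether the session was hijacked and whether the
    captured proof lets the attacker answer a later challenge on its own."""
    real = Verifier("bank.example", TOKEN_KEY)
    claimant = Claimant(TOKEN_KEY)
    decoy_identity = "bank-example.attacker.test"  # constructed decoy host name

    nonce = real.challenge()
    if bound:
        proof = claimant.prove_bound(nonce, decoy_identity)  # user sees the decoy
        hijacked = real.check_bound(nonce, proof)
    else:
        proof = claimant.prove_unbound(nonce)
        hijacked = real.check_unbound(nonce, proof)

    # The attacker holds only (nonce, proof), never TOKEN_KEY. Replaying the
    # captured proof against a fresh nonce fails in both designs: the key is
    # not divulged even when the session is.
    later = real.challenge()
    check = real.check_bound if bound else real.check_unbound
    return {"session_hijacked": hijacked, "later_challenge_answered": check(later, proof)}


if __name__ == "__main__":
    print("Level 3 style:", decoy_site_relay(bound=False))
    print("Level 4 style:", decoy_site_relay(bound=True))
```

In the unbound run the decoy logs in as the user for that one session but cannot answer the next challenge, matching "may be vulnerable to man-in-the-middle attacks, but must not divulge the authentication key". In the bound run the claimant signs over the decoy's name, so the real verifier rejects the relayed proof and the session is never established.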

Tokens
Passwords
Soft Cryptographic Tokens
One-Time Password Devices
Hard Cryptographic Tokens

The Response
It's Fantastic
–Finally, a basis to compare mechanisms!
It's Too Prescriptive
–What about bingo cards?
–What about remote biometrics?
–What about knowledge based authentication?
–What about combinations of tokens?

Things To Look Forward To…
SP 800-63 Part 1 (Secret Based Authentication)
–Goal is distribution for public comment 3Q FY2007
SP 800-63 Part 2 (KBA)
–Goal is distribution for public comment 3Q FY2007
Research in remote biometrics

SP 800-63 Part 1: Electronic Authentication Guideline
Features more flexibility - and complexity
–More classes of tokens, including bingo cards
–Tokens in combination, e.g., a memorized secret with a simple OTP
–More support for assertions
–More comprehensive life cycle coverage

SP 800-63 Part 2: Knowledge Based Authentication (KBA)
The electronic process of establishing confidence in a user's identity by verifying personal attributes presented to an information system.
The KBA process consists of 2 parts: verifying that the claimed identity actually exists, and verifying that the user is entitled to that identity.

Questions?
/SP800-63V1_0_2.pdf