
Levels of Assurance in Authentication Tim Polk April 24, 2007.


1 Levels of Assurance in Authentication Tim Polk April 24, 2007

2 Credits
Bill Burr and Donna Dodson co-authored SP 800-63 and contributed much of the content in this presentation
– Neither would be possible without them!

3 Why Levels of Assurance?
Security Commensurate with Need
One Size Does Not Fit All!

4 Overview
A Cautionary Tale: FIPS 112
Current Events
– OMB Memorandum 04-04
– SP 800-63
– The response to 800-63
Things To Look Forward To…

5 FIPS 112, Password Usage
Published May 1985
Established 10 factors and baseline criteria
– Factor #1 was length range, and the baseline was four
Included three example systems:
– Password system for {Low, Medium, High} protection requirements

6 Why A Cautionary Tale?
Agencies gravitated to the three example systems
– They were intended as examples
Agencies continued using them long after their time had passed
– Moderate protection was 4-8 characters (uppercase, lowercase, digits)
Prescriptive standards are easy to use, but don’t always lead to the best security

7 Current Events
OMB Memorandum 04-04
SP 800-63: Entity Authentication
Agency & Industry Feedback

8 OMB Memorandum 04-04
E-Authentication Guidance for Federal Agencies (12/16/2003)
– Agencies classify electronic transactions into four levels of authentication assurance according to the potential consequences of an authentication error
– NIST develops complementary authentication technical guidance to help agencies identify appropriate technologies
– Agencies required to begin implementation within 90 days after NIST issues guidance

9 SP 800-63
Scope: technical authentication framework for secret-based remote authentication (06/2004)
– token types
– registration & identity proofing
– authentication protocols

10 The Players
Token: a secret, or something that holds a secret, used in a remote authentication protocol
Credential Service Provider (CSP): a trusted authority who issues identity or attribute tokens
Subscriber: a party whose identity or name (and possibly other attributes) is known to some authority
Registration Authority (RA): registers a person with some CSP
Relying party: relies on the claimant’s identity or attributes
Verifier: verifies the claimant’s identity

11 Level 1 Authentication
Single factor: typically a password
Can’t send password in the clear
– May still be vulnerable to eavesdroppers
Moderate password guessing difficulty requirements

12 Level 2 Authentication
Single factor: typically a password
– Must block eavesdroppers (e.g., password tunneled through TLS)
– Fairly strong password guessing difficulty requirements
– May fall to man-in-the-middle attacks, social engineering & phishing attacks
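To make the "moderate" versus "fairly strong" password guessing requirement of Levels 1 and 2 concrete, here is an added worked example (the editor's illustration, not code from the presentation or from NIST). It assumes the two thresholds this editor recalls from Appendix A of SP 800-63 v1.0.2 (success chance below 1 in 1,024 for Level 1 and below 1 in 16,384 for Level 2 over the life of the password), that the entropy estimate in bits is supplied by the caller, and that the attacker is limited only by the verifier's lockout policy; the policies in the sample runs are constructed.

```python
"""
Online password-guessing risk check for the Level 1 / Level 2 requirements.

Editor's added example; not code from the presentation or from NIST.
Assumptions (verify against SP 800-63 v1.0.2, Appendix A, before relying on them):
  - Level 1 target: probability of a successful targeted online guessing attack
    over the life of the password below 2**-10 (1 in 1,024).
  - Level 2 target: below 2**-14 (1 in 16,384).
  - The attacker has no prior knowledge of the password and is limited only by the
    verifier's throttling policy (N failed attempts per rolling window).
  - The entropy estimate (in bits) is supplied by the caller.
"""
from math import ceil

LEVEL_TARGETS = {1: 2 ** -10, 2: 2 ** -14}


def guess_budget(lifetime_days, window_days, failures_per_window):
    """Most guesses an attacker can make before the password expires, given a
    throttling policy of `failures_per_window` failed attempts per window."""
    return ceil(lifetime_days / window_days) * failures_per_window


def success_probability(entropy_bits, guesses):
    """Chance that `guesses` distinct tries hit one of 2**entropy_bits
    equally likely passwords (capped at 1)."""
    return min(1.0, guesses / 2 ** entropy_bits)


def highest_level_met(entropy_bits, lifetime_days, window_days, failures_per_window):
    """Return (level, probability): the highest assurance level whose guessing
    target the policy satisfies, or 0 if it meets neither."""
    budget = guess_budget(lifetime_days, window_days, failures_per_window)
    p = success_probability(entropy_bits, budget)
    level = 0
    for lvl, target in sorted(LEVEL_TARGETS.items()):
        if p < target:
            level = lvl
    return level, p


if __name__ == "__main__":
    # Constructed policies for illustration.
    scenarios = [
        # FIPS 112-style 4-character minimum, no throttling: about 24 bits if the
        # characters were random, but the verifier allows ~10 million tries/day.
        ("4-char random alnum, unthrottled", 24, 90, 1, 10_000_000),
        # Same entropy, but lock the account after 100 failures per 30 days.
        ("4-char random alnum, throttled", 24, 90, 30, 100),
        # An assumed, rough 10-bit estimate for a short user-chosen password.
        ("short user-chosen password, throttled", 10, 90, 30, 100),
    ]
    for name, bits, life, window, fails in scenarios:
        level, p = highest_level_met(bits, life, window, fails)
        print(f"{name}: P(success) = {p:.2e}, highest level met = {level}")
```

The point of the three runs is that the verifier's throttling policy, not the character rules alone, decides whether a password mechanism meets a level: the same 24-bit password fails outright when guesses are unlimited and satisfies the Level 2 target when failures are capped, while a short user-chosen password meets neither target even with throttling.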

13 Level 3 Authentication
2 factors, typically a key encrypted under a password (soft token)
Must resist eavesdroppers
May be vulnerable to man-in-the-middle attacks (e.g., phishing & decoy websites), but must not divulge authentication key

14 Level 4 Authentication
2 factors: “hard token” unlocked by a password or biometric
Must resist eavesdroppers
Must resist man-in-the-middle attacks
Critical data transfer must be authenticated with a key bound to authentication
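The man-in-the-middle distinction between Level 3 and Level 4 on the two slides above, worked through as an added example (the editor's illustration, not code from the presentation or from SP 800-63). It models the token secret as an HMAC key standing in for a soft token's password-encrypted key or a hard token's private key, models the "verifier identity" a Level 4 response binds as a hash of the server certificate the claimant actually connected to, and uses constructed identifiers and payloads throughout.

```python
"""
Challenge-response walk-through of why Level 3 and Level 4 differ under a
man-in-the-middle (decoy web site) attack.

Editor's added example; not code from the presentation or from SP 800-63.
Assumptions: the token secret is modelled as an HMAC key standing in for a
soft token's password-encrypted key or a hard token's private key; the
"verifier identity" a Level 4 response binds is modelled as a hash of the
server certificate the claimant actually connected to; all values below are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed identities: the real verifier and the phisher's decoy site.
REAL_VERIFIER_ID = hashlib.sha256(b"real-verifier-cert").digest()
DECOY_SITE_ID = hashlib.sha256(b"decoy-site-cert").digest()


# --- Level 3 style: the token proves possession by keying a MAC over the nonce.
def l3_response(token_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(token_key, nonce, hashlib.sha256).digest()


def l3_verify(token_key: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(l3_response(token_key, nonce), response)


# --- Level 4 style: the response also covers the identity of the party the
# claimant is talking to, and a per-session key is derived for later data.
def l4_response(token_key: bytes, nonce: bytes, verifier_id: bytes) -> bytes:
    return hmac.new(token_key, nonce + verifier_id, hashlib.sha256).digest()


def l4_verify(token_key: bytes, nonce: bytes, verifier_id: bytes, response: bytes) -> bool:
    return hmac.compare_digest(l4_response(token_key, nonce, verifier_id), response)


def session_key(token_key: bytes, nonce: bytes, verifier_id: bytes) -> bytes:
    """Key bound to this authentication run; critical data is MACed under it."""
    return hmac.new(token_key, b"session|" + nonce + verifier_id, hashlib.sha256).digest()


def data_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def legitimate_run(level: int) -> bool:
    """Claimant talks directly to the real verifier; both levels succeed."""
    token_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    if level == 3:
        return l3_verify(token_key, nonce, l3_response(token_key, nonce))
    resp = l4_response(token_key, nonce, REAL_VERIFIER_ID)
    return l4_verify(token_key, nonce, REAL_VERIFIER_ID, resp)


def relay_attack(level: int) -> dict:
    """Phisher opens a session with the real verifier, relays its nonce to the
    claimant through a decoy site, and forwards whatever the claimant returns.
    In neither level does the attacker ever see token_key: only the nonce and
    a MAC over it cross the wire, which is the "must not divulge the key" property."""
    token_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)                      # real verifier's challenge, relayed
    payload = b"transfer 1000000 to attacker"
    if level == 3:
        resp = l3_response(token_key, nonce)             # claimant answers the relayed nonce
        accepted = l3_verify(token_key, nonce, resp)     # relay succeeds
        data_accepted = accepted                         # hijacked session, no data binding
    else:
        # Claimant binds the response to the site it is actually connected to.
        resp = l4_response(token_key, nonce, DECOY_SITE_ID)
        accepted = l4_verify(token_key, nonce, REAL_VERIFIER_ID, resp)
        # Even if the relay had passed, the attacker cannot derive the session
        # key; its best effort is a tag under a key it made up.
        forged = data_tag(secrets.token_bytes(32), payload)
        genuine = data_tag(session_key(token_key, nonce, REAL_VERIFIER_ID), payload)
        data_accepted = accepted and hmac.compare_digest(genuine, forged)
    return {"verifier_accepted": accepted, "attacker_data_accepted": data_accepted}


if __name__ == "__main__":
    for lvl in (3, 4):
        print(f"Level {lvl}: legitimate={legitimate_run(lvl)}, relay={relay_attack(lvl)}")
```

Run stand-alone, the Level 3 relay is accepted by the verifier and the phisher's payload rides on the hijacked session, whereas the Level 4 response fails verification because it was computed over the decoy's identity, and even a successful relay would leave the attacker without the session key needed to authenticate critical data.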

15 Tokens
Passwords
Soft Cryptographic Tokens
One Time Password Devices
Hard Cryptographic Tokens

16 The Response
It’s Fantastic
– Finally, a basis to compare mechanisms!
It’s Too Prescriptive
– What about bingo cards?
– What about remote biometrics?
– What about knowledge based authentication?
– What about combinations of tokens?

17 Things To Look Forward To…
SP 800-63 Part 1 (Secret Based Authentication)
– Goal is distribution for public comment 3Q FY2007
SP 800-63 Part 2 (KBA)
– Goal is distribution for public comment 3Q FY2007
Research in remote biometrics

18 SP 800-63 Part 1: Electronic Authentication Guideline
Features more flexibility - and complexity
– More classes of tokens, including bingo cards
– Tokens in combination, e.g., memorized secret with simple OTP
– More support for assertions
– More comprehensive life cycle

19 SP 800-63 Part 2: KBA
The electronic process of establishing confidence in a user’s identity by verifying personal attributes presented to an information system.
The KBA process consists of 2 parts: verifying that the identity actually exists, and verifying that the user is entitled to that identity.

20 Questions?
http://csrc.nist.gov
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
tim.polk@nist.gov




