
2019 | Navigating NIST SP 800-63-3 | Identiverse | Day 1, June 25


Trust. Trust is the most fundamental notion in every one of our business interactions, whatever our needs are: low or high assurance.

Vector of Trust is a promising means to convey it through third parties, and NIST SP 800-63-3 is a fantastic framework for defining your Trust capabilities. But sometimes you may find it difficult to map xAL requirements to real-life evidence and authenticators.

This session should help you with that.
-------------------------------------------------
Did you know that, by the time of Identiverse 2019, NIST SP 800-63-3 will celebrate its second birthday? It is a framework that improved on many points of the previous LoA scale and has gained a lot of maturity thanks to implementers, researchers, and comparisons with other Trust frameworks.
Still, you may find it hard to find your way, whether you are trying to be an IAL2-compliant CSP, to assure a third party that your users are IAL3-proofed or authenticated through an AAL2 authenticator, etc.
Surely you know that you enrolled this user thanks to a photocopied electricity bill and authenticated him/her with an out-of-band single-factor device generating OATH-compliant OTP tokens. Those are real-life examples, but you will have to find out which xAL box they fit in.
This specific situation was raised within IDPro, and we formalized some cheat sheets for you to navigate the inherent difficulties, such as:
• Main differences between levels of assurance;
• Differences and ways to categorize WEAK, FAIR, STRONG, and SUPERIOR real-life identity evidence;
• Differences and ways to categorize real-life authenticators;
• Ways to map NIST xALs to other Trust frameworks' categories.
By attending this session you will get a clearer, simpler, and more actionable picture of NIST SP 800-63-3 that will ease your path on your Vector of Trust journey.



  1. NAVIGATING NIST SP 800-63-3 THANKS TO PRACTICAL xAL CHEAT SHEETS
  2. Navigating NIST SP 800-63-3 Thanks to Practical xAL Cheat Sheets
  3. 14 years of expertise in Data Protection; 40+ projects establishing trusted ecosystems: Strong Authentication, Identity Management, Access Governance, Information Protection. Security specialist @ EXFO, R&D. To keep in touch: https://twitter.com/IdentityMonk, https://ca.linkedin.com/in/jflombardo, https://x-iam.com, or as a member/supporter of:
  4. References for this talk: NIST SP 800-63-3: https://pages.nist.gov/800-63-3/ ; November 2018 IDPro newsletter: https://idpro.org
  5. Trust is ensuring that what one ships is what the other expects.
  6. Usually, we rely on standards as a common language... https://tools.ietf.org/html/rfc6919
  7. Or we use help from peers for better guidance.
  8. To not feel lost at sea when implementing.
  9. At IDPro we also got the questions.
  10. Assurance Level: SP 800-63-3
  11. Assurance Level, SP 800-63-3: Identity (IAL, SP 800-63-3A); Authentication (AAL, SP 800-63-3B); Federation (FAL, SP 800-63-3C).
  12. Identity (IAL, SP 800-63-3A) = strength of proof; Authentication (AAL, SP 800-63-3B) = strength of control; Federation (FAL, SP 800-63-3C) = strength of conveyance.
  13. Each of IAL, AAL and FAL has levels 1, 2 and 3. AAL1: single-factor. AAL2: multi-factor; cryptographic function. AAL3: multi-factor; cryptographic hardware.
  14. Assurance Level, SP 800-63-3: Identity (IAL, SP 800-63-3A) = strength of proof; Authentication (AAL, SP 800-63-3B) = strength of control; Federation (FAL, SP 800-63-3C) = strength of conveyance.
  16. Resolve, Validate, Verify.
  17. Resolve: collection of identity evidence is performed. Validate: trustworthiness of identity evidence is established. Verify: the link between the identity evidence and the claimant is assured.
  18. Resolve / Validate / Verify per IAL.
      IAL1: 0 or more self-asserted attributes can be collected.
      IAL2: evidence is 1x SUPERIOR, or 1x IAL2-STRONG, or 2x STRONG, or 1x STRONG + 2x FAIR; should include biometric enrolment. Validate: use a process matching IV; confirm the Address of Record. Verify (Strong Verify): on site or remote; AoR validation adapted to the situation.
      IAL3: evidence is 2x SUPERIOR, or 1x SUPERIOR + 1x IAL2-STRONG, or 2x STRONG + 1x FAIR; must include biometric enrolment. Validate: use a process matching IV; confirm the Address of Record. Verify (Superior Verify): on site; AoR cannot be self-asserted; AoR validation using OTP.
  20. What makes evidence strong: biometrics; assurance that it has been delivered to me in person with high confidence; security features; KBV; lifetime.
  21. 3 families of identity evidence to help.
  26. Matrix of Trust across frameworks: (USA) NIST SP 800-63-3; (Canada); (Australia) NeAF; (UK) GPG45/RSDOPS; (Norway) FANR; (EU) IDABC, STORK 2.0, eIDAS; (ISO) 29003 / 29115; (USA) M-04-04. Level labels used in the matrix: IAL 1 / AAL 1, AAL 2, IAL 2 / AAL 2, IAL 3 / AAL 3; Low, Substantial, High; LOA 1, LOA 2, LOA 3, LOA 4 (twice); QAA 1, QAA 2, QAA 3, QAA 4; IAL/CAL 1, IAL/CAL 2, IAL/CAL 3, IAL/CAL 4; Lvl 1, Lvl 2, Lvl 3, Lvl 4; Lvl 1, Lvl 2, Lvl 3; Minimal, Low, Moderate, High; 4, 2/3, 1; Substantial, High; Minimal, Low, Moderate, High; Little, Low. References: NIST SP 800-63-3 Section 2, Table 1; "Improving Usability of Password Management with Standardized Password Policies" by Bander AlFayyadh, Per Thorsheim, Audun Jøsang and Henning Klevjer. The Matrix of Trust is given as generalizing guidance; the devil is in the details, use with caution.
  27. Taxonomy proposal as a guide to VoT (*): P = Identity Proofing, C = Credential Usage, M = Credential Management, A = Assertion Presentation; each component carries a level reference of the form .N633 (levels referenced to NIST SP 800-63-3). (*) Reference: https://tools.ietf.org/html/rfc8485
  28. Navigating NIST SP 800-63-3 Thanks to Practical xAL Cheat Sheets
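The IAL cheat sheet on slide 18 is a decision rule: which evidence combinations, plus which process conditions (on-site verification, biometric enrolment, address-of-record confirmation), support IAL2 or IAL3. The following script is an added illustration, not code from the talk or from NIST, that encodes that rule so a CSP can check a proofing record against it. The strength ranking, the STRONG_IAL2 label (STRONG evidence whose issuer proofed at IAL2), and the function names are assumptions of this example; the full SP 800-63A requirements go beyond what the slide summarises.

```python
"""Assess the Identity Assurance Level (IAL) a proofing event can support.

Encodes the evidence combinations and process conditions summarised on the
"Resolve / Validate / Verify" cheat sheet (slide 18). Added illustration: the
STRONG_IAL2 label and the strength ranking below are assumptions, not
NIST-defined identifiers.
"""
from typing import Iterable, List, Tuple

# Assumed ranking: a higher-ranked piece of evidence may fill a lower-ranked slot.
RANK = {"UNACCEPTABLE": 0, "WEAK": 1, "FAIR": 2, "STRONG": 3, "STRONG_IAL2": 4, "SUPERIOR": 5}

# Evidence combinations from the cheat sheet; each tuple is one acceptable option.
IAL_EVIDENCE_OPTIONS = {
    3: [("SUPERIOR", "SUPERIOR"), ("SUPERIOR", "STRONG_IAL2"), ("STRONG", "STRONG", "FAIR")],
    2: [("SUPERIOR",), ("STRONG_IAL2",), ("STRONG", "STRONG"), ("STRONG", "FAIR", "FAIR")],
}


def _ranks(evidence: Iterable[str]) -> List[int]:
    """Normalise labels such as 'strong-ial2' or 'Fair' to their rank; reject unknown ones."""
    ranks = []
    for item in evidence:
        key = item.strip().upper().replace("-", "_").replace(" ", "_")
        if key not in RANK:
            raise ValueError(f"unknown evidence strength: {item!r}")
        ranks.append(RANK[key])
    return ranks


def _satisfies(ranks: List[int], option: Tuple[str, ...]) -> bool:
    """Match distinct pieces of evidence to the option's slots.

    Sorting both sides descending and comparing pairwise is sufficient: if any
    assignment of pieces to slots works, the sorted assignment works too.
    """
    need = sorted((RANK[s] for s in option), reverse=True)
    have = sorted(ranks, reverse=True)
    return len(have) >= len(need) and all(h >= n for h, n in zip(have, need))


def highest_ial_from_evidence(evidence: Iterable[str]) -> int:
    """Highest IAL the collected evidence alone can support (process checks aside)."""
    ranks = _ranks(evidence)
    for level in (3, 2):
        if any(_satisfies(ranks, opt) for opt in IAL_EVIDENCE_OPTIONS[level]):
            return level
    return 1  # IAL1: zero or more self-asserted attributes, no evidence required


def assess_ial(evidence: Iterable[str], *, on_site: bool, biometric_enrolled: bool,
               address_confirmed: bool) -> Tuple[int, List[str]]:
    """Combine the evidence rule with the slide's Validate/Verify process conditions.

    Returns the IAL actually achieved and the reasons for any downgrade.
    """
    level = highest_ial_from_evidence(evidence)
    notes: List[str] = []
    if level == 3:
        missing = []
        if not on_site:
            missing.append("verification must be on site")
        if not biometric_enrolled:
            missing.append("biometric enrolment is mandatory")
        if not address_confirmed:
            missing.append("address of record cannot be self-asserted")
        if missing:
            notes.append("IAL3 not met (" + "; ".join(missing) + "); evaluating at IAL2")
            level = 2
    if level == 2:
        if not address_confirmed:
            notes.append("IAL2 not met (address of record must be confirmed); falling back to IAL1")
            level = 1
        elif not biometric_enrolled:
            notes.append("IAL2 met; biometric enrolment is recommended but absent")
    return level, notes


if __name__ == "__main__":
    # Constructed sample: the abstract's photocopied electricity bill is at best FAIR
    # evidence, so on its own it supports no more than IAL1.
    print(assess_ial(["FAIR"], on_site=False, biometric_enrolled=False, address_confirmed=True))
    # Constructed sample: two SUPERIOR documents, but a remote session, stays at IAL2.
    print(assess_ial(["SUPERIOR", "SUPERIOR"], on_site=False, biometric_enrolled=True,
                     address_confirmed=True))
```

The evidence matcher is deliberately permissive upward (SUPERIOR may stand in for a STRONG slot) and strict about counts: two pieces of evidence never satisfy a three-slot option, and the IAL2 "1x STRONG + 2x FAIR" option needs three distinct documents, so a single STRONG plus a single FAIR correctly drops to IAL1. The process flags carry the part of the cheat sheet that evidence counting cannot express.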
