SlideShare a Scribd company logo

Twg 04-04

Hai Nguyen
Hai Nguyen

The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive functioning. Exercise causes chemical changes in the brain that may help protect against developing mental illness and improve symptoms for those who already have a condition.

Technology
1 of 34
Download to read offline
NIST E-Authentication Guidance SP 800-63 NIST E-Authentication Guidance SP 800-63 Federal PKI TWG Feb. 18, 2004 Bill Burr william.burr@nist.gov
NIST E-Authentication Tech Guidance OMB Guidance to agencies on E-Authentication — OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 16, 2003 • http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf — About identity authentication, not authorization or access control NIST SP800-63: Recommendation for Electronic Authentication — Companion to OMB e-Authentication guidance — Draft for comment at: http://csrc.nist.gov/eauth — Comment period ends: March 15 — Covers conventional token based remote authentication • Does not cover Knowledge Based Authentication
Assurance Levels OMB guidance defines 4 assurance levels — Level 1 little or no confidence in asserted identity’s validity — Level 2: Some confidence in asserted identity’s validity — Level 3: High confidence in asserted identity's validity — Level 4: Very high confidence in asserted identity’s validity Needed assurance level determined for each type of transaction by the risks and consequences of authentication error with respect to: — Inconvenience, distress & damage to reputation — Financial loss — Harm to agency programs or reputation — Civil or criminal violations — Personal safety
E-Auth Guidance Process Risk assessment — Potential impacts — likelihood Map risks to assurance level — profile Select technology — NIST Technical E-Authentication Guidance, SP800-63 Validate implemented system Periodically reassess
Max. Potential Impacts Profiles Assurance Level Impact Profiles 1 2 3 4 Inconvenience, distress, reputation Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency prog. or pub. interests N/A Low Mod High Unauth. release of sensitive info N/A Low Mod High Personal safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High Potential Impact Categories for Authentication Errors
Technical Guidance Constraints Technology neutral (if possible) — Required (if practical) by e-Sign, Paperwork Elimination and other laws — Premature to take sides in web services wars — Difficult: many technologies, apples and oranges comparisons Practical with COTS technology — To serve public must take advantage of existing solutions and relationships Only for remote network authentication — Not in person, therefore not about biometrics Only about identity authentication — Not about attributes, authorization, or access control • This is inherited from OMB guidance — Agency owns application & makes access control decisions
Personal Authentication Factors Something you know — A password Something you have: a token — for remote authentication typically a key • Soft token: a copy on a disk drive • Hard token: in a special hardware cryptographic device Something you are — A biometric • But biometrics don’t work well in remote authentication protocols, because you can’t keep a biometric secret
Remote Authentication Protocols Conventional, secure, remote authentication protocols all depend on proving possession of some secret “token” — May result in a shared cryptographic session key, even when token is a only password Remote authentication protocols assume that you can keep a secret — Private key — Symmetric key — Password Can be “secure” against defined attacks if you keep the secret — Amount of work required in attack is known • Make the amount of work impractical — Hard for people to remember passwords that are “strong” enough to make the attack impractical
Multifactor Remote Authentication The more factors, the stronger the authentication Multifactor remote authentication typically relies on a cryptographic key — Key is protected by a password or a biometric — To activate the key or complete the authentication, you need to know the password, or poses the biometric — Works best when the key is held in a hardware device (a “hard token”) • Ideally a biometric reader is built into the token, or a password is entered directly into token
E-Authentication Model A claimant proves his/her identity to a verifier by proving possession of a token, often in conjunction with electronic credentials that bind the identity and the token. The verifier may then inform a relying party of the claimant’s identity with an assertion. The claimant got his/her token and credentials from a Credentials Service Provider (CSP), after proving his identity to a Registration Authority (RA). The roles of the verifier, relying party, CSP and RA may be variously combined in one or more entities. — Claimant: Wants to prove his or her identity — Electronic credentials: Bind an identity or attribute to a token or something associated with a claimant — Token: Secret used in an authentication protocol — Verifier: verifies the claimant’s identity by proof of possession of a token — Relying party: Relies on an identity — Assertion: Passes information about a claimant from a verifier to a relying party — Credentials Service Provider (CSP): Issues electronic credentials and registers or issues tokens — Registration Authority (RA): Identity proofs the subscriber
Tokens Hard token — Cryptographic key in a hardware device — FIPS 140 level 2, with level 3 physical security — Key is unlocked by password or biometrics Soft token — Cryptographic key encrypted under password — FIPS 140 Level 1 or higher crypto module One-time password device (1TPD) — Symmetric key in a hardware device with display - FIPS 140 level 1 — Generates password from key plus time or counter — User typically inputs password through browser Zero Knowledge Password — Strong password used with special “zero knowledge” protocol Password — Password or PIN with conventional protocol
Token Type by Level Allowed Token Types 1 2 3 4 Hard crypto token √ √ √ √ Soft crypto token √ √ √ Zero knowledge password √ √ √ One-time Password Device √ √ √ Strong password √ √ PIN √ Assurance Level
Protections by Level 3 Protection Against Soft/ZKP 1TPD Eavesdropper √ √ √ √ Replay √ √ √ √ √ On-line guessing √ √ √ √ √ Verifier Impersonation √ √ √ Man-in-the-middle √ * √ Session Hijacking √ √ 41 2 Assurance Level * Protection for shared secret only
Auth. Protocol Type by Level Authentication Protocol Types 1 2 3 4 Private key PoP √ √ √ √ Symmetric key PoP √ √ √ √ Zero knowledge password √ √ √ Tunneled password √ √ Challenge-reply password √ Assurance Level
ID Proofing Level 1 — Self assertion, minimal records Level 2 — On-line, more or less instant gratification may be possible •Close the loop by mail, phone or (possibly) e-mail Level 3 — in-person registration not required •Close the loop by mail or phone Level 4 — In person proofing •Record a biometric Can later prove who got the token — Consistent with FICC Common Certificate Policy
Passwords Password is a secret character string you commit to memory. — Secret and memory are the key words here • As a practical matter we often do write our passwords down A password is really a (weak) key — People can’t remember good keys We all live in Password Hell – too many passwords — And they try to make us change them all the time In E-auth we’re only concerned with on-line authentication — Assume that the verifier is secure and can impose rules to detect or limit attacks What is the “strength” of a password?
Attacks on Passwords In-band —Attacker repeatedly tries passwords until he is successful • guessing, dictionary, or brute force exhaustion —Can’t entirely prevent these attacks • can ensure they don’t succeed very often Out of band – everything else —Eavesdropper —Man-in-the-middle —Shoulder surfing —Social engineering
Password Strength Over the life of the password the probability of an attacker with no a priori knowledge of the password finding a given user’s password by an in-band attack shall not exceed — one in 216 (1/65,563) for Level 2 — one in 211 (1/2048) for Level 1 Strength is function of both password entropy, the system and how it limits or throttles in-band guessing attacks Many ways to limit password guessing attack — 3-strikes and reset password, hang up on bad login attempt… — Limited password life, but… — Note that there is not necessarily a time limit — Many things are trade-offs with help desk costs
Password Entropy Entropy of a password is roughly speaking, the uncertainty an attacker has in his knowledge of the password, that is how hard it is to guess it. Easy to compute entropy of random passwords We typically state entropy in bits. A random 32-bit number has 232 values and 32-bits of entropy A password of length l selected at random from the keyboard set of 94 printable (nonblank) characters has 94l values and about 6.55× l bits of entropy. ∑ ==−= x xXPxXPXH )(log)(:)( 2
Password Entropy Entropy is measure of randomness in a password — Stated in bits: a password with 24 bits of entropy is as hard to guess as a 24 bit random number — The more entropy required in the password, the more trials the system can allow It’s easy to calculate the entropy of a system generated random password — But users can’t remember these Much harder to estimate the entropy of user chosen passwords — Composition rules and dictionary rules may increase entropy — NIST estimates of password entropy
Shannon’s Estimate of Entropy Shannon used 26 English letters plus space —Left to their own devices user will choose only lower case letters. Shannon’s method involves knowing the i-1 first letters of a string of English text; how well can we guess the ith letter? Entropy per character decreases for longer strings —1 character 4.7 bits/character —≤ 8 characters 2.3 bits per character —order of 1 bit/char for very long strings
Use Shannon as Estimate Shannonn gives us an estimate of the number of bits needed to represent ordinary English text — Seems intuitive that if it takes n bits to represent a text string, that is related to how hard it is to guess the string It should be as hard to guess or compress passwords as ordinary English text — Users are supposed to pick passwords that don’t look like ordinary English, to make them harder to guess • But, of course, users want to remember passwords — Attacker won’t have a perfect dictionary or learn much by each unsuccessful trial — Surely, the only long passwords that are easy to remember are based on phrases of text that make sense to the person selecting the password Give “bonuses” for composition rules and dictionary
Very Rough Password Entropy Estimate 0 10 20 30 40 50 60 0 10 20 30 password length in characters bitsorequivelententropy no rules composition dictionary both
PKI & E-Auth PKI solutions widely available — Can use TLS with client certs. for levels 3 & 4 May be the predominant solution for levels 3 & 4 in gov. — Federal Identity Credentialing Committee — Common Credential and Federal Identity Card • Common certificate policy and shared service providers • Gov. Smart Card Interoperability Standard (GSC-IS) Fed. Bridge CA and Fed. Policy Authority are PKI vehicle Non-PKI level 3 & 4 solutions — One-time password devices in common use – can meet level 3 • Cell phones could be a good 1TPD platform — Zero knowledge passwords for level 3 – not widely implemented — Level 4 could be done with symmetric key tokens
PKI & E-Auth PKI solutions widely available — Can use TLS with client certs. for levels 3 & 4 May be the predominant solution for levels 3 & 4 in gov. — Federal Identity Credentialing Committee — Common Credential and Federal Identity Card • Common certificate policy and shared service providers • Gov. Smart Card Interoperability Standard (GSC-IS) Fed. Bridge CA and Fed. Policy Authority are PKI vehicle Non-PKI level 3 & 4 solutions — One-time password devices in common use – can meet level 3 • Cell phones could be a good 1TPD platform — Zero knowledge passwords for level 3 – not widely implemented — Level 4 could be done with symmetric key tokens
Federal Employee Credentials Employees & affiliates Primarily levels 3 & 4 — Most will eventually be hard token (CAC card) — Near term a lot will be soft token PKI based — New agency PKIs will be use shared service provider CAs • Common certificate policy framework — Legacy agency operated PKIs will be around for a while — Bridge CA will remain for policy mapping • Legacy agency operated PKIs • States & local government, business, foreign, etc. • Commerce & citizen class
Fed. User Certificate Fed. User Certificate FPKI Architecture FBCA Certificate Policy Bridge Certification Authority Agencies (Legacy agency CA policy) States Foreign Entities Financial Institution Business Utility Private Sector C4 Certification Authority Common Policy Certification Authority E-Auth. Common Policy (Common Policy Root included in browser list of CAs) E-Governance Certification Authorities Assurance Level 1 Assurance Level 2 SSP1 SSP2 SSP3 Other Bridges ACES Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Shared Service Provider CAs Common Policy Agency User Certs. (Mutual authentication of SAML/SSL Certificates only) Citizen &Commerce Class Certificate Policy (Agencies buy certificate services from SSPs under Common Policy)
Common Policy Framework Applies to Federal Employees, Affiliates (e.g., guest researchers), & Devices (e.g., servers) Three policies — Two user policies •FIPS 140 Level 2 Hardware Cryptomodule Meets e_Auth assurance level 4 •FIPS 140 Level 1 Software Cryptomodule Meets e-Auth assurance level 3 — One device policy (Level 1 Cryptomodule) Assurance comparable to FBCA Medium — More detailed Identity Proofing requirements — Transition strategy to 2048 bit RSA, SHA-256
Identity Proofing of Fed. Applicants A priori request from management required Employees’ employment verified through use of “official agency records” In-person identity proofing — Credentials verified for legitimacy — Biometric recorded for nonrepudiation Trusted Agent may perform proofing — RA still verifies credentials
Cryptographic Transition Strategy Certs and CRLs expiring after 12/31/2008 must be signed using 2048 bit RSA keys User Certs generated after 12/31/2008 must contain 2048 bit RSA keys Certs and CRLs generated after 12/31/2008 must be signed using SHA-256
FPKI Certificate Policies Federal Certificate Policy — Rudimentary, Basic, Medium and High — Federal Policy Authority “maps” agency policy — currently x-certified • Medium: Treasury, DoD, Agriculture (NFC), NASA, DST ACES, Illinois • High: State Dept & Treasury Common Certificate Policy — Shared Service providers Citizen and Commerce Class — Streamlined process based on memo of agreement rather than detailed review of CP & CPS • Does anybody want this?
Knowledge Based Authentication (KBA) Not covered in 800-63 — Symposium on 9-10 Feb. at NIST Can we just ask questions to authenticate users? — People do it now — “Walk-in” customers, real business need • It’s the age of instant gratification Similar to ID proofing process, but without closing the loop Could view KBA as similar to passwords — Only these passwords are not very secret — Valid claimant might not know them all How can we quantify KBA, what are the standards?
KBA: some questions What is a reasonable model for KBA? — What are the functions and features of each component? — What are the security implications of the components? For Users: — How much confidence do you need? Can KBA get there? What are the information sources and how do we evaluate them? — How accurate are the sources? What are the Mechanisms and Metrics? How do we score responses and what does a score mean? What can we standardize?
Questions

Recommended

Ethical hacking
Ethical hackingEthical hacking
Ethical hackingshahhardik27
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfFelipe Prado
 
11.bluetooth security
11.bluetooth security11.bluetooth security
11.bluetooth securityPramod Rathore
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Chapter 2
Chapter 2Chapter 2
Chapter 2shahhardik27
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking PresentationAnimesh Behera
 
Information and network security 44 direct digital signatures
Information and network security 44 direct digital signaturesInformation and network security 44 direct digital signatures
Information and network security 44 direct digital signaturesVaibhav Khanna
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshellYahia Kandeel
 

Recommended

Ethical hacking
Ethical hackingEthical hacking
Ethical hackingshahhardik27
 
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfDEFCON 23 - Matteo Becarro Matteo Collura - extracting the painf
DEFCON 23 - Matteo Becarro Matteo Collura - extracting the painfFelipe Prado
 
11.bluetooth security
11.bluetooth security11.bluetooth security
11.bluetooth securityPramod Rathore
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsVi Tính Hoàng Nam
 
Chapter 2
Chapter 2Chapter 2
Chapter 2shahhardik27
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking PresentationAnimesh Behera
 
Information and network security 44 direct digital signatures
Information and network security 44 direct digital signaturesInformation and network security 44 direct digital signatures
Information and network security 44 direct digital signaturesVaibhav Khanna
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshellYahia Kandeel
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10Al Imam University
 
RFID Talk
RFID TalkRFID Talk
RFID Talkmasud80
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication systemSwetha Kogatam
 
Mobile computing
Mobile computingMobile computing
Mobile computingNeethu Thankappan
 
Cyber securityppt
Cyber securitypptCyber securityppt
Cyber securitypptSachin Roy
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
Session hijacking
Session hijackingSession hijacking
Session hijackingGayatri Kapse
 
Ehical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network SecurityEhical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network Securityprachi67
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 
Authetication ppt
Authetication pptAuthetication ppt
Authetication pptPranav Doshi
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 AuthenticationInformation Technology
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivamShivam Ðreamchazer
 
Information and network security 45 digital signature standard
Information and network security 45 digital signature standardInformation and network security 45 digital signature standard
Information and network security 45 digital signature standardVaibhav Khanna
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS Kathirvel Ayyaswamy
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
cryptographydiksha.pptx
cryptographydiksha.pptxcryptographydiksha.pptx
cryptographydiksha.pptxDIKSHABORKAR8
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thsamirapdcosden
 

More Related Content

What's hot

Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
RFID Talk
RFID TalkRFID Talk
RFID Talkmasud80
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication systemSwetha Kogatam
 
Cyber securityppt
Cyber securitypptCyber securityppt
Cyber securitypptSachin Roy
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
Ehical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network SecurityEhical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network Securityprachi67
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationOpposing Force S.r.l.
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 
Information and network security 45 digital signature standard
Information and network security 45 digital signature standardInformation and network security 45 digital signature standard
Information and network security 45 digital signature standardVaibhav Khanna
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)Anjali Agrawal
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 

What's hot (19)

Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10
 
RFID Talk
RFID TalkRFID Talk
RFID Talk
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
One Time Password - A two factor authentication system
One Time Password - A two factor authentication systemOne Time Password - A two factor authentication system
One Time Password - A two factor authentication system
 
Mobile computing
Mobile computingMobile computing
Mobile computing
 
Cyber securityppt
Cyber securitypptCyber securityppt
Cyber securityppt
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 
Session hijacking
Session hijackingSession hijacking
Session hijacking
 
Ehical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network SecurityEhical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network Security
 
Extracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - PresentationExtracting the Painful (Blue)Tooth - Presentation
Extracting the Painful (Blue)Tooth - Presentation
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 
Authetication ppt
Authetication pptAuthetication ppt
Authetication ppt
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
 
Ethical hacking by shivam
Ethical hacking by shivamEthical hacking by shivam
Ethical hacking by shivam
 
Information and network security 45 digital signature standard
Information and network security 45 digital signature standardInformation and network security 45 digital signature standard
Information and network security 45 digital signature standard
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS
 
One time password(otp)
One time password(otp)One time password(otp)
One time password(otp)
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 

Similar to Twg 04-04

cryptographydiksha.pptx
cryptographydiksha.pptxcryptographydiksha.pptx
cryptographydiksha.pptxDIKSHABORKAR8
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thsamirapdcosden
 
implement authentication mechanisms
implement authentication mechanismsimplement authentication mechanisms
implement authentication mechanismsAlireza Ghahrood
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Dr. P. Mohana Priya
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methodslapao2014
 
Mutual Authentication For Wireless Communication
Mutual Authentication For Wireless CommunicationMutual Authentication For Wireless Communication
Mutual Authentication For Wireless Communicationmanish kumar
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdfKIYALIBAN1
 
L4 internet security
L4 internet securityL4 internet security
L4 internet securitylistergc
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systemsAbdulaziz Mohd
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...eSAT Journals
 

Similar to Twg 04-04 (20)

cryptographydiksha.pptx
cryptographydiksha.pptxcryptographydiksha.pptx
cryptographydiksha.pptx
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe thChapter 6Authenticating PeopleChapter 6 OverviewThe th
Chapter 6Authenticating PeopleChapter 6 OverviewThe th
 
implement authentication mechanisms
implement authentication mechanismsimplement authentication mechanisms
implement authentication mechanisms
 
IS - User Authentication
IS - User AuthenticationIS - User Authentication
IS - User Authentication
 
Iss lecture 5
Iss lecture 5Iss lecture 5
Iss lecture 5
 
Unit 5
Unit 5Unit 5
Unit 5
 
authentication.ppt
authentication.pptauthentication.ppt
authentication.ppt
 
Introduction to Web Application Security Principles
Introduction to Web Application Security Principles Introduction to Web Application Security Principles
Introduction to Web Application Security Principles
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
Mutual Authentication For Wireless Communication
Mutual Authentication For Wireless CommunicationMutual Authentication For Wireless Communication
Mutual Authentication For Wireless Communication
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
 
CyberSecurity101.pdf
CyberSecurity101.pdfCyberSecurity101.pdf
CyberSecurity101.pdf
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdf
 
L4 internet security
L4 internet securityL4 internet security
L4 internet security
 
Security
SecuritySecurity
Security
 
Secure payment systems
Secure payment systemsSecure payment systems
Secure payment systems
 
Network security
Network securityNetwork security
Network security
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
 
Week3 lecture
Week3 lectureWeek3 lecture
Week3 lecture
 

More from Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 

More from Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Twg 04-04

  • 1. NIST E-Authentication Guidance SP 800-63 NIST E-Authentication Guidance SP 800-63 Federal PKI TWG Feb. 18, 2004 Bill Burr william.burr@nist.gov
  • 2. NIST E-Authentication Tech Guidance OMB Guidance to agencies on E-Authentication — OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 16, 2003 • http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf — About identity authentication, not authorization or access control NIST SP800-63: Recommendation for Electronic Authentication — Companion to OMB e-Authentication guidance — Draft for comment at: http://csrc.nist.gov/eauth — Comment period ends: March 15 — Covers conventional token based remote authentication • Does not cover Knowledge Based Authentication
  • 3. Assurance Levels OMB guidance defines 4 assurance levels — Level 1 little or no confidence in asserted identity’s validity — Level 2: Some confidence in asserted identity’s validity — Level 3: High confidence in asserted identity's validity — Level 4: Very high confidence in asserted identity’s validity Needed assurance level determined for each type of transaction by the risks and consequences of authentication error with respect to: — Inconvenience, distress & damage to reputation — Financial loss — Harm to agency programs or reputation — Civil or criminal violations — Personal safety
  • 4. E-Auth Guidance Process Risk assessment — Potential impacts — likelihood Map risks to assurance level — profile Select technology — NIST Technical E-Authentication Guidance, SP800-63 Validate implemented system Periodically reassess
  • 5. Max. Potential Impacts Profiles Assurance Level Impact Profiles 1 2 3 4 Inconvenience, distress, reputation Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency prog. or pub. interests N/A Low Mod High Unauth. release of sensitive info N/A Low Mod High Personal safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High Potential Impact Categories for Authentication Errors
  • 6. Technical Guidance Constraints Technology neutral (if possible) — Required (if practical) by e-Sign, Paperwork Elimination and other laws — Premature to take sides in web services wars — Difficult: many technologies, apples and oranges comparisons Practical with COTS technology — To serve public must take advantage of existing solutions and relationships Only for remote network authentication — Not in person, therefore not about biometrics Only about identity authentication — Not about attributes, authorization, or access control • This is inherited from OMB guidance — Agency owns application & makes access control decisions
  • 7. Personal Authentication Factors Something you know — A password Something you have: a token — for remote authentication typically a key • Soft token: a copy on a disk drive • Hard token: in a special hardware cryptographic device Something you are — A biometric • But biometrics don’t work well in remote authentication protocols, because you can’t keep a biometric secret
  • 8. Remote Authentication Protocols Conventional, secure, remote authentication protocols all depend on proving possession of some secret “token” — May result in a shared cryptographic session key, even when token is a only password Remote authentication protocols assume that you can keep a secret — Private key — Symmetric key — Password Can be “secure” against defined attacks if you keep the secret — Amount of work required in attack is known • Make the amount of work impractical — Hard for people to remember passwords that are “strong” enough to make the attack impractical
  • 9. Multifactor Remote Authentication The more factors, the stronger the authentication Multifactor remote authentication typically relies on a cryptographic key — Key is protected by a password or a biometric — To activate the key or complete the authentication, you need to know the password, or poses the biometric — Works best when the key is held in a hardware device (a “hard token”) • Ideally a biometric reader is built into the token, or a password is entered directly into token
  • 10. E-Authentication Model A claimant proves his/her identity to a verifier by proving possession of a token, often in conjunction with electronic credentials that bind the identity and the token. The verifier may then inform a relying party of the claimant’s identity with an assertion. The claimant got his/her token and credentials from a Credentials Service Provider (CSP), after proving his identity to a Registration Authority (RA). The roles of the verifier, relying party, CSP and RA may be variously combined in one or more entities. — Claimant: Wants to prove his or her identity — Electronic credentials: Bind an identity or attribute to a token or something associated with a claimant — Token: Secret used in an authentication protocol — Verifier: verifies the claimant’s identity by proof of possession of a token — Relying party: Relies on an identity — Assertion: Passes information about a claimant from a verifier to a relying party — Credentials Service Provider (CSP): Issues electronic credentials and registers or issues tokens — Registration Authority (RA): Identity proofs the subscriber
  • 11. Tokens Hard token — Cryptographic key in a hardware device — FIPS 140 level 2, with level 3 physical security — Key is unlocked by password or biometrics Soft token — Cryptographic key encrypted under password — FIPS 140 Level 1 or higher crypto module One-time password device (1TPD) — Symmetric key in a hardware device with display - FIPS 140 level 1 — Generates password from key plus time or counter — User typically inputs password through browser Zero Knowledge Password — Strong password used with special “zero knowledge” protocol Password — Password or PIN with conventional protocol
  • 12. Token Type by Level Allowed Token Types 1 2 3 4 Hard crypto token √ √ √ √ Soft crypto token √ √ √ Zero knowledge password √ √ √ One-time Password Device √ √ √ Strong password √ √ PIN √ Assurance Level
  • 13. Protections by Level 3 Protection Against Soft/ZKP 1TPD Eavesdropper √ √ √ √ Replay √ √ √ √ √ On-line guessing √ √ √ √ √ Verifier Impersonation √ √ √ Man-in-the-middle √ * √ Session Hijacking √ √ 41 2 Assurance Level * Protection for shared secret only
  • 14. Auth. Protocol Type by Level Authentication Protocol Types 1 2 3 4 Private key PoP √ √ √ √ Symmetric key PoP √ √ √ √ Zero knowledge password √ √ √ Tunneled password √ √ Challenge-reply password √ Assurance Level
  • 15. ID Proofing Level 1 — Self assertion, minimal records Level 2 — On-line, more or less instant gratification may be possible •Close the loop by mail, phone or (possibly) e-mail Level 3 — in-person registration not required •Close the loop by mail or phone Level 4 — In person proofing •Record a biometric Can later prove who got the token — Consistent with FICC Common Certificate Policy
  • 16. Passwords Password is a secret character string you commit to memory. — Secret and memory are the key words here • As a practical matter we often do write our passwords down A password is really a (weak) key — People can’t remember good keys We all live in Password Hell – too many passwords — And they try to make us change them all the time In E-auth we’re only concerned with on-line authentication — Assume that the verifier is secure and can impose rules to detect or limit attacks What is the “strength” of a password?
  • 17. Attacks on Passwords In-band —Attacker repeatedly tries passwords until he is successful • guessing, dictionary, or brute force exhaustion —Can’t entirely prevent these attacks • can ensure they don’t succeed very often Out of band – everything else —Eavesdropper —Man-in-the-middle —Shoulder surfing —Social engineering
  • 18. Password Strength Over the life of the password the probability of an attacker with no a priori knowledge of the password finding a given user’s password by an in-band attack shall not exceed — one in 216 (1/65,563) for Level 2 — one in 211 (1/2048) for Level 1 Strength is function of both password entropy, the system and how it limits or throttles in-band guessing attacks Many ways to limit password guessing attack — 3-strikes and reset password, hang up on bad login attempt… — Limited password life, but… — Note that there is not necessarily a time limit — Many things are trade-offs with help desk costs
  • 19. Password Entropy Entropy of a password is roughly speaking, the uncertainty an attacker has in his knowledge of the password, that is how hard it is to guess it. Easy to compute entropy of random passwords We typically state entropy in bits. A random 32-bit number has 232 values and 32-bits of entropy A password of length l selected at random from the keyboard set of 94 printable (nonblank) characters has 94l values and about 6.55× l bits of entropy. ∑ ==−= x xXPxXPXH )(log)(:)( 2
  • 20. Password Entropy Entropy is measure of randomness in a password — Stated in bits: a password with 24 bits of entropy is as hard to guess as a 24 bit random number — The more entropy required in the password, the more trials the system can allow It’s easy to calculate the entropy of a system generated random password — But users can’t remember these Much harder to estimate the entropy of user chosen passwords — Composition rules and dictionary rules may increase entropy — NIST estimates of password entropy
  • 21. Shannon’s Estimate of Entropy Shannon used 26 English letters plus space —Left to their own devices user will choose only lower case letters. Shannon’s method involves knowing the i-1 first letters of a string of English text; how well can we guess the ith letter? Entropy per character decreases for longer strings —1 character 4.7 bits/character —≤ 8 characters 2.3 bits per character —order of 1 bit/char for very long strings
  • 22. Use Shannon as Estimate Shannonn gives us an estimate of the number of bits needed to represent ordinary English text — Seems intuitive that if it takes n bits to represent a text string, that is related to how hard it is to guess the string It should be as hard to guess or compress passwords as ordinary English text — Users are supposed to pick passwords that don’t look like ordinary English, to make them harder to guess • But, of course, users want to remember passwords — Attacker won’t have a perfect dictionary or learn much by each unsuccessful trial — Surely, the only long passwords that are easy to remember are based on phrases of text that make sense to the person selecting the password Give “bonuses” for composition rules and dictionary
  • 23. Very Rough Password Entropy Estimate 0 10 20 30 40 50 60 0 10 20 30 password length in characters bitsorequivelententropy no rules composition dictionary both
  • 24. PKI & E-Auth PKI solutions widely available — Can use TLS with client certs. for levels 3 & 4 May be the predominant solution for levels 3 & 4 in gov. — Federal Identity Credentialing Committee — Common Credential and Federal Identity Card • Common certificate policy and shared service providers • Gov. Smart Card Interoperability Standard (GSC-IS) Fed. Bridge CA and Fed. Policy Authority are PKI vehicle Non-PKI level 3 & 4 solutions — One-time password devices in common use – can meet level 3 • Cell phones could be a good 1TPD platform — Zero knowledge passwords for level 3 – not widely implemented — Level 4 could be done with symmetric key tokens
  • 25. PKI & E-Auth PKI solutions widely available — Can use TLS with client certs. for levels 3 & 4 May be the predominant solution for levels 3 & 4 in gov. — Federal Identity Credentialing Committee — Common Credential and Federal Identity Card • Common certificate policy and shared service providers • Gov. Smart Card Interoperability Standard (GSC-IS) Fed. Bridge CA and Fed. Policy Authority are PKI vehicle Non-PKI level 3 & 4 solutions — One-time password devices in common use – can meet level 3 • Cell phones could be a good 1TPD platform — Zero knowledge passwords for level 3 – not widely implemented — Level 4 could be done with symmetric key tokens
  • 26. Federal Employee Credentials Employees & affiliates Primarily levels 3 & 4 — Most will eventually be hard token (CAC card) — Near term a lot will be soft token PKI based — New agency PKIs will be use shared service provider CAs • Common certificate policy framework — Legacy agency operated PKIs will be around for a while — Bridge CA will remain for policy mapping • Legacy agency operated PKIs • States & local government, business, foreign, etc. • Commerce & citizen class
  • 27. Fed. User Certificate Fed. User Certificate FPKI Architecture FBCA Certificate Policy Bridge Certification Authority Agencies (Legacy agency CA policy) States Foreign Entities Financial Institution Business Utility Private Sector C4 Certification Authority Common Policy Certification Authority E-Auth. Common Policy (Common Policy Root included in browser list of CAs) E-Governance Certification Authorities Assurance Level 1 Assurance Level 2 SSP1 SSP2 SSP3 Other Bridges ACES Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Fed. User Certificate Shared Service Provider CAs Common Policy Agency User Certs. (Mutual authentication of SAML/SSL Certificates only) Citizen &Commerce Class Certificate Policy (Agencies buy certificate services from SSPs under Common Policy)
  • 28. Common Policy Framework Applies to Federal Employees, Affiliates (e.g., guest researchers), & Devices (e.g., servers) Three policies — Two user policies •FIPS 140 Level 2 Hardware Cryptomodule Meets e_Auth assurance level 4 •FIPS 140 Level 1 Software Cryptomodule Meets e-Auth assurance level 3 — One device policy (Level 1 Cryptomodule) Assurance comparable to FBCA Medium — More detailed Identity Proofing requirements — Transition strategy to 2048 bit RSA, SHA-256
  • 29. Identity Proofing of Fed. Applicants A priori request from management required Employees’ employment verified through use of “official agency records” In-person identity proofing — Credentials verified for legitimacy — Biometric recorded for nonrepudiation Trusted Agent may perform proofing — RA still verifies credentials
  • 30. Cryptographic Transition Strategy Certs and CRLs expiring after 12/31/2008 must be signed using 2048 bit RSA keys User Certs generated after 12/31/2008 must contain 2048 bit RSA keys Certs and CRLs generated after 12/31/2008 must be signed using SHA-256
  • 31. FPKI Certificate Policies Federal Certificate Policy — Rudimentary, Basic, Medium and High — Federal Policy Authority “maps” agency policy — currently x-certified • Medium: Treasury, DoD, Agriculture (NFC), NASA, DST ACES, Illinois • High: State Dept & Treasury Common Certificate Policy — Shared Service providers Citizen and Commerce Class — Streamlined process based on memo of agreement rather than detailed review of CP & CPS • Does anybody want this?
  • 32. Knowledge Based Authentication (KBA) Not covered in 800-63 — Symposium on 9-10 Feb. at NIST Can we just ask questions to authenticate users? — People do it now — “Walk-in” customers, real business need • It’s the age of instant gratification Similar to ID proofing process, but without closing the loop Could view KBA as similar to passwords — Only these passwords are not very secret — Valid claimant might not know them all How can we quantify KBA, what are the standards?
  • 33. KBA: some questions What is a reasonable model for KBA? — What are the functions and features of each component? — What are the security implications of the components? For Users: — How much confidence do you need? Can KBA get there? What are the information sources and how do we evaluate them? — How accurate are the sources? What are the Mechanisms and Metrics? How do we score responses and what does a score mean? What can we standardize?