See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?

Transcription

1 See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How? Bruce E. Wilson Enterprise Architect May 2018 National Laboratories IT Conference ORNL is managed by UT-Battelle for the US Department of Energy

2 Peter Steiner, 7/5/1993, New Yorker Magazine

3 I might be a dog. Which one? Same dog today as yesterday? How much do you care? Bruce E. Wilson Enterprise Architect May 2018 National Laboratories IT Conference ORNL is managed by UT-Battelle for the US Department of Energy

4 What is Digital Identity? Digital identity is the online persona of a subject, and a single definition is widely debated internationally. Digital identity is hard. NIST Special Publication BEWilson NLIT overview

5 What is Digital Identity? A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device Wikipedia 5 BEWilson NLIT overview

6 mixes ID with AuthN In-person ID proofing with verification; hardware MFA; FIPS 140-2; very strong security requirements Strong ID proofing with verification; multifactor authentication; fairly strong security requirements Some ID proofing required; strong passwords or other single factor; some security requirements No ID proofing required; weak passwords OK; almost no security requirements 6 BEWilson NLIT overview

7 Rev 3 Separates ID, AuthN, Federation Identity Assurance Level I am Groot Authentication Assurance Level I am (still) Groot Federation Assurance Level They re saying I am Groot 7 BEWilson NLIT overview

8 Identity Assurance Level 3 Strong ID proofing; in-person or supervised remote 2 Evidence of real-world identity; good verification 1 No ID proofing required; attributes are self-asserted 8 BEWilson NLIT overview

9 Identity Assurance Resolution Which (unique) person are we talking about Validation Validate identity exists, validate authenticity of evidence Verification Confirm linkage between applicant and established identity 9 BEWilson NLIT overview

10 Getting to IAL 3 Two pieces of Superior evidence Validation consistent with the evidence Superior verification Trained personnel and verification of crypto All details confirmed by comparison with source info In-Person or Supervised Remote Address confirmation (can be ) Biometric collection Appropriately tailored controls from high baseline 10 BEWilson NLIT overview

11 Authentication Assurance Level MFA with validated hardware cryptography; Very high confidence it s the same person. MFA; approved cryptographic functions; High confidence it s the same person Single factor authentication; Some assurance it s the same person 11 BEWilson NLIT overview

12 Ways to Achieve AAL 3 MF Cryptographic Device SF Cryptographic Device + Memorized Secret MF OTP Authenticator + SF Cryptographic Device MF HW OTP Device + SF Cryptographic Authenticator SF HW OTP Device + MF Cryptographic Authenticator SF HW OTP Device + SF Cryptographic Authenticator + Memorized Secret 12 BEWilson NLIT overview

13 Additional Authenticators AAL 3 Multifactor Cryptographic Device Authenticator Authentication allows binding of additional authenticator at same or lower AAL Additional AAL 3 Authenticator (certificate mode) Additional AAL 2 Authenticator (One time password mode) 13 BEWilson NLIT overview

14 VSC and etoken have always required badge (Yubikey will as well) Prepare Device Verify using supported hardware Delete existing certificates Authenticate User User authenticates with badge (PIV or LSSO) Verify account is standard user Get PIN for new cert Issue Certificate Generate signing request Write certificate to device Verify user PIN Record Send fingerprint to AD Verify logs written to database 14 BEWilson NLIT overview

15 Disallowed & Restricted Authenticators Disallowed Methods that do not prove possession of a specific device , VOIP call ( ) Knowledge based authenticators, unless only known to verifier Restricted Expected to be disallowed in next version Public Switched Telephone Network (PSTN; ) Include SMS for Out of Band Risk Assessment for use required Alternatives are required (5.2.10) 15 BEWilson NLIT overview

16 What is a Credential? An object or data structure that authoritatively binds an identity -via an identifier or identifiers - and (optionally) additional attributes, to at least one authenticator possessed and controlled by a subscriber. 16 BEWilson NLIT overview

17 A Certificate is a Credential 17 BEWilson NLIT overview

18 except when it s not MSDN blog [1] documents 8 ways to map certs to an AD account [1] /06/18/howto-map-a-user-to-acertificate-via-all-the-methods-available-inthe-altsecurityidentities-attribute/ 18 BEWilson NLIT overview

19 ORNL MFA under Rev 2 PIV: Required for priv accounts; works with all accounts LSSO: Interim for priv accounts; works with all accounts etoken: Use badge to get; primary account only; 1/user; FIPS validated Virtual Smart Card: Use badge to get; primary account only; 1/computer SecurID: Non-organizational users (including OLCF); VPN, VDI, some Linux (generally behind jump server) 19 BEWilson NLIT overview

20 ORNL MFA under Rev 3 PIV: Required for priv accounts; works with all accounts LSSO: Interim for priv accounts; works with all accounts etoken: Use badge to get; primary account only; 1/user; FIPS validated (use for devices with TPM issues) Virtual Smart Card: Use badge to get; primary account only; 1/computer; FIPS Validated TPMs Yubikey: Use badge to get; primary account only; FIPS validation soon SecurID: Non-organizational users (including OLCF); VPN, VDI, some Linux (generally behind jump server) 20 BEWilson NLIT overview

21 Federation Assurance Level Context Browser AKA Morass of problems. 21 BEWilson NLIT overview

22 Federation Assurance Level Holder of key assertion, signed by IdP and encrypted to RP; RP validates subscriber controls the specified key Bearer assertion, signed by IdP and encrypted to Relying Party (RP) Bearer assertion, signed by Identity Provider (IdP) 22 BEWilson NLIT overview

23 Federation Assurance Level Context Confidence in assertion integrity Verification of Authentication Intent Artifact binding discussed some AAL and IAL can be specified as attributes 23 BEWilson NLIT overview

24 Conclusions Very high level of 200+ pages Lots of new options IAL 3 is hard Where are the credentials? Consider additional authenticators 24 BEWilson NLIT overview

25 Backup slides

26 Let s Kill Password Rules These password rules were failed attempts to fix the user. Better we fix the security systems. - Bruce Schneier 10/10/17 26 BEWilson NLIT overview

27 Let s Kill Password Rules Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. 27 BEWilson NLIT overview