Measuring Authentication: NIST and Vectors of Trust


SESSION ID: IDY-F01. Measuring Authentication: NIST 800-63 and Vectors of Trust. Sarah Squire, Senior Identity Solution Architect, Engage Identity, @SarahKSquire

(Slide image: Eyewitness News)

A Play in Five Acts
Act I: What is authentication, and why are we measuring it?
Act II: Levels of Assurance
Act III: Vectors of Trust
Act IV: NIST Digital Identity Guidelines
Act V: How to help

Act I: What is authentication, and why are we measuring it?

ELI5 version: authentication is making sure that a person or thing is the same person or thing you saw last time. That is different from them being who they say they are, which is identity proofing.

Act II: Levels of Assurance

The four-level scheme of OMB M-04-04 and NIST SP 800-63-2, which bundles proofing, credential strength and assertion protection into a single number:

LoA 1: Little or no confidence
LoA 2: Some confidence
LoA 3: High confidence
LoA 4: Very high confidence

What LoA 4 (very high confidence) requires:
Strong cryptographic authentication
Strong man-in-the-middle resistance
No bearer tokens
The account owner has physically appeared, and a government-issued photo-identification document has been verified by the relevant agency.

Act III: Vectors of Trust

Four components, each reported separately instead of collapsed into one level:
P: Identity Proofing
C: Primary Credential Usage
M: Primary Credential Management
A: Assertion Presentation

P, Identity Proofing
P0: No proofing, not consistent across sessions
P1: Self-asserted, possibly pseudonymous
P2: Identity has been proofed remotely or in person
P3: Binding relationship (employee, customer, student, etc.)

C, Primary Credential Usage
C0: No credential
Ca: Session cookies
Cb: Known device
Cc: Shared secret such as a username and password combination
Cd: Cryptographic proof of key possession using a shared key
Ce: Cryptographic proof of key possession using an asymmetric key
Cf: Sealed hardware token / trusted biometric / TPM-backed keys

M, Primary Credential Management
Ma: Self-asserted primary credentials / no additional verification for primary credential issuance or rotation
Mb: Remote issuance and rotation / use of backup recovery credentials (such as email verification) / deletion on user request
Mc: Full proofing required for each issuance and rotation / revocation on suspicious activity

A, Assertion Presentation
Aa: No protection / unsigned assertion
Ab: Signed and verifiable assertion, passed through the browser
Ac: Signed and verifiable assertion, passed through a back channel
Ad: Assertion encrypted to the relying party's key and audience protected

Vectors of Trust example: Whistleblower
P? P1 (self-asserted, possibly pseudonymous)
C? Cb.Cc (known device plus a username and password)
M? Ma (self-asserted credentials, no additional verification on issuance or rotation)
A? Ac (signed assertion passed through a back channel)
Resulting vector: P1.Cb.Cc.Ma.Ac
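The whistleblower vector is a string a relying party has to parse and compare against its own policy. The following is an added example, not code from the talk or from the Vectors of Trust specification: it parses a vector into its P/C/M/A components using the value sets listed above, rejects malformed input, and checks whether an offered vector satisfies a required one. The comparison rules are assumptions made for this example: P, M and A are treated as single-valued and ranked in the order the slides list them, while C is treated as a set that may hold several values (the whistleblower slide itself uses Cb.Cc), so every required C value must be present in the offered vector. The helper names and the sample policy strings are invented for illustration.

```python
import re
from typing import Dict, List, Optional

# Component letters and the values each may carry, in the order the slides
# list them (P0..P3, C0/Ca..Cf, Ma..Mc, Aa..Ad). Position in the string is
# used as the rank for the ordered components.
VOT_VALUES: Dict[str, str] = {
    "P": "0123",     # identity proofing: ordered, P0 < P1 < P2 < P3
    "C": "0abcdef",  # primary credential usage: compared as a set
    "M": "abc",      # primary credential management: ordered
    "A": "abcd",     # assertion presentation: ordered
}

# Assumption for this example: P, M and A appear at most once and are ranked;
# C may appear several times, as in the whistleblower vector P1.Cb.Cc.Ma.Ac.
SINGLE_VALUED = ("P", "M", "A")

_VALUE_RE = re.compile(r"^([PCMA])(.)$")


def parse_vot(vector: str) -> Dict[str, List[str]]:
    """Split a dot-separated vector such as 'P1.Cb.Cc.Ma.Ac' into components.

    Raises ValueError on an unknown component letter, an unknown value for a
    component, or a repeated single-valued component, so a relying party never
    silently accepts a vector it cannot interpret.
    """
    components: Dict[str, List[str]] = {}
    for token in vector.split("."):
        match = _VALUE_RE.match(token)
        if not match:
            raise ValueError(f"malformed vector value: {token!r}")
        comp, val = match.groups()
        if val not in VOT_VALUES[comp]:
            raise ValueError(f"unknown value {val!r} for component {comp}")
        if comp in SINGLE_VALUED and comp in components:
            raise ValueError(f"component {comp} given more than once")
        components.setdefault(comp, []).append(val)
    return components


def _rank(comp: str, val: str) -> int:
    return VOT_VALUES[comp].index(val)


def satisfies(required: str, offered: str) -> bool:
    """True if the offered vector meets or exceeds every component required.

    Ordered components (P, M, A) pass when the offered rank is at least the
    required rank. C passes when every required C value is present in the
    offered vector; a required 'C0' (no credential) is satisfied by anything.
    A component the policy requires but the offered vector omits fails.
    """
    need = parse_vot(required)
    have = parse_vot(offered)
    for comp, vals in need.items():
        if comp == "C" and vals == ["0"]:
            continue
        if comp not in have:
            return False
        if comp in SINGLE_VALUED:
            if _rank(comp, have[comp][0]) < _rank(comp, vals[0]):
                return False
        elif not set(vals) <= set(have[comp]):
            return False
    return True


def choose_vector(vtr: str, offered: str) -> Optional[str]:
    """Pick the first acceptable vector from a space-separated request list.

    'vtr' mirrors the space-separated list of acceptable vectors a relying
    party can send in its request; the first entry the offered vector
    satisfies is returned, or None if none is met.
    """
    for candidate in vtr.split():
        if satisfies(candidate, offered):
            return candidate
    return None


if __name__ == "__main__":
    whistleblower = "P1.Cb.Cc.Ma.Ac"  # the vector built on the slides
    print(parse_vot(whistleblower))
    # Hypothetical policies: pseudonymous-but-consistent with a password and a
    # back-channel assertion passes; anything demanding proofing (P2) or an
    # asymmetric-key credential (Ce) does not.
    print(choose_vector("P2.Ce.Ad P1.Cc.Ac", whistleblower))
```

The set rule for C is deliberately strict: a policy that asks for Cc (a password) is not satisfied by an offered Ce alone, because the two describe different credentials rather than ranks of one credential. A profile that wants "Cc or anything stronger" should spell that out as several acceptable vectors in the request list rather than rely on an ordering the component does not define.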

Act IV: NIST Digital Identity Guidelines

Three separate assurance levels replace the single LoA number:
IAL: Identity Assurance Level
AAL: Authenticator Assurance Level
FAL: Federation Assurance Level

IAL, Identity Assurance Level
Level 1: Pseudonymous
Level 2: Remote or in-person identity proofing
Level 3: In-person identity proofing with biometric collection for the purpose of non-repudiation

AAL, Authenticator Assurance Level
Level 1: Single-factor authentication
Level 2: Two-factor authentication
Level 3: Two-factor authentication with a cryptographic device and verifier impersonation resistance

FAL, Federation Assurance Level
Level 1: Signed bearer assertion
Level 2: Signed and encrypted bearer assertion
Level 3: Signed and encrypted holder-of-key assertion

NIST Digital Identity Guidelines example: Secretary of State
Identity Assurance Level? 3
Authenticator Assurance Level? 3
Federation Assurance Level? 2

Act V: How to Help

Q & A

Resources
Me: @SarahKSquire or sarah@engageidentity.com
Vectors of Trust (IETF draft, since published as RFC 8485): https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/
NIST Digital Identity Guidelines (SP 800-63-3): https://pages.nist.gov/800-63-3/