NIST E-Authentication Guidance SP 800-63 and Biometrics



Similar documents
Who s There? A Methodology for Selecting Authentication Credentials. VA-SCAN October 5, 2009 Mary Dunker dunker@vt.edu

ARCHIVED PUBLICATION

FINAL Version 1.1 April 13, 2011

Authentication Tokens

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

User Authentication Guidance for IT Systems

Identity, Credential, and Access Management. Open Solutions for Open Government

Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?

NATIONAL MARINE FISHERIES SERVICE INSTRUCTION JUNE 25, 2007

Electronic Authentication Guideline. -- OR --

Best Practice Guideline G07-001

A Method of Risk Assessment for Multi-Factor Authentication

Understanding the Security & Privacy Rules associated with the HITECH and HIPAA Acts

OpenID & Strong Authentication

Device-Centric Authentication and WebCrypto

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

E-Authentication Guidance for Federal Agencies

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Security Levels for Web Authentication using Mobile Phones

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

EECS 588: Computer and Network Security. Introduction

Attestation and Authentication Protocols Using the TPM

Best Practices for Privileged User PIV Authentication

Knowledge Based Authentication (KBA) Metrics

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

E-Authentication Risk Assessment for. Electronic Prescriptions for Controlled Substances

Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan

Multi-factor authentication

NIST Cybersecurity White Paper

Multi-Factor Authentication

Security and Operating Systems It s the Application

Information Security. Rick Aldrich, JD, CISSP Booz Allen Hamilton

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

Computer and Network Security

Information Security

Cryptography and Key Management Basics

Chapter 1: Introduction

Rich Furr Head, Global Regulatory Affairs and Chief Compliance Officer, SAFE-BioPharma Association. SAFE-BioPharma Association

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Identity Assurance Framework

Mobile Device as a Platform for Assured Identity for the Federal Workforce

What s it all about? SAFE-BioPharma Association

The Password Problem Will Only Get Worse

Multi-Factor Authentication of Online Transactions

Department of Veteran Affairs VA HANDBOOK 6510 VA IDENTITY AND ACCESS MANAGEMENT

Architecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering

TIB 2.0 Administration Functions Overview

Identity and Access Management Initiatives in the United States Government

Managed Portable Security Devices

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Identity Assurance Assessment Framework. February 11, 2013 Version 1.2

INF3510 Information Security. Lecture 8: User Authentication. University of Oslo Spring 2015

Is Consumer-Oriented Strong Authentication Finally Here to Stay? Arshad Noor, CTO, StrongAuth, Inc. Professional Strategies S22

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

A Security Survey of Strong Authentication Technologies

Internet Banking Two-Factor Authentication using Smartphones

Guidance on Multi-factor Authentication

Scalable Authentication

Using Strong Authentication for Preventing Identity Theft

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Information Security Basic Concepts

EECS 588: Computer and Network Security. Introduction January 14, 2014

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Security Levels for Web Authentication Using Mobile Phones

FIDO Trust Requirements

Digital Identity Management

Alternative authentication what does it really provide?

Authentication, Authorization, and Audit Design Pattern: Internal User Identity Authentication

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

Enova X-Wall LX Frequently Asked Questions

Security and Privacy Challenges of Biometric Authentication for Online Transactions

Top Authentication & Identification Methods to Protect Your Credit Union

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Subject: Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities

Single Sign-On Secure Authentication Password Mechanism

Authentication, Authorization, and Audit Design Pattern: External User Authentication

A unique biometrics based identifier, such as a fingerprint, voice print, or a retinal scan; or

I N F O R M A T I O N S E C U R I T Y

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

Innovations in Digital Signature. Rethinking Digital Signatures

Randomized Hashing for Digital Signatures

Applying Cryptography as a Service to Mobile Applications

Public Key Infrastructure Defence Public Key Infrastructure Levels of Assurance Requirements Certificate Policy Object Identifiers (OIDs)

Securing Cloud Applications with Two-Factor Authentication

I N F O R M A T I O N S E C U R I T Y

Understanding the Role of Smart Cards for Strong Authentication in Network Systems. Bryan Ichikawa Deloitte Advisory

Implementation of biometrics, issues to be solved

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 201-2,

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

Economic and Social Council

addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from

ipad in Business Security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Sync Security and Privacy Brief

ecommerce Stages of Authentication Dynamic Factor Authentication

Chapter 15 User Authentication

INFORMATION PROCEDURE

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Transcription:

NIST E-Authentication Guidance SP 800-63 and Biometrics September 21, 2004 Bill Burr william.burr@nist.gov

OMB M-0404 Guidance on E-Auth Part of E-Government initiative put services online About identity authentication, not authorization or access control http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf Four assurance levels Level 1: Little or no confidence in asserted identity s validity Level 2: Some confidence in asserted identity s validity Level 3: High confidence in asserted identity's validity Level 4: Very high confidence in asserted identity s validity Needed assurance level determined for each type of transaction by consequences of authentication error with respect to defined potential impact categories

Max. Potential Impacts Profiles Potential Impact Categories for Authentication Errors Inconvenience, distress, reputation Assurance Level Impact Profiles 1 2 3 4 Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency prog. or pub. interests N/A Low Mod High Unauth. release of sensitive info N/A Low Mod High Personal safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High

E-Auth Guidance Process Risk assessment Potential impacts Likelihood Map risks to assurance level Profile Select technology NIST Technical E-Authentication Guidance, SP800-63 Validate implemented system Periodically reassess

NIST SP800-63: Electronic Authentication Guideline A NIST Recommendation Companion to OMB e-authentication guidance M-0404 Provides technical authentication requirements for levels of authentication assurance defined in M-0404 Posted end of June 04 http://csrc.nist.gov/publications/nistpubs/800-63/sp800-63v6_3_3.pdf Covers conventional secret token based remote authentication Does not cover Knowledge Based Authentication Modest use of biometrics in registration & to unlock keys Fairly well received by network security professionals and cryptographers

Technical Guidance Constraints Technology neutral (if possible) Required (if practical) by e-sign, Paperwork Elimination and other laws Don t want to take sides in web services wars But SAML looks like it s here to stay Difficult: many technologies, apples and oranges comparisons Practical with COTS technology To serve public must take advantage of existing solutions and relationships Only for remote network authentication Other efforts for Fed. Employees/associates credentials for building access Only about identity authentication Not about attributes, authorization, or access control This is inherited from OMB guidance Agency owns application & makes access control decisions

Personal Authentication Factors Something you know A password Something you have: a token For remote authentication typically a key Soft token: a copy on a disk drive Hard token: key in a special hardware cryptographic device Something you are A biometric

Remote Authentication Protocols Conventional, secure, remote authentication protocols all depend on proving possession of some secret token May result in a shared cryptographic session key, even when token is only a password Remote authentication protocols assume that you can keep a secret Private key, Symmetric key or Password Can be secure against defined attacks if you keep the secret Work required for attack can be calculated or estimated Make the amount of work impractical People can t remember passwords strong enough to make offline attacks impractical Good password remote authentication blocks eavesdropper attacks Harder to prevent shoulder surfing or phishing

Multifactor Remote Authentication The more factors, the stronger the authentication Two factors required for Level 3 by 800-63 Multifactor remote authentication typically relies on a cryptographic key Key is protected by a password or a biometric To activate the key or complete the authentication, you need to know the password, or possess the biometric Works best when the key is held in a hardware device (a hard token ) Ideally a biometric reader is built into the token, or a password is entered directly into token Are there other ways? Not yet in 800-63

Biometrics Biometrics tie an identity to a human body Biometric authentication depends on being sure that you have a fresh, true biometric capture, not on keeping the biometric secret Easy when the person is standing in front of you at the capture device Hard when all you have is bits coming from anywhere on the internet NIST plans a workshop on biometrics & remote authentication in the winter Biometrics aren t suitable secrets for remote authentication protocols Hard to keep them secrets Limited number per person Can t change them This is a feature, not a bug, it s why biometrics are so useful Maybe you could revoke them, but would you like the process?

Culture Clash Current remote authentication methods are mainly cryptographic Cryptographers are adversarial Propose a new crypto method and everybody tries to break it Kerchoffs assumption: an adversary will know all the details of the design of your system (only secrets are operational keys) Cryptographers will develop an attack and publish it in enough detail so that others can replicate their work, and think they have done a good thing 5 hash algorithms including MD5 publicly broken at crypto 2004 Fluhrer/Shamir RC4 papers lead to WEPCrack & AirSnort kiddie scripts We do this to crypto & we ll do it to biometrics authentication too Cryptographers believe that a dental technician has the skills and materials to construct a copy of a fingerprint that will fool most fingerprint readers Can biometrics stand up to this kind of public, sustained attack?

Some Workshop Issues We have the model of building a biometric reader into a personal cryptographic token to unlock the user s key in 800-63 now How else can we get strong remote authentication with biometrics? What are acceptable false acceptance rates and how can we measure them? Can we get Level 2 with only a biometric factor? Can we get to 2-14 false acceptance rates? Can we combine a password and a biometric to get to Level 3? For crypto tokens we have FIPS 140 validation testing: how do we get the biometric equivalent? How can a remote verifier know it has a fresh real biometric? Not an old copy of a biometric and not something synthesized What are the privacy implications of large biometric databases? What is the process for working on this?

Questions

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information