Standards for Identity & Authentication
Catherine J. Tilton
17 September 2014
Purpose of these standards

"Wide deployment of authentication technologies that may be used in a global context is heavily dependent on standards, both de facto and de jure. Standards aim at consolidating requirements of suppliers, users, relying parties and government legislative bodies into frameworks that may be used for coordinated implementation of authentication schemes."
- OECD on Electronic Authentication
Buckets of standards
- Interoperability
- Identity management
- Identity authentication (security)
- Identity federation
- Sector specific
- Biometrics (& other technology specific)
- Testing
- Conformance
- ...
Where is this work being done?
- JTC1 SC27, SC37, SC17; TC68
- Trust Framework Providers
- Consortia
- Government Agencies
Identity Management (IdM)
- ISO/IEC 24760, A framework for identity management
- ISO/IEC TR 29144:2014, The use of biometric technology in commercial Identity Management applications and processes
  - Discusses concepts, considerations, and implementation issues
- ISO/IEC 29003 - Identity proofing (WD)
- ANSI/NASPO-IDPV-2014, Requirements and Implementation Guidelines for Assertion, Resolution, Evidence, and Verification of Personal Identity
- ITU-T X.125x series
- A Study Period (SP) on a privacy-respecting identity management scheme using attribute-based credentials has been initiated in SC27.
ISO/IEC 24760
- ISO/IEC 24760, A framework for identity management
  - Part 1 (Terminology & concepts): published (free)
  - Part 2 (Reference architecture & requirements): at DIS
  - Part 3 (Practice): at CD
- Specifies a framework for the issuance, administration, and use of data that serves to characterize individuals, organizations or information technology components which operate on behalf of individuals or organizations.
- Specifies fundamental concepts and operational structures of identity management
ISO/IEC TR 29144
- ISO/IEC TR 29144:2014, The use of biometric technology in commercial Identity Management applications and processes
  - Discusses concepts, considerations, and implementation issues
  - Complements ISO/IEC 24760
  - TR = Technical Report (recommendations)
- Addresses:
  - Capture processes
  - Biometric identifiers
  - Binding of biometrics to identity data
  - Exceptions
  - Database considerations
ISO/IEC 29003
- ISO/IEC 29003 - Information technology - Security techniques - Identity Proofing (WD)
  - Identity proofing and verification (IPV) processes
  - Provides best practices and guidance on required processes for initial establishment and subsequent confirmation of an entity's identity
  - Complements ISO/IEC IS 29115 (normative)
  - Meant to provide greater confidence in an entity's identity prior to delivery of a service to that entity
- Requirements mapped to LoAs (levels of assurance)
- Covers in-person and remote proofing
- Includes controls for enrollment, verification and threats
NASPO IDPV
- ANSI/NASPO-IDPV-2014, Requirements and Implementation Guidelines for Assertion, Resolution, Evidence, and Verification of Personal Identity
- Scope: Establishes an Identity Proofing process to be used by the Identity Proofer to meet the needs of 3 parties: the individual, relying parties, and the proofer
- Establishes a 4-step methodology for identity proofing:
  1. Select an identity assurance level
  2. Assertion of unique identity
  3. Verification of asserted identity
  4. Determination
- Public review of v5.3.1 closed 8 Sep
ITU-T SG17
- X.1250 - Baseline capabilities for enhanced global identity management and interoperability
- X.1251 - A framework for user control of digital identity
- X.1252 - Baseline identity management terms and definitions
- X.1253 - Security guidelines for identity management systems
- X.1255 - Framework for discovery of identity management information
Identity Authentication
- SP800-63-2, Electronic Authentication Guideline
- ISO/IEC 29115:2013 (ITU-T X.1254) - Entity Authentication Assurance Framework (published)
- OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication
- NIST SP 800-118, Guide to Enterprise Password Management
- ISO/IEC 24761:2013 - Authentication context for biometrics (published)
- ITU-T X.1085 / ISO/IEC 17922 - Telebiometric authentication framework using biometric hardware security module (in progress, CD)
- ISO/IEC 29146 - A framework for access management (CD)
Identity Authentication (continued)
- ISO/IEC 29191:2012 - Requirements for partially anonymous, partially unlinkable authentication (published)
- OASIS
  - Identity in the Cloud TC
  - Trust Elevation TC
  - Identity Based Attestation and Open Exchange Protocol Specification (IBOPS): recently proposed within OASIS (new TC)
- TLS (RFC 5246): used in proof-of-possession & device authentication
- Kerberos (RFC 2140 & related): computer network authentication protocol based on tickets
- SC17 smartcards / identity cards
NIST SP 800-63-2
- Provides technical guidelines for Federal agencies implementing electronic authentication
- Covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks.
- Defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions.
ISO/IEC 24761
- ISO/IEC 24761:2013 - Authentication context for biometrics (published)
- Defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site.
- Specifies cryptographic syntax based on an abstract Cryptographic Message Syntax (CMS) schema
- Recognizes that the result of a biometric verification process is dependent upon:
  - Security level of the process executed
  - Performance level of the devices used
- Uses PKI to provide this information at each step of the process to the validator
  - Biometric Processing Unit (BPU) certificates
Identity Federation
- SAML
- OpenID 2 & OpenID Connect
- Shibboleth: an open-source project that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
- IMI (Identity Metasystem Interoperability): enables the use of Information Cards to universally manage personal digital identities. A Web 2.0-friendly method for shared light authentication, Information Cards let people authenticate themselves on multiple web sites without maintaining passwords for each site.
- Trust Framework specifications: Kantara, SAFE BioPharma, InCommon, FICAM
- FIDO (emerging)
Identity Federation (continued)
- SCIM, Simple Cloud Identity Management
- UMA, User Managed Access (Kantara): access control by third parties to protected web resources
- OAuth (RFC 6749/6750): user-authorized access by an API client to a web API
  - Used by SCIM, OpenID Connect, and UMA
- IETF RFC 6711, An IANA Registry for Level of Assurance (LoA) Profiles: intended as an aid to discovering LoA definitions in protocols that use an LoA concept, including Security Assertion Markup Language (SAML) 2.0 and OpenID Connect.
- X.1154 - General framework of combined authentication on multiple identity service provider environments
- XACML (Access Control Markup Language)
- WS-Security
SAML
- OASIS Security Assertion Markup Language, v2.0
- Defines the syntax and processing semantics of assertions made about a subject by a system entity (structure, protocol, rules)
- Series of related standards
- Used for WebSSO
SAML Authentication Method Identifiers (Ver 2.0 Auth Context Classes)
- IP Address
- IP Address + Password
- Kerberos
- Mobile 1/2 Factor Unregistered
- Mobile 1/2 Factor Contract
- Password
- Password protected transport
- Previous session
- Public Key - X.509/PGP/SPKI
- Public Key, XML Digital Signature
- Smartcard
- Smartcard + PKI
- Software PKI
- Telephony (Nomadic, Personalized, Authenticated)
- Secure Remote Password (SRP) (RFC 2945)
- SSL/TLS Certificate Based Client Authentication
- Time Sync Token
- Unspecified
OpenID Connect
- OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.
- It enables Clients (relying parties) to verify the identity of the End-User based on the authentication performed by an Authorization Server (OpenID Provider), as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
FIDO (Fast IDentity Online)
- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users
- 2 Protocol Specifications (draft):
  - Universal Authentication Framework (UAF)
  - Universal Second Factor (U2F)
Sector specific
- Financial
  - FFIEC Authentication in an Internet Banking Environment, Supplement: to reinforce the Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.
  - ANSI X9.84-2010, Biometric Information Management and Security
  - ISO 19092, Financial Services - Biometrics - Part 1: Security framework
    - Developed by ISO TC68, based on ANSI X9.84
    - Describes adequate controls and proper procedures for using biometrics as an authentication mechanism for secure remote electronic access or local physical access controls
    - Includes specific control objectives across the biometric life cycle
    - Also includes an annex of attacks/countermeasures
- Healthcare (?)
ISO 19092
- ISO 19092-1:2006, Financial Services - Biometrics - Part 1: Security framework
  - Developed by ISO TC68, based on ANSI X9.84
  - Describes adequate controls and proper procedures for using biometrics as an authentication mechanism for secure remote electronic access or local physical access controls
  - Includes specific control objectives across the biometric life cycle
  - Also includes an annex of attacks/countermeasures
- Part 2 is Message syntax and cryptographic requirements; not complete
Core requirements of ISO 19092
1. Mechanisms shall be in place to maintain the integrity of biometric data and authentication results between any two components using:
   - Cryptographic mechanisms such as a digital signature
   - Physical protection where no transmission is involved and all components reside within the same tamper resistant unit
2. Mechanisms shall be in place to mutually authenticate the source and destination of the biometric data and authentication results, between the sender and receiver component, using:
   - Cryptographic mechanisms such as a digital signature
   - Physical protections where no transmission is involved and all components reside within the same tamper resistant unit
3. If desired, mechanisms may be in place to ensure the confidentiality of the biometric data between any two components and within any component, using:
   - Cryptographic encryption
   - Physical protections where no transmission is involved and all components reside within the same tamper resistant unit
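As an added illustration of requirements 1 and 2 above (and of the signed, per-step result that the ACBio slide describes), not code from ISO 19092, ISO/IEC 24761 or any vendor: a matching component answers only a nonce signed by the validator, then signs its verification result, and the validator rejects anything altered in transit, signed by an untrusted key, addressed to another component, or replayed. The message layout, component names and the use of Ed25519 are assumptions; ISO 19092 Part 2 message syntax is not used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Result is a constructed message carrying a biometric verification outcome from a
// matching component to a validator; it is not the ISO 19092 Part 2 or ACBio syntax.
type Result struct {
	Receiver string `json:"receiver"` // validator the result is intended for
	Nonce    []byte `json:"nonce"`    // challenge issued by that validator
	Matched  bool   `json:"matched"`
}

// AcceptChallenge: matcher side of mutual authentication, answer only a validator-signed nonce.
func AcceptChallenge(nonce, sig []byte, validatorPub ed25519.PublicKey) error {
	if !ed25519.Verify(validatorPub, nonce, sig) {
		return errors.New("challenge not signed by a trusted validator")
	}
	return nil
}

// SignResult serialises the result and signs it so alteration and origin can be checked.
func SignResult(r Result, matcherPriv ed25519.PrivateKey) (msg, sig []byte, err error) {
	if msg, err = json.Marshal(r); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(matcherPriv, msg), nil
}

// AcceptResult is the validator side: the signature is checked against the trusted matcher
// key before decoding, then receiver and nonce tie the result to this validator and transaction.
func AcceptResult(msg, sig []byte, matcherPub ed25519.PublicKey, me string, nonce []byte) (Result, error) {
	var r Result
	if !ed25519.Verify(matcherPub, msg, sig) {
		return r, errors.New("signature invalid: altered or not from a trusted matcher")
	}
	if err := json.Unmarshal(msg, &r); err != nil {
		return r, err
	}
	if r.Receiver != me {
		return r, errors.New("result addressed to another component")
	}
	if !bytes.Equal(r.Nonce, nonce) {
		return r, errors.New("nonce mismatch: stale or replayed result")
	}
	return r, nil
}
```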
Sector specific (continued)
- Law enforcement
  - ANSI/NIST ITL1-20xx, Data Format for the Interchange of Fingerprint, Facial, & Other Biometric Information (& related profiles)
- Border management
  - ICAO 9303, Machine Readable Travel Documents
- Federal
  - FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors (& associated SPs)
Related work of interest
- ISO/IEC 30107, Presentation Attack Detection
  - Part 1, Framework (CD)
  - Part 2, Data formats (WD)
  - Part 3, Testing & reporting (WD)
  - Addresses anti-spoofing and liveness detection (related to attacks at the biometric sensor)
  - Pertinent to confident use of biometric authentication
- Also, SC27 project on security evaluation of anti-spoofing techniques for biometrics (moving from study to NWIP)
Final note
- IDESG Standards Coordination Committee (SCC) Standards Inventory
  - Meant to be a compilation of known identity-related standards: a survey of the identity standards landscape.
  - https://www.idecosystem.org/wiki/category:standards
- Good resource + Please contribute!
Contact Info:
Catherine Tilton, CBP
VP, Stds & Tech, Daon
11325 Random Hills Dr, Suite 650
Fairfax, VA 22030
703-984-4080
cathy.tilton@daon.com