Federal Requirements for Credential Assessments – Renee Shuey, ITS – Penn State, February 6, 2007
TRANSCRIPT
Federal Requirements for Credential Assessments
Renee Shuey
ITS – Penn State
February 6, 2007
Higher Ed - eAuthentication Pilot
Organized around Levels of Assurance (LOA)
– LOA 1 and 2 accept assertion-based credentials
  Local authentication followed by identity message to agency application
  Business and Legal rules imposed on applications and Credential Providers alike
– LOA 3 and 4 imply cryptography-based credentials
  PKI dominates
  Serviced by Federal PKI Policy Authority and Federal PKI Operational Authority
  Major growth area for Federal Apps in first round
Higher Ed - eAuthentication Pilot: Who
Cornell University
Penn State
University of Maryland at Baltimore County
University of Washington
General Services Administration
Higher Ed - eAuthentication Pilot: What
Institutional Credential Assessments, Jan '05
– Identified issues for meeting LOA1 requirements
– Password guessing, strength, expiration
– Authorization to Operate Statement
– Stored secret (password resets)
– Documentation
– Align policies and practices
Proposed solution for cultural differences
– Password guessing/Denial of Service Attacks
Higher Ed - eAuthentication Pilot: The Low Hanging Fruit
NSF FastLane
– An interactive, real-time system used to conduct NSF business over the Internet
– Used by faculty to submit grant proposals, check proposal status, participate in panels, perform financial transactions and reports
– Credential Service Provider assessed as LOA1
– Application assessed by GSA as LOA1
Higher Ed - eAuthentication Pilot: Findings
CAP GAP Analysis
– 48% of requirements met by all 3 schools
– 25% of requirements met by at least 1 school
– 25% of requirements not met by any
– 2% not applicable
EAF Business & Operating Rules not obtainable/practical for HE
Institutional credential assessments would be difficult to scale for all of higher education
The Next Step - Interfed
It was determined that a more scalable and user friendly approach would be to establish trust between the federations
An initiative established to identify issues & propose solutions for linking federations
InCommon Participation Requirements
Common descriptive information
Software Guidelines
– http://www.incommonfederation.org/ops/softguide.html
Transparency of Policy and Practices
– POP (Participant Operational Practices)
Participation Agreement
– Minimal "bar" to enter
– Limited Liability; No Indemnification
– General Liability Insurance
Modest application and annual fee
"The" Demo
Internet2 Fall Member Meeting
– Demo - POC of interoperability of InCommon and eAuthentication Federations
– Chest bumps were attempted, goose bumps were achieved
Credential Assessment Profile
Summary of Assessment Factors
Credential Assessment Profile
Level 1
Organizational Maturity: Authorization to Operate
– 1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies.
– 2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
Organizational Maturity: General Disclosure
– 1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community.
– 2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
Authentication Protocol
Secure Channel – Secrets transmitted across an open network shall be encrypted.
Authentication Protocol
Stored Secrets – Secrets such as passwords shall not be stored as plaintext, and access to them shall be protected by discretionary access controls that limit access to administrators and applications that require access.
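The Stored Secrets factor has two halves: the secret itself must be stored in a non-recoverable form, and the store must be reachable only by the accounts that need it. The following is an added example (not code from the presentation or from any of the pilot institutions) showing one way to satisfy both with the Python standard library: each password is salted and stretched with PBKDF2-HMAC-SHA256, verification uses a constant-time comparison, and the credential file is created owner-only (mode 0600). The iteration count, the record format, the file name and the two example passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Assumed for this example; tune the iteration count to your hardware and threat model.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password defeats precomputed tables and makes two
    users with the same password produce different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so response timing does not leak how much of it matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def write_credential_store(path: str, records: dict) -> None:
    """Create the store with mode 0600 at creation time (not chmod afterwards),
    so there is no window in which other local users can read the records."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for user, record in records.items():
            fh.write(f"{user}:{record}\n")


def read_credential_store(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return dict(line.rstrip("\n").split(":", 1) for line in fh if line.strip())


def demo_store_roundtrip() -> dict:
    """Hash two constructed example passwords, write and reload the store, and
    return the checks an assessor would want to see hold."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd.db")   # assumed file name
        write_credential_store(path, {
            "alice": hash_password("correct horse battery staple"),
            "bob": hash_password("correct horse battery staple"),  # same password, different salt
        })
        loaded = read_credential_store(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
    return {
        "alice_ok": verify_password("correct horse battery staple", loaded["alice"]),
        "alice_wrong": verify_password("Correct horse battery staple", loaded["alice"]),
        "records_differ": loaded["alice"] != loaded["bob"],
        "plaintext_absent": "correct horse" not in raw,
        # POSIX permission bits are meaningful only on POSIX systems.
        "owner_only": mode == 0o600 if os.name == "posix" else True,
    }


if __name__ == "__main__":
    for check, result in demo_store_roundtrip().items():
        print(f"{check}: {result}")
```

The 0600 mode covers the "discretionary access controls" clause only for the file itself; the same principle applies to the database grants or service accounts used by the applications that read the store.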
Token Strength
Resistance to Guessing
– At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected user's PIN or Password has a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the PIN or Password.
– The PIN (numeric-only) or Password shall have at least 10 bits of min-entropy (a measure of the difficulty an attacker has in guessing the most commonly chosen password used in a system) to protect against untargeted attack.
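The two Resistance to Guessing requirements combine in a simple way: if the most commonly chosen password has probability at most 2^-H (H bits of min-entropy) and the lockout policy lets an attacker make at most N guesses against one account over the password's lifetime, the targeted success probability is bounded by N * 2^-H, which must stay below 2^-14. The following is an added example (not from the presentation or the CAP documents) that computes min-entropy from a constructed PIN distribution, bounds N from an assumed lockout policy, and reports whether the combination meets the Level 1 numbers on this page; the distribution, the 4-digit PIN policy and the lockout parameters are assumptions for illustration.

```python
import math
from typing import Optional

# Thresholds as stated in the Level 1 profile on this page.
TARGET_EXPONENT = 14      # targeted attack: P(success) < 2^-14 over the password's life
MIN_ENTROPY_BITS = 10     # untargeted attack: at least 10 bits of min-entropy


def min_entropy_bits(counts: dict) -> float:
    """Min-entropy of an observed password distribution: -log2(p_max), where
    p_max is the share of users choosing the single most common value.
    Shannon entropy would overstate strength here; only the top choice matters."""
    total = sum(counts.values())
    p_max = max(counts.values()) / total
    return -math.log2(p_max)


def allowed_online_guesses(lifetime_days: float, max_failures: int,
                           lockout_minutes: Optional[float]) -> float:
    """Upper bound on online guesses at ONE account over the password's lifetime.

    max_failures wrong attempts trigger a lockout. If lockout_minutes is None the
    account stays locked until an administrator resets it, so the attacker gets
    only max_failures guesses; otherwise the attacker simply waits out each lockout."""
    if lockout_minutes is None:
        return float(max_failures)
    windows_per_day = (24 * 60) / lockout_minutes
    return lifetime_days * windows_per_day * max_failures


def targeted_success_probability(guesses: float, entropy_bits: float) -> float:
    """Union bound: each guess hits the most likely password with probability at
    most 2^-H, so N guesses succeed with probability at most N * 2^-H (capped at 1)."""
    return min(1.0, guesses * 2.0 ** -entropy_bits)


def meets_level1(guesses: float, entropy_bits: float) -> bool:
    """Both Level 1 clauses: the min-entropy floor and the targeted-attack bound."""
    return (entropy_bits >= MIN_ENTROPY_BITS and
            targeted_success_probability(guesses, entropy_bits) < 2.0 ** -TARGET_EXPONENT)


def required_min_entropy(guesses: float) -> int:
    """Smallest whole number of bits H with guesses * 2^-H strictly below 2^-14."""
    return math.floor(math.log2(guesses) + TARGET_EXPONENT) + 1


def example_pin_distribution() -> dict:
    """Constructed sample of 1000 users' 4-digit PINs: 5% chose 1234, a few other
    favourites, and the remaining users chose 915 distinct values."""
    counts = {"1234": 50, "0000": 20, "1111": 15}
    counts.update({f"{i:04d}": 1 for i in range(2000, 2915)})
    return counts


if __name__ == "__main__":
    h = min_entropy_bits(example_pin_distribution())
    print(f"min-entropy of sample PINs: {h:.2f} bits (floor is {MIN_ENTROPY_BITS})")

    # Assumed policy A: 5 failures lock the account for 30 minutes, PIN lives one year.
    n_a = allowed_online_guesses(365, 5, 30)
    print(f"policy A allows {n_a:.0f} guesses; P(success) <= "
          f"{targeted_success_probability(n_a, h):.3g}; meets Level 1: {meets_level1(n_a, h)}")

    # Assumed policy B: 3 failures lock until an administrator resets the account.
    n_b = allowed_online_guesses(365, 3, None)
    print(f"policy B allows {n_b:.0f} guesses; needs >= {required_min_entropy(n_b)} bits of "
          f"min-entropy; meets Level 1 with sample PINs: {meets_level1(n_b, h)}")
```

The point the numbers make: with a 30-minute automatic unlock an attacker can try a 4-digit PIN space many times over in a year, so the lockout contributes nothing to the bound, and even an admin-reset lockout after 3 failures still needs roughly 16 bits of min-entropy to reach 2^-14, which no numeric PIN that users self-select will have.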
Token Strength
Uniqueness
– 1. Each subscriber shall self-select at registration time a unique token (e.g., UserID + Password).
– 2. A user can have more than one token, but a token can only map to one user.
– 3. Unique tokens cannot be recycled after a subscriber leaves the CS.
Credential Assessment Profile
Level 2
Organizational Maturity
Documentation – 1. The CSP shall have all security-related policies and procedures documented that are required to demonstrate compliance.
– 2. Undocumented practices will not be considered evidence.
Organizational Maturity
Audit – The CSP shall be audited by an independent auditor every 24 months to ensure the organization's practices are consistent with the policies and procedures for the CS. At the time of the assessment, the most recent audit shall have been performed within the last 12 months.
Organizational Maturity
Risk Mgt – The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
Organizational Maturity: COOP
– 1. The CSP shall have a Continuity of Operations Plan (COOP) that covers disaster recovery and the resilience of the CS.
– 2. Service level agreements are not assessment criteria; they are covered in the licensing arrangements.
– 3. The CS shall employ failure techniques to ensure system failures do not result in false positive authentication errors (i.e., the service fails closed rather than accepting an unverified user).
Organizational Maturity
Network Security – The CSP shall protect their internal communications and systems with measures commensurate with Assurance Level 3 when those communications involve open networks.
Registration and Identity Proofing: In Person Proofing
– The Registration Authority (RA) shall establish the applicant’s identity based on possession of a valid current primary Government Picture ID that contains applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport)
– RA inspects photo-ID, compares picture to applicant, records ID number, address and date of birth. If ID appears valid and photo matches applicant then:
– a) If ID confirms address of record, authorize or issue credentials and send notice to address of record, or
– b) If ID does not confirm address of record, issue credentials in a manner that confirms address of record.
Registration and Identity Proofing: Remote Proofing
– The RA shall establish the applicant’s identity based on possession of a valid Government ID (e.g. a driver’s license or passport) number and a financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number.
– RA inspects both ID number and account number supplied by applicant. Verifies information provided by applicant including ID number or account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that: name, date of birth, address other personal information in records are on balance consistent with the application and sufficient to identify a unique individual.
Confirming Delivery
The CSP shall issue or renew credentials and tokens in a manner that confirms any one of the applicant's:
– 1. Postal address of record; OR
– 2. Fixed-line telephone number of record.
References
[FIPS-140-2] “Security Requirements For Cryptographic Modules”, Federal Information Processing Standard Publication 140-2, 1999.
[M-04-04] The OMB E-Authentication Guidance
[SP 800-63] NIST Special Publication 800-63 version 1.0.1