Identity & Authentication
Authentication
- Definition
- "Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system." Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 Page B-2 (April 2013); Minimum Security Requirements for Federal Information and Information Systems, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Appendix !, March 2006
- Authentication: The process of establishing confidence in the identity of users or information systems. [NIST 800-63-3]
- See also authorization; anonymity
- History
- The Internet historically was designed as a closed trusted system. The Internet was originally perceived as a small experimental research network amongst a closed community. "Trust" was not a problem that needed to be solved in this system, because it was thought of as a small closed community. Therefore authentication of individuals was not built into the design. For example, to travel through the network, a packet needs an accurate TO address; however the FROM address was not essential and could be entirely fictitious. This is true of IP packets as well as things like email. The failure to authenticate the sender has resulted in all sorts of problems, such as SPAM. This "Trust" design of the network reflects what is known as the "End-to-End" design of the Internet, where, to the extent that such things as security and authentication are necessary, these will be handled by the end computers and not the network itself. This is divergent from previous communications networks, such as the Public Telephone Network, where in order to communicate the sender must first be authenticated (after all, the telephone service has to know who to bill).
- Policy Considerations
- Privacy
- Systems designed to increase assurance of the identity of the individual interacting with the system likewise decrease privacy and the ability to engage anonymously.
- Chilling Effect - where logging on requires higher authentication, the end user may perceive that online activities are being monitored and tied to that authenticated identity
- A properly designed authentication system could put the individual in control, revealing only that information which is necessary. During authentication, the information that is necessary for the transaction is revealed, not all PII [Poller]
- For example, with age verification, when authenticating that an individual is old enough for the transaction, the authentication process would simply answer "yes, the individual is old enough." The process would not reveal the actual age of the individual or the date of birth.
- Includes potential to interact anonymously or with pseudonymity
- Identity Theft
- Increased reliance on specific factors for authentication creates a risk that if that factor is compromised, it can result in identity theft. The big example of this vulnerability is the exaggerated reliance on social security numbers, an open and public identifier, for identity authentication. Other examples include reliance on mobile phones or text messages for authentication, where the mobile phone is subject to cloning or spoofing. [Poller 4]
- Reduce exposure of personal information, reducing opportunities for identity theft [White House at 7 2011]
- What identity information should be associated with the authentication? See FIPPS [White House at 12 2011]
- Security of the authentication system / process [White House at 12 2011]
- Authentication Errors [Draft 800-63-3]
- Process for correcting errors
- Credential Misuse
- Impersonation
- ID Theft
- Dictionary Attack
- Compromised infrastructure
- Man in the Middle Attack
- Interoperability of authentication system [White House at 13 2011]
- Cost and ease of use [White House at 14 2011]
- Improved transactions
- Efficiency: Improved authentication of individuals to transactions can make those transactions more efficient and promote online commerce. [White House at 5 2011]
- Improved Trust in Transactions in order to promote online transactions [White House at 5 2011]
- See Kevin Werbach testimony that in order for cloud computing to succeed, users of the cloud services must trust the services
- Consider 2016 "trust" in the presidential election (plethora of accusations that the election process was compromised or rigged)
- Decreased costs associated with fraud and theft of service [White House at 5 2011]
- Purposes
- Fraud Detection / Prevention [Hogg] [White House at 5 2011]
- Fighting Counterfeiting
- Authentication of individual to transaction [White House at 5, 8 2011]
- Fighting Identity Theft
- Government services
- Ecommerce
- Both of consumer and of vendor
- Financial / Banking
- Federal Financial Institutions Examination Council (2008). "Authentication in an Internet Banking Environment"
- EO - Improving the Security of Consumer Financial Transactions, The White House (Oct. 17, 2014) ("To help ensure that sensitive data are shared only with the appropriate person or people, within 90 days of the date of this order, the National Security Council staff, the Office of Science and Technology Policy, and OMB shall present to the President a plan, consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace, to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.")
- Basu, A., and Steve Muylle. 2003. "Authentication in E-commerce." Communications of the ACM 46 (12): 159–166.
- European Central Bank. "Recommendations for the Security of Internet Payments" (PDF). European Central Bank. Retrieved 9 August 2016.
- eSignatures
- Meng Weng Wong and Jim Lyon, "Sender ID: Authenticating E-Mail," RFC 4406, April 2006.
- Wayne Schlitt and Meng Weng Wong, "Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1," RFC 4408, April 2006.
- Miles Libbey, Michael Thomas, and Mark Delany, "DomainKeys Identified Mail (DKIM) Signatures," RFC 4871, May 2007.
- DNS
- Forward-confirmed reverse DNS (FCrDNS)
- D. Senie, A. Sullivan, Considerations for the use of DNS Reverse Mapping, IETF Internet Draft (Sept. 12, 2008)
- Access control
- Example: access to an online library; access to copyright content licensed on a regional basis
- Age Verification [Poller 4]
- Security (restricting access to authorized individuals; monitoring and track access) [White House at 6 2011]
- Example: Keycard access to property
- Vincent Hu, David Ferraiolo, Rick Kuhn, Adam Schnitzer, Kenneth Sandlin, Robert Miller, Karen Scarfone, Guide to Attribute Based Access Control (ABAC) Definitions and Considerations, NIST Special Publication 800-162 (Jan. 2014)
- Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Plan v1.0, Federal Chief Information Officers Council November 2009 [FEDCIO1]
- Control On-Net Activity (firewalls that authorize network users' activity)
- Windows Active Directory,
- Remote Authentication Dial-In User Service (RADIUS),
- Lightweight Directory Access Protocol
- Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6: Chapter: Configuring the Identity Firewall Cisco ("The Identity Firewall in the ASA provides more granular access control based on users' identities. You can configure access rules and security policies based on user names and user groups name rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped user names instead of network IP addresses.")
- Methods
- Ecosystem [White House at 21 2011]
- Individual to be authenticated / Applicant / Subscriber / Claimant
- Identity: "A set of attributes that uniquely describe a person within a given context." Draft NIST 800-63-3
- Human or non-human (authentication that you are interacting with a service or company that you think you are)
- Attributes of the individual
- Address of record
- Trustmark - signification or certificate that the individual is who it says it is
- Identity Proofing (establishing identity with an authentication provider).
- Authentication Provider - party providing the means of authentication
- Identity proofing and registration of the individual
- Assurance of authentication (varying levels of assurance in different contexts in response to different risks) [NIST 800-63-2, p. vi]
- Level 1: No identity proofing requirement
- Level 2: Single factor remote network authentication
- Level 3: Multi factor remote network authentication
- Level 4: Highest level remote network authentication - "based on proof of possession of a key through a cryptographic protocol."
- Data integrity and security
- Risk assessment
- "Map identified risks to appropriate assurance levels" [NIST 800-63-2, p. v]
- Select appropriate technology that reflects needed level of assurance. [NIST 800-63-2, p. v]
- Credentials used for authentication
- Credential Service Provider
- Issues Token to Applicant
- Medium of authentication
- Method of authentication / Authentication Protocol
- NIST SP 800-63B Authentication and Lifecycle Management ("Digital authentication is the process of establishing confidence in user identities digitally presented to an information system. The robustness of this confidence is described by a categorization known as the AAL. NIST SP 800-63B addresses how an individual can securely authenticate to a Credential Service Provider (CSP) to access a (or set of) digital service.")
- Federated Identity Management: "users are enabled to “federate” their identity through common, shared authentication processes and access multiple online organizations and services." [Draft NISTIR 8149]
- NIST SP 800-63C Federation and Assertions ("NIST SP 800-63C provides guidelines on the use of federated identity architectures and assertions to convey the results of authentication processes to an agency application. In addition, this guideline offers privacy enhancing techniques to share information about a valid, authenticated user, as well as describing methods that allow for strong multifactor authentication while the individual remains pseudonymous to the digital service.")
- Relying Party - "An entity that relies upon the subscriber’s authenticator(s) and credentials or a verifier’s assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system." Draft NIST 800-63-3, Sec. 3.
- Identity Ecosystem Framework (IDEF) Core Documents, IDESG
- Process
- "Applicant applies to Registration Authority to become a Subscriber of a Credential Service Provider." [NIST 800-63-2, p. 16]
- Credential Service Provider engages in Identity Proofing. [NIST 800-63-2, p. 16]
- Credential Service Provider issues credentials to Subscriber which binds a token to an identifier [NIST 800-63-2, p. 16]
- Claimant demonstrates possession of token to Verifier through an Authentication Protocol; Verifier verifies that Claimant is the subscriber corresponding to the credential. [NIST 800-63-2, p. 17]
- "Verifier passes assertion about the identity of the Subscriber to the Relying Party." [NIST 800-63-2, p. 17]
- Relying Party relies on assertion in order to determine authorization and access.
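The process above, and the age-verification example under Privacy, worked through as an added example (not from NIST or from this page): the Credential Service Provider binds an HMAC token to an identifier, the Claimant proves possession through a challenge-response protocol, and the Verifier hands the Relying Party a signed assertion that answers only "over 18?" without ever disclosing the date of birth on record. All role names, message fields and the shared signing key between Verifier and Relying Party are this example's own assumptions.

```python
import hashlib
import hmac
import json
import os
from datetime import date

# Constructed: a fixed "today" so the age predicate is reproducible offline.
TODAY = date(2016, 8, 9)


class CredentialServiceProvider:
    """Holds proofed subscriber records and the token bound to each identifier."""

    def __init__(self):
        self._subscribers = {}  # identifier -> {"token": bytes, "dob": date}

    def register(self, identifier, dob):
        """Identity proofing is assumed done; bind a fresh token to the identifier."""
        token = os.urandom(32)
        self._subscribers[identifier] = {"token": token, "dob": dob}
        return token  # the credential delivered to the new Subscriber

    def token_for(self, identifier):
        rec = self._subscribers.get(identifier)
        return rec["token"] if rec else None

    def is_over(self, identifier, years):
        """Answers only the predicate; the date of birth itself never leaves the CSP."""
        dob = self._subscribers[identifier]["dob"]
        return dob <= date(TODAY.year - years, TODAY.month, TODAY.day)


class Verifier:
    """Runs the challenge-response protocol and signs assertions for Relying Parties."""

    def __init__(self, csp, signing_key):
        self.csp, self.signing_key = csp, signing_key

    def verify(self, identifier, challenge, response):
        token = self.csp.token_for(identifier)
        if token is None:
            return False
        expected = hmac.new(token, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def assertion(self, identifier, relying_party, min_age):
        """Minimal-disclosure assertion: a yes/no answer, not the date of birth."""
        body = {"sub": identifier, "aud": relying_party, "over_age": min_age,
                "result": self.csp.is_over(identifier, min_age)}
        payload = json.dumps(body, sort_keys=True).encode()
        return payload, hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()


def claimant_response(token, challenge):
    """The Claimant proves possession of the token without revealing it."""
    return hmac.new(token, challenge, hashlib.sha256).digest()


def relying_party_accepts(payload, sig, verifier_key, my_name, min_age):
    """The RP checks signature, audience and predicate; it learns nothing else."""
    expected = hmac.new(verifier_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    body = json.loads(payload)
    return body["aud"] == my_name and body["over_age"] == min_age and body["result"] is True


def run_transaction(identifier, dob_iso, min_age=18, wrong_token=False):
    """Walks the SP 800-63-2 process end to end; returns (authenticated, access_granted)."""
    csp = CredentialServiceProvider()
    key = os.urandom(32)  # assumed: Verifier and Relying Party share this signing key
    verifier = Verifier(csp, key)
    token = csp.register(identifier, date.fromisoformat(dob_iso))
    held = os.urandom(32) if wrong_token else token  # wrong_token simulates an impostor
    challenge = os.urandom(16)
    if not verifier.verify(identifier, challenge, claimant_response(held, challenge)):
        return False, False
    payload, sig = verifier.assertion(identifier, "wine-shop", min_age)
    assert b"dob" not in payload  # the Relying Party never sees the date of birth
    return True, relying_party_accepts(payload, sig, key, "wine-shop", min_age)
```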
- Factors
- Types of Factors [Liou] [NIST 800-63-2, p. 20]
- Something user knows
- Something user has (token, smartcard)
- Something about the user (biometrics)
- Number of Factors
- Single Factor Authentication [Liou]
- Authentication using only one type of factor, generally User Name and Password
- Multi Factor Authentication [Liou]
- Combination of factors of different types
- Commonly, user name and password, plus code from a token
- National Cybersecurity Center of Excellence (NCCoE) Multifactor Authentication for e-Commerce Project for the Retail Sector, NIST (requesting collaborators) 12/19/16
- What User Knows
- Password
- Changing Passwords
- Karen Scarfone, Murugiah Souppaya, Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, p. ES-2 NIST (Apr. 21, 2009) ("Many organizations implement password expiration mechanisms to reduce the potential impact of unauthorized use of a password. This is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts. Organizations should consider several factors when determining password expiration requirements, including the availability of secure storage for user passwords, the level of threats against the passwords, the frequency of authentication (daily versus annually), the strength of password storage, and the effectiveness or ineffectiveness of password expiration against cracking. Organizations should consider having different policies for password expiration for different types of systems, operating systems, and applications, to reflect their varying security needs and usability requirements. ")
- Lorrie Cranor, FTC CTO, Time to Rethink Mandatory Password Changes, FTC (March 2, 2016) ("I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.")
- Dan Goodin, Frequent Password Changes Are The Enemy of Security, FTC Technologist Says, Ars Technica Aug. 2, 2016 ("Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it.")
- Yinquian Zhang, Fabian Monrose, Michael Reiter, The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, ACM 2010 ("This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker’s continued access. We develop a framework by which an attacker can search for a user’s new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration")
- Sonia Chiasson, Paul C. van Oorschot, Quantifying the Security Advantage of Password Expiration Policies (2015) ("Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and questionable in light of overall costs.")
- Security Myths and Passwords, CERIAS Blog, Purdue University (Apr. 19, 2006) ("forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat—unless the password is immediately changed after each use. ")
- Anne Adams, Martina Angela Sasse, Users are not the Enemy (n.d.) ("A closer analysis, however, revealed that such behavior is often caused by the way in which security mechanisms are implemented, and users' lack of knowledge. We argue that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach.")
- Passwords Across Accounts
- [Draft NISTIR 8149 at 1 ("While widely-known best practices state that usernames and passwords should not be shared between services, maintaining an ever growing list of logins creates friction for individuals and employees from virtually all walks of life. ")]
- TeleSign Consumer Account Security Report 4 (June 2015) ("consumers continually put themselves at heightened risk when they use the same password across several accounts. If one password gets hacked, then all the other accounts are in peril. Between password reuse and not taking advantage of available additional security, such as two-factor authentication (2FA), users continue to ignore security advice in favor of convenience, thus leaving the entirety of the online world more open to the whims of hackers.")
- Password Management
- New NIST Guidelines for Organization-wide Password Management, NIST News April 21, 2009 ("When an employee has so many complex passwords to remember that he keeps them on a sticky note attached to his computer screen, that could be a sign that your organization needs a wiser policy for passwords, one that balances risk and complexity, explains computer scientist Karen Scarfone. Scarfone is co-author of new guidelines for agency-wide password management issued for public comment by the National Institute of Standards and Technology (NIST).")
- draft of SP 800-118 Guide to Enterprise Password Management 2009 RETIRED
- United States Federal Employees' Password Management Behaviors - a Department of Commerce Case Study, 2014
- Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur, Measuring Password Guessability for an Entire University, CyLab CMU Oct. 22, 2013
- Links
- Passwords and Authentication Research, CyLab Usable Privacy and Security Laboratory, CMU
- Password Protection 101, NIPC 11/1/01
- PIN
- Social Security Number
- Drivers License Number
- Passport Number
- Challenge Questions
- CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart")
- "An interactive feature added to web-forms to distinguish use of the form by humans as opposed to automated agents. Typically, it requires entering text corresponding to a distorted image or from a sound stream." [NIST 800-63-2, p. 8]
- What User Has / Authenticators
- Text Messages
- NIST Declares the Age of SMS-Based 2-Factor Authentication Over, Techcrunch July 28, 2016
- Andy Greenberg, So Hey You Should Stop Using Texts for Two Factor Authentication, Wired 6.26.16 ("The last few months have demonstrated that SMS text messages are often the weakest link in two-step logins: Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe. ")
- Brian Barrett, How Even the FTC's Lead Technologist Can Get Hacked, Wired 6.9.16 ("“The thief would have needed to know my name, my mobile phone number, and make a fake ID,” Cranor says. “It’s possible that the store could have asked for the last four digits of my SSN, but even that is not that hard for an identity thief to come by.”")
- Lorrie Cranor, Your Mobile Phone Account Could Be Hijacked by an Identity Thief, FTC 6.7.16
- Authenticator
- Eric Ravenscraft, Google Prompt Lets You Use Two-Factor Authentication Without Those Pesky Codes, LifeHacker 6.22.16
- Objects
- Changing
- Token [Liou 9]
- Code generator
- Hardware Tokens
- Virtual Tokens
- Software Tokens
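The "code from a token" factor listed under Multi Factor Authentication and the code generator / software token entries above, as an added example (not code from this page or from any vendor): an RFC 6238 time-based one-time password generator built on RFC 4226 HOTP, plus the server-side check a Verifier needs, accepting one step of clock drift on either side and refusing a code that has already been accepted. The shared secret is the 20-byte key from the RFC test vectors, so the expected codes can be checked against the RFCs; the verifier's window and replay rule are this example's own design choices.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: in deployment the CSP provisions this into the token.
SHARED_SECRET = b"12345678901234567890"  # the 20-byte key from the RFC 4226/6238 vectors
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP where the counter is the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check with a +/-window step tolerance and replay rejection."""

    def __init__(self, secret, window=1):
        self.secret, self.window = secret, window
        self.last_accepted_step = -1  # never accept a step at or below this again

    def verify(self, code, at):
        step = int(at) // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_accepted_step:
                continue  # a code for this step was already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False
```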
- Static
- Paper Credentials: Government Issued documents (drivers licenses, social security cards, birth certificates, passports)
- Magnetic Cards
- Smart Cards [Liou 8]
- Andreas Poller, Ulrich Waldmann, Sven Vowe, Sven Turpe, Electronic Identity Cards for User Authentication - Promise and Practice, IEEE 2011 ("Proponents of eID envision a world where the identity card replaces username and password, supports business processes online and offline, and allows services to be provided online that up to now require presence of the citizen or paperwork. They hope that some day we will use one single eID scheme to shop online, open bank accounts, check into hotels, rent cars, and file our tax declarations.")
- Risk: If Key for Smart Cards is compromised, all of the Smart Cards are compromised [Poller 10]
- Smart Cards require adoption both by the service providers and by the end users, resulting in a chicken-and-egg adoption problem. [Poller 12]
- RFID tags
- Car keys with RFID tags in them
- EZPasses for Highway travel
- Passports with RFID tags
- Mobile Phone
- X. Fang and J. Zhan, "Online Banking Authentication Using Mobile Phones," 2010 5th International Conference on Future Information Technology, Busan, 2010, pp. 1-5 ("In this paper, we introduce a new authentication protocol for online banking. Our approach enhances performance and robustness against various attacks by using mobile phones to store digital certificate for clients")
- Risks
- Loss of object
- Theft, spoofing, or cloning of object
- Encryption
- Cryptographic signatures
- Digital Signature to a certificate, email, document
- Certificates
- DNSSEC
- IPSEC
- U-Prove, Microsoft
- Identity Mixer, IBM ("Identity Mixer (idemix) is an anonymous credential system developed at IBM Research - Zurich that enables strong authentication and privacy at the same time.")
- What User Is
- Biometrics [Liou 9 ("Reproduction of the biometric information stored on the biometric readers may also be a security breach of this technique, placing confidential information at risk of being stolen.")]
- NIST DRAFT 800-63-3, Sec. 2 ("Biometric authentication uses human characteristics that, in some cases, may be available to an attacker. Accordingly, the use of biometrics for authentication is limited to activation of a specific physical authenticator to which it is strongly bound, and the number of consecutive activation failures is limited, beyond which another activation factor or authenticator is required. This document suite also supports the use of biometrics to prevent repudiation of registration, and to verify that the same individual participates in all phases of the registration process.")
- NIST 800-63-2, p. 4: "Biometric characteristics do not constitute secrets suitable for use in the conventional remote authentication protocols addressed in this document either. In the local authentication case, where the Claimant is observed by an attendant and uses a capture device controlled by the Verifier, authentication does not require that biometrics be kept secret. This document supports the use of biometrics to “unlock” conventional authentication tokens, to prevent repudiation of registration, and to verify that the same individual participates in all phases of the registration process."
- NIST 800-63-2, p. 22: "As noted above, biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for e-authentication, but they do have their place in this specification. Biometric characteristics are unique personal attributes that can be used to verify the identity of a person who is physically present at the point of verification. They include facial features, fingerprints, DNA, iris and retina scans, voiceprints and many other characteristics. This publication recommends that biometrics be used in the registration process for higher levels of assurance to later help prevent a Subscriber who is registered from repudiating the registration, to help identify those who commit registration fraud, and to unlock tokens. "
- Other information that can be used to verify or reject (not considered authentication factors) [NIST 800-63-2, p. 20]
- Geolocation
- Device Identification
- IP Address
- MAC Address
- Cookies
- Evaluation and comparison of methods / factors
- DRAFT Strength of Function for Authenticators - Biometrics (SOFA-B) NIST Oct. 18, 2016 ("There is no established standardized method for comparing and combining authentication mechanisms, in part due to the wide array of available technologies. The establishment of a common framework for measuring, comparing, and combining (such as in multi-factor implementations) authenticator strength could enable greater alignment of identity practices with organizational risk and promote greater federation and interoperability across sectors, markets, and enterprises. At a workshop on January 12 and 13, 2016, NIST presented a proposed starting point for this framework with a focus on biometric technologies. This paper represents a further refinement of this work and outlines a process intended to support the evaluation of biometric authenticators and—ultimately—multiple authentication mechanisms.")
- References
- Government Activity
- The White House, "National Strategy for Trusted Identities in Cyberspace," April 2011 (NSTIC)
- FACT SHEET: Cybersecurity National Action Plan, The White House (Feb. 9, 2016) ("Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world. The National Cyber Security Alliance will partner with leading technology firms like Google, Facebook, DropBox, and Microsoft to make it easier for millions of users to secure their online accounts, and financial services companies such as MasterCard, Visa, PayPal, and Venmo that are making transactions more secure. In addition, the Federal Government will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the Federal Government’s adoption and use of effective identity proofing and strong multi-factor authentication methods and a systematic review of where the Federal Government can reduce reliance on Social Security Numbers as an identifier of citizens.")
- Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, White House (NSPD-54/HSPD23) (May 2009) (“The Federal Government—in collaboration with industry and the civil liberties and privacy communities—should build a cybersecurity-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies The Federal Government must interact with citizens through myriad information, services, and benefit programs and thus has an interest in the protection of the public’s private information as well ”)
- E-Authentication Guidance for Federal Agencies [OMB M-04-04] [READ]
- NIST
- Information Technology Laboratory, Trusted Identities Group
- Paul A. Grassi Michael E. Garcia James L. Fenton, DRAFT NIST Special Publication 800-63-3 Digital Authentication Guideline, Applied Cybersecurity Division, Information Technology Laboratory, NIST (2016) [READ]
- William E. Burr, Donna F. Dodson, Elaine M. Newton, Ray A. Perlner, W. Timothy Polk, Sarbari Gupta, Emad A. Nabbus, Electronic Authentication Guideline, NIST Special Publication 800-63-2 (Aug. 2013)
- David Temoshok, Christine Abruzzi, Developing Trust Frameworks to Support Identity Federations, DRAFT NISTIR 8149, NIST (Sept 2016) [Draft NISTIR 8149 at ]
- “Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance” Federal Chief Information Officers Council and the Federal Enterprise Architecture, Web 2 Jun 2010
- R. Fielding, J. Reschke, Hypertext Transfer Protocol (HTTP/1.1): Authentication, IETF RFC 7235 (June 2014)
- Turner, Dawn M. "Digital Authentication: The Basics". Cryptomathic. Retrieved 9 August 2016.
- Jing-Chiou Liou, Sujith Bhashyam, On Improving Feasibility and Security Measures of Online Authentication, International Journal of Advancements in Computer Technology, Vol. 2, No. 4, Oct. 2010