January 11, 2015

Thoughts about electronic authentication after NIST 800-63-1 review

   This guideline is devoted to the problem of electronic authentication in federal IT systems. For my current job these recommendations are not mandatory, but I found some tricky details in this standard. I also use it to structure information related to this vital infosec problem.
   The standard consists of six major sections. The first is called "E-Authentication Model"; it gives a detailed description of the authentication process and the architectural model. This model underlies almost all authentication protocols, such as Kerberos, 802.1X and so on. It also describes who participates in the authentication process and what types of tokens and credentials are widely used. The later sections of the standard describe and explain each of these topics in turn.
   The next section is about the registration and issuance processes. After a short introduction there are threats and mitigation strategies. I find these two parts of every section valuable, because I can use them in a security policy or as part of threat modeling. Every section finishes with tables listing the assurance levels and what must be done to meet the requirements of each level.
   The section about tokens is a good place to find out about some unusual authentication schemes with single- and multi-factor tokens. Threats, mitigation strategies and the assurance level tables are at the end of the section.
   In the token and credential management section I found a good enumeration of CSP (Credential Service Provider) responsibilities. The list is written in general terms, but you can apply these responsibilities in every system where token and credential management are present. Can you guess what you will find at the end of the section? Right: threats, mitigation activities and tables...
   The section about the authentication process focuses mainly on defense against man-in-the-middle attacks. Almost all mitigation activities are based on using TLS and strong cryptography. Note that TLS only mitigates this threat if the client actually validates the server certificate against a trusted root and the expected hostname; an unverified TLS channel is exactly what a man-in-the-middle attacker sits on.
   Nowadays SSO is very popular because of convenience and security (provided, of course, that it is properly designed and implemented). Without an assertion process this technology would be useless. The assertion section of the standard is well written: two models are described (direct, where the subscriber carries the assertion from the verifier to the relying party, and indirect, where the subscriber carries only a reference and the relying party fetches the assertion from the verifier), and there are examples of assertion types. You know what you can find at the end of the section...
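   To make the direct assertion model concrete, here is an added example in Python (my own illustration, not code from the blog post or from NIST 800-63-1). The verifier signs an assertion, the subscriber presents it to the relying party (RP), and the RP checks it locally for the assertion threats the guideline lists: manufacture/modification (signature), substitution/redirect to another RP (audience), reuse (nonce and expiry). An HMAC shared between verifier and RP stands in for the digital signature the guideline expects, and the field names (iss, sub, aud, iat, exp, jti), the sample secret and the hostnames are all assumptions.

```python
"""Direct-model assertion issue/verify (added example, not from NIST 800-63-1).

Assumptions: an HMAC-SHA256 secret shared by verifier and RP stands in for a
real signature; payload field names and hostnames are made up for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"verifier-and-rp-shared-secret"  # constructed sample secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(key, subject, audience, lifetime_s, nonce, now=None):
    """Verifier side: build a payload and append an HMAC tag over it."""
    now = time.time() if now is None else now
    payload = {
        "iss": "verifier.example",   # assumed issuer name
        "sub": subject,
        "aud": audience,             # the single RP this assertion is for
        "iat": int(now),
        "exp": int(now) + lifetime_s,
        "jti": nonce,                # unique id, lets the RP detect reuse
    }
    body = _b64(json.dumps(payload, sort_keys=True,
                           separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


class RelyingParty:
    """RP side: verify a presented assertion; returns (subject, status)."""

    def __init__(self, key, audience):
        self.key = key
        self.audience = audience
        self.seen = {}  # jti -> exp, kept until the assertion would expire anyway

    def verify(self, assertion, now=None):
        now = time.time() if now is None else now
        try:
            body, tag = assertion.split(".")
        except ValueError:
            return None, "malformed"
        # 1. Integrity: constant-time compare defeats manufacture/modification.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None, "bad signature"
        payload = json.loads(_unb64(body))
        # 2. Audience: an assertion minted for another RP must not be accepted.
        if payload.get("aud") != self.audience:
            return None, "wrong audience"
        # 3. Lifetime: short expiry bounds the window for reuse.
        if now >= payload["exp"]:
            return None, "expired"
        # 4. Replay: remember nonces of live assertions; drop expired ones.
        self.seen = {j: e for j, e in self.seen.items() if e > now}
        if payload["jti"] in self.seen:
            return None, "replayed"
        self.seen[payload["jti"]] = payload["exp"]
        return payload["sub"], "ok"


if __name__ == "__main__":
    rp = RelyingParty(SHARED_KEY, "rp.example")
    a = issue_assertion(SHARED_KEY, "alice", "rp.example", 300, "n1")
    print(rp.verify(a))   # ('alice', 'ok')
    print(rp.verify(a))   # (None, 'replayed')
```

   In the indirect model the RP would receive only the jti-style reference from the subscriber and call the verifier over TLS to obtain the assertion itself, which removes the subscriber's browser from the integrity path but adds a back-channel that needs its own authentication.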
   In conclusion, from my point of view this guideline lacks technical detail, and maybe next time the authors will give more practical recommendations about mitigation strategies. Nevertheless, this standard is a good source for systematizing your knowledge.
