Adapting Levels of Assurance for NSTIC
DESCRIPTION
Presentation from Internet Identity Workshop, May 2011 on ways that Level of Assurance can be adapted to better mesh with the National Strategy for Trusted Identities in Cyberspace (NSTIC). More discussion is at http://blogs.cisco.com/security/adapting-levels-of-assurance-for-the-nstic/
TRANSCRIPT
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Adapting Levels of Assurance for NSTIC
Jim Fenton <[email protected]>
LOA Requirements (M-04-04)
• “E-Authentication Guidance for Federal Agencies”
• Dated December 16, 2003
• Issued by Office of Management and Budget
• Specifies four levels of assurance and when they should be used
M-04-04 Levels of Assurance
• An indicator of risk/value of the transaction
• Drives authentication and identity proofing requirements
Level  Description
1      Little or no confidence in the asserted identity’s validity
2      Some confidence in the asserted identity’s validity
3      High confidence in the asserted identity’s validity
4      Very high confidence in the asserted identity’s validity
Impact of Authentication Errors
• Impacts consider both potential harm and likelihood
• Categories:
  Inconvenience, distress, or damage to standing or reputation
  Financial loss or agency liability
  Harm to agency programs or public interests
  Unauthorized release of sensitive information
  Personal safety
  Civil or criminal violations
• Degree of impact: Low, Moderate, or High within each category
  Severity and duration of effect
Maximum Potential Impacts by Assurance Level
Potential Impact Category                                     1    2    3    4
Inconvenience, distress, or damage to standing or reputation  L    M    M    H
Financial loss or agency liability                            L    M    M    H
Harm to agency programs or public interests                   N/A  L    M    H
Unauthorized release of sensitive information                 N/A  L    M    H
Personal safety                                               N/A  N/A  L    M/H
Civil or criminal violations                                  N/A  L    M    H
(L = Low, M = Moderate, H = High, N/A = not applicable)
NIST SP 800-63
• “Electronic Authentication Guideline”
• Issued April 2006 (v1.0.2) by NIST
• Technical guidelines for how authentication should be done in response to M-04-04
• Currently being revised by NIST
SP 800-63 Requirements
• Observation: A lot of existing authentication is done in plaintext. We are at level 0!
• Question: Is proofing an authentication issue or an attribute issue?

Level  Plaintext transport  Long-term Secrets  Multifactor  Proofing
1      N                    OK                 Optional     None
2      N                    Only to IdP        Optional     In-person or remote
3      N                    N/A                Required     In-person or remote
4      N                    N/A                H/W Token    In-person only
Attribute and “Identity” Providers
• NSTIC distinguishes between “Identity” and Attribute Providers
  Identity Providers authenticate and provide authentication assertions
  Pseudonymity implies that other assertions don’t automatically come with authentication
• Proposal: Fully separate authentication from all other attributes
  IdP provides referrals to attribute services
• Question: Isn’t identity proofing an attribute provider requirement, not an authentication requirement?
• Suggesting separation of proofing from authentication requirements in SP 800-63 revision
How does this work?
• Effective LOA = min(LOA of authentication, accredited LOA of authentication provider, LOA of attribute binding, accredited LOA of attribute provider)
• LOA of attribute binding is determined by (lesser of):
  Attribute provider’s confidence in attribute
  LOA of authentication used at enrollment with provider
• Effective LOA maps to M-04-04 requirements
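As an added example (not from the slides), the two min() rules above in Python, plus a lookup of the level a transaction requires from the M-04-04 maximum-impact table shown earlier; the category key names and the reading of "M/H" as "H" for personal safety at level 4 are my assumptions.

```python
from typing import Mapping

# Ordering of impact magnitudes for comparison; "N/A" means that level permits
# no impact at all in the category.
IMPACT_RANK = {"N/A": 0, "L": 1, "M": 2, "H": 3}

# Maximum potential impact permitted at assurance levels 1..4, per the M-04-04
# table on the slides. "M/H" for personal safety at level 4 is taken as "H"
# (assumption). Category keys are my own shorthand.
MAX_IMPACT = {
    "standing_or_reputation":    ("L",   "M",   "M", "H"),
    "financial_loss_liability":  ("L",   "M",   "M", "H"),
    "agency_programs_public":    ("N/A", "L",   "M", "H"),
    "unauthorized_release":      ("N/A", "L",   "M", "H"),
    "personal_safety":           ("N/A", "N/A", "L", "H"),
    "civil_criminal_violations": ("N/A", "L",   "M", "H"),
}


def attribute_binding_loa(provider_confidence: int, enrollment_auth_loa: int) -> int:
    """LOA of an attribute binding: the lesser of the attribute provider's confidence
    in the attribute and the LOA of the authentication used at enrollment."""
    return min(provider_confidence, enrollment_auth_loa)


def effective_loa(auth_loa: int, auth_provider_accredited_loa: int,
                  binding_loa: int, attr_provider_accredited_loa: int) -> int:
    """Effective LOA is the weakest link across the authentication itself, the
    authentication provider's accreditation, the attribute binding and the
    attribute provider's accreditation."""
    return min(auth_loa, auth_provider_accredited_loa,
               binding_loa, attr_provider_accredited_loa)


def required_loa(impacts: Mapping[str, str]) -> int:
    """Lowest M-04-04 level whose permitted maxima cover every assessed impact.
    Categories not listed are treated as having no impact ("N/A")."""
    unknown = set(impacts) - set(MAX_IMPACT)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for level in range(1, 5):
        if all(IMPACT_RANK[impacts.get(cat, "N/A")] <= IMPACT_RANK[ceiling[level - 1]]
               for cat, ceiling in MAX_IMPACT.items()):
            return level
    raise ValueError("assessed impact exceeds what any assurance level permits")


def transaction_permitted(impacts: Mapping[str, str], eff_loa: int) -> bool:
    """True when the effective LOA reaches the level the transaction's impact requires."""
    return eff_loa >= required_loa(impacts)
```

Note that a single weak element, such as a level 2 enrollment authentication at the attribute provider, pulls the effective LOA down to 2 even when every other component is accredited at 3 or 4.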
Why do we Care?
• Identity Providers are the users’ agents in the identity world
  Require the most trust from the user
  Therefore user choice is important
• Removing the proofing requirement enables many more IdPs
  Can issue LOA 4 hardware token without in-person transaction
• An arms-length relationship between credential and attribute providers is good for privacy
References
• OMB M-04-04, “E-Authentication Guidance for Federal Agencies”:
  http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf
• NIST Special Publication 800-63, “Electronic Authentication Guideline”:
  http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
• My blog series on NSTIC (will be addressing this):
  http://blogs.cisco.com/tag/nstic-series/
Thank you.