Identity Assertions Draftv5
1 like752 views
The document discusses identity assurance levels and identity assertions. It recommends that the assurance level meet the requirements of the identity assertion use case. Both technical and process aspects are important. Lower assurance levels evolved from business-to-consumer use cases, but higher levels of assurance are needed for government and critical infrastructure applications. Standards like PIV and PIV-I can provide a high level of assurance through multi-factor authentication using smart cards. The document cautions against using weaker credentials like usernames and passwords for privileged access or across systems.
![Identity Assertions
Identity: Establish who you are (for a good reason)
Credential: Bind who you are to some thing
Access:
Assign roles to identity [Authorization] (e.g. for access)
First role is the system administrator
Need to rules for privileged account holders
Qualifications a parallel component required for
authentication, (e.g. NRC, CFATS, SOX, HIPAA…)
Too many roles, also confusion here with certifications,
attributes, privileges across organizations and within
organizations
Identity Assertion: (Management)
Authorization for Authentication
Smart Card Alliance Confidential
Property of the Smart Card Alliance © 2010](https://image.slidesharecdn.com/identityassertionsdraftv5-12725896701311-phpapp01/85/Identity-Assertions-Draftv5-2-320.jpg)
Identity Assertions Draftv5
- 1. Recommendations and observations for ISC Identity Assurance Levels and Assertion Salvatore D’Agostino, IDmachines LLC LaChelle LeVan, Probaris, Inc. Interagency Advisory Board April Fools, 2010 Washington, DC
- 2. Identity Assertions Identity: Establish who you are (for a good reason) Credential: Bind who you are to some thing Access: Assign roles to identity [Authorization] (e.g. for access) First role is the system administrator Need to rules for privileged account holders Qualifications a parallel component required for authentication, (e.g. NRC, CFATS, SOX, HIPAA…) Too many roles, also confusion here with certifications, attributes, privileges across organizations and within organizations Identity Assertion: (Management) Authorization for Authentication Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 3. Trust allows use “These challenges lie in being able to verify the identity of an individual or non-person entity (NPE) in the digital realm and to establish trust in the use of that identity in conducting business.” Page 1, FICAM Roadmap and Implementation Guidance, November 10, 2009 Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 4. Identity Assurance Levels Assurance: 1) the degree of confidence in the vetting process used to establish the identity..., and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. Four (4) assurance levels: Level 1: Little or no confidence Level 2: Some confidence Level 3: High confidence Level 4: Very high confidence Reference: E-Authentication Guidance for Federal Agencies (OMB M04-04), December 16, 2003 Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 5. Still confused about internet “identity” On the Internet, everybody knows you're a dog. By Michael Kinsley Posted Monday, Nov. 27, 2006, at 9:00 PM ET The pre-cursor was 5 July 1993, Peter Steiner, New Yorker cartoon, “On the internet, nobody knows you’re a dog.” So which is it, ? Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 6. Assurance Process and Tokens Assurance Process Strength Tokens Level 1 Self-assertion minimum Username and Password standards Open ID Foundation, Open Identity No liability with Identity Service Exchange, Kantara Initiative, OAuth, Provider CardSpace/InfoCard, and more (e.g. Mozilla, MyOneLogIn) Level 2 On-line instant qualification, Known (trusted?) identifier provider, out-of band follow-up after e.g. Educause/Shiboleth/InCommon transaction Shared secrets (pet’s name) Mutually accepted liability. Level 3 On-line out-of-band verification Cryptographic solution with transaction One time password Limited personal liability some Soft certificate (unbound to token) network liability. Machine identity Level 4 In person proofing, separation Cryptographic solution of roles Hardware token Biometrics PIV, PIV-I Mixed service level liability Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 7. Identity versus identifiers • Assurance levels and type of “identity” are related. • At lower assurance (Levels 1,2) use is via an identifier and not an identity. • Level 4 identity requires roles, responsibilities and technologies (e.g. PKI and biometric binding of identity)- PIV and PIV-I provide standards for this. Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 8. Standards Based Approach PIV and PIV-I sets standards Highest trusted assurance level Interoperable Federal Bridge is as trust anchor and root trust broker Chip is current method of hard token that exist in a number of form factors Two parts Establishing identity Defining credential to bind identity (for Level 4) Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 9. ICAM and Identity Assertions ICAM The segment architecture relates to a system (People, Process and Infrastructure) driven by identity and the need to assert (use) it. Identity Credential Application (Access in ICAM) • Authentication of credential when presented to system » Level 4 accepted at Levels </=4 Management of the application and system requires understanding, designing, building and maintaining the use cases for identity assertions. Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 10. Use, risk and authentication Use requires risk assessment Ability to create (or measure) consistency of use Drives requirement for assurance level Include loss of life, loss of value, loss of reputation, etc. Authentication levels Choice driven by risk assessment Have to drive proper use of the credential for the application (no backsliding) Maps to Assurance Level Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 11. PIV, PIV-I Level 4 Identity Delivers on Authentication, Authorization, Administration, and Audit (4As) High Assurance Version!! Opening doors to a facility Accessing information in an enterprise system Digitally signing documents with legal non-repudiation Transferring money between two organizations…. Federated Trust Trusted transactions or interchange of information Multi-factor strong authentication Something you are (e.g., biometric) Something you have (e.g., token or smart card) Something you know (e.g., PIN or password). Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 12. Application Level 4 Credential Level 1 Transactions •Username and Password log-on •Free-read of FASC-N physical access •Optional proximity antenna physical access Level 4 identity •Use as flash pass using Level 1 methods Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 13. Application Level 4 Credential Level 4 Transactions •Cryptographic log on (Certificate and PIN) •Contact smart card reader for physical access control •Machine read •Certificate •PIN •Fingerprint Level 4 identity using Level 4 •Digitally Signed methods Photograph •Machine sure credential is valid (current, challenge, revocation, trust) Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 14. Recommendations and Comments 1. Assurance level needs to meet assertion use case. 2. Both process and technology 3. Lower assurance levels evolved from B2C world use cases. 1. Allows large numbers of people easier access to web sites 2. Single Sign On (low assurance, not “robot”) 4. Need to be careful of building on top of weak credentials such as username and password and Physical Access Control Systems (PACS). 5. Need to be extremely careful with privileged credential 6. Federal ICAM initiative provides solid framework for use in C2G, B2G, G2G world in addition to the enterprise 1. Cybersecurity and Physical Security 2. Converging initiatives in: 1. Aerospace and Defense 2. Education 3. Finance and Banking 4. Pharmaceuticals and Research 5. Other Critical Infrastructure (CIPP and NIPP) 7. PIV and PIV-I use COTS to provide high assurance for IT applications 1. Strong case to leverage existing credentials and infrastructure 2. PKI PACS exists and can address physical security 8. If you have a Level 4 credential why introduce other methods? 1. Particularly given standards based approach. Smart Card Alliance Confidential Property of the Smart Card Alliance © 2010
- 15. Sal D’Agostino +1 617.201.4809 sal@idmachines.com Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org