NISTIR 8344: Ontology for Authentication
- intro
- Authentication Ontology
- Authentication Mechanisms
- Properties
- Building and Maintaining Authentication
- metrology for authentication
intro
NISTIR 8344: Ontology for Authentication
主要是官话。
Authentication: prove membership or hierarchy (position)
measurement:
- 软/硬件/entity的唯一标识
- 防止标识信息的duplicated、compromised
- 信息的安全传输、保护
- human-machine 认证的可用性
Authentication is the component of the IAA process that provides a degree of assurance that the entity’s assigned identity is verified.
Authentication Ontology
Figure 1是概要图。
Authentication:
- Metrology: Security & Usability
- Trust
- Mgmt: 包含identity management(IM) 与 authorization
- Components
- Method: Confirmation (IAA, human-machine, human-human, machine-machine), Affirmation (OAA, Attribute)
Authentication Mechanisms
Figure 2 是分类图。
Confirmation: verification of an entity to manage permission or access
Attestation: verification of a direct or indirect attribute of the object (not entity) of interest
Class: Confirmation
Authenticate entity
Domain: human-machine
Authentication: initial, multi-modal, continuous
- initial: single response (yes/no), such as passwords, dedicated Authentication devices, biometrics. per session.
- continuous: behavioral biometrics used in a continuously sampling mode.
- multi-modal: combination of initial and/or continuous Authentication.
Family:
- Memorized Secret: password/PIN/picture/sound, something you know. Cognitive passwords, personal information.
- Biometric: fingerprint/facial/iris/voice, something you are. Initial/Continuous, behavioral biometrics.
- Apparatus: time-based PIN/event-based PIN/password in hardware devices/smartcards/RFID-based devices, something you have.
- Multi-Modal: combination two or more human-machine Authentication methods. multi-factor Authentication. Attribute Time/Location.
Domain: machine-machine
machine-machine Authentication is used to:
- communication link security, such as IPSEC, TLS
- trusted deviced network
- automated(cached) human-machine Authentication
- provide other auth data, such as location
- provide trusted services, such as DNS, NTS, location.
machine-machine Authentication:
- crypto based: protocol, pre-shared key, digital signature, ….
- setup by admin, transparent to user
- can be a cached human-machine Authentication
- can link temporally, can be self-checking
Domain: human-human
social engineer
out-of-band
Class: Attestion
Authenticate object
Domain: Attribute
many of the types of mechanisms used for machine-machine Confirmation Authentication may also be used in Attribute Attestation Authentication.
Family:
- Encryption: protect hash (secure storage / mac / digital signature / Merkle signature ), symmetric encryption
- Storage: store separately
- Watermarking: representation embodied by the data rather than on the data itself. watermarking is not necessarily cryptographic, cryptography is often used to prevent manipulation of the watermark.
Properties
IAA: identity management, Authentication, authorization
OAA: object management, Authentication, authorization
IAA
identity management
identity management: the issuance or adoption of a digital identity that is logically tied to a physical entity.
physical entity is based on the receipt of identification credentials from trusted parties, such as a passport, license, organizational registration.
digital identity: an artifact produced to establish a presence on the systems of interest.
Authorization
RBAC: role-based access control
ABAC: attribute-based access control
MAC: mandatory access control, denied all unless allowed
DAC: discretionary access control, permitted all unless denied
Authentication
failed attempt threshold
communication with authorization
prevent others from gaining access
OAA
object management
the communication between OM and authentication should support, as a minimum, request permission, revocation, and acknowledgement of the request.
authentication
when authentication of the object is required, the authentication uses the digital artifact to validate the object to the assurance level determined by the choice of attribute selection and the authentication method used.
authorization
authorization is not considered part of the OA process but may be necessary for the management of an object.
Trust relationships in Confirmation Authentication
Assignment Considerations: credential 的强度,例如individual-based 强于 role-based
Links of Trust
- One-Way Trust Authentication : 单向校验
- Mutual Trust Authentication: 双向校验
Multi-Level Trust Authentication: combination of one-way and mutual trust relationships
Attestation: the object is the same as what was expected
Basic Mechanism Components
Components: Identity Representation (password, finger, signature, …), Sensors (connection between the user and the system), Communications, Storage, Processing
Building and Maintaining Authentication
security, deployability, usability, manageability
security Attributes:
- social engineering: Observation, Failover, Guessing, Strict following of guidelines, Data acquisition, Authenticator acquisition
- Configuration vulnerability: Server evidence repository, communication observance(MITM, replay, keylogger)
- Information leakage: packaging, help desk, reporting, feedback
deployability Attributes:
- Accessibility: Disability Considerations, Restrictions
- Cost: acceptable cost per user, acceptable cost for risk, acceptable implementation costs
- Compatibility: system, organization, authentication can be scaled
Usability Attributes:
- Effectiveness
- Efficiency
- Satisfaction
Manageability Attributes:
- Annual Costs: Admin, token, IT, Reader
- Long-Term Availability: Token, Readers or other sensors, Server hardware and software
metrology for authentication
security
minimizing compromise
representation, inimitable(避免仿制), secure delivery, secure storage
usability
effective: do the right things
efficient: doing things right
satisfaction: the willingness of the user to support authentication
