
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] RE: Various links of interest


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Various links of interest
  • Date: Fri, 1 Mar 2013 19:10:43 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport03.merit.edu; dkim=neutral (message not signed) header.i=none

There was also a question about which Level of Assurance mapped to which FIPS security level. 


My understanding is that all FIPS 140-2 Security Levels use Approved Algorithms, so for the purposes of InCommon Silver IAP V1.2 it does not matter whether the Approved Algorithms you use are Level 1, 2, 3, or 4. Any should suffice. The Security Level is not related to the Assurance Level.


Keep on reading if interested…


Refer to Special Publication SP 800-63-1 Electronic Authentication Guideline

http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf


OMB M-04-04 defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level, and Level 4 is the highest. To avoid confusion, refer to these specifically as ASSURANCE LEVEL(s) 1-4.


Note that in general, BRONZE maps to Assurance Level 1 and SILVER to Assurance Level 2.


FIPS 140-2 says: This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4. Note that later they are referred to more specifically as SECURITY LEVEL(s) 1-4. If interested in the differences, refer to Table 1: Summary of security requirements in FIPS 140-2.


Here’s where assurance levels come in for Active Directory:

You will see by reading the IAP 1.2 Criteria #4.2.3.4 (Silver) Stored Authentication Secrets… there are three choices to select from.  The verbiage is quite similar to what you will see for Assurance Level 2 in SP-800-63-1.  You are also allowed to use Level 3 or 4.  Level 1 also is very similar to the #4.2.3.5 (Bronze) Basic Protection of Authentication Secrets.


At Level 1, the following shall be required: (Compare to BRONZE #4.2.3.5)

Credential storage – Files of shared secrets used by Verifiers at Level 1 authentication shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords; typically they contain a one-way hash or “inversion” of the password. In addition, any method allowed for the protection of long-term shared secrets at Level 2 or above may be used at Level 1.


At Level 2, the following shall be required: (Compare to SILVER #4.2.3.4)

Credential storage – Files of shared secrets used by CSPs at Level 2 shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords or secrets; two alternative methods may be used to protect the shared secret:

1. Passwords may be concatenated to a variable salt (variable across a group of passwords that are stored together) and then hashed with an Approved algorithm so that the computations used to conduct a dictionary or exhaustion attack on a stolen password file are not useful to attack other similar password files. The hashed passwords are then stored in the password file. The variable salt may be composed using a global salt (common to a group of passwords) and the username (unique per password) or some other technique to ensure uniqueness of the salt within the group of passwords.

2. Shared secrets may be encrypted and stored using Approved encryption algorithms and modes, and the needed secret decrypted only when immediately required for authentication. In addition, any method allowed to protect shared secrets at Level 3 or 4 may be used at Level 2.


Jeff
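The Level 2 "option 1" construction quoted in the message above (password concatenated to a variable salt made from a per-file global salt and the username, then hashed with an Approved algorithm), as an added Python example that is not part of this thread. It assumes the Approved hash is SHA-256 applied through PBKDF2-HMAC (the iterated form from SP 800-132, which goes slightly beyond the single hash the text describes), and the global salts, usernames and passwords are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the thread. SP 800-63-1 Level 2 option 1 (compare
# InCommon IAP 1.2 #4.2.3.4): password || variable salt, hashed with an Approved
# algorithm. The variable salt is a global salt (one per password file) plus the
# username, so it is unique within the file and differs between files.
# Assumption: SHA-256 via PBKDF2-HMAC (SP 800-132); ITERATIONS is constructed.
ITERATIONS = 100_000

def variable_salt(global_salt: bytes, username: str) -> bytes:
    # Global salt (common to the file) combined with the username (unique per entry).
    return global_salt + b"|" + username.encode("utf-8")

def hash_secret(password: str, global_salt: bytes, username: str) -> str:
    # Only this digest is stored in the password file; the plaintext never is.
    salt = variable_salt(global_salt, username)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()

def build_password_file(entries: dict, global_salt: bytes) -> dict:
    # One file protected by one global salt: username -> stored hash.
    return {user: hash_secret(pw, global_salt, user) for user, pw in entries.items()}

def verify(password_file: dict, global_salt: bytes, username: str, password: str) -> bool:
    stored = password_file.get(username)
    if stored is None:
        return False
    candidate = hash_secret(password, global_salt, username)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison

def demo() -> dict:
    # Constructed sample data: two files (two verifiers) with different global
    # salts, and one user who reused the same password in both.
    salt_a = b"constructed-global-salt-A"
    salt_b = b"constructed-global-salt-B"
    file_a = build_password_file({"alice": "correct horse", "bob": "correct horse"}, salt_a)
    file_b = build_password_file({"alice": "correct horse"}, salt_b)
    return {
        "alice_ok": verify(file_a, salt_a, "alice", "correct horse"),
        "alice_wrong": verify(file_a, salt_a, "alice", "Correct horse"),
        # Same password, different users: salt is unique within the file.
        "same_pw_differs_in_file": file_a["alice"] != file_a["bob"],
        # Same user and password, different file: work spent cracking file A
        # cannot be reused against file B (the property the text asks for).
        "same_user_differs_across_files": file_a["alice"] != file_b["alice"],
    }
```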


From: [mailto:] On Behalf Of Brian Arkills
Sent: Friday, March 01, 2013 1:01 PM
To:
Subject: [AD-Assurance] Various links of interest


InCommon IAP

http://www.incommon.org/docs/assurance/IAP.pdf


AD Silver cookbook

https://spaces.internet2.edu/display/InCAssurance/InCommon+Silver+with+Active+Directory+Domain+Services+Cookbook


FIPS 140-2

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf


Example of specific Microsoft library that is FIPS approved:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm#1335


Note: All of these have at the end of the "Operational Environment:" the parenthetical "(single-user mode)".


Enabling FIPS approved mode on Windows:

http://support.microsoft.com/kb/811833


-B



