ad-assurance - [AD-Assurance] RE: Various links of interest
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- Subject: [AD-Assurance] RE: Various links of interest
- Date: Fri, 1 Mar 2013 19:10:43 +0000
There was also a question about which Level of Assurance mapped to which FIPS security level.

My understanding is that all FIPS 140-2 Security Levels use Approved Algorithms, so for the purposes of InCommon Silver IAP V1.2 it does not matter whether the Approved Algorithms you use are Level 1, 2, 3, or 4. Any should suffice. The Security level is not related to the Assurance level. Keep on reading if interested…

Refer to Special Publication SP 800-63-1, Electronic Authentication Guideline: http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf

"OMB M-04-04 defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level, and Level 4 is the highest."

To avoid confusion, refer to these specifically as ASSURANCE LEVEL(s) 1-4. Note that in general, BRONZE maps to Assurance Level 1 and SILVER to Assurance Level 2.

FIPS 140-2 says:

"This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4."

Note that later they are referred to more specifically as SECURITY LEVEL(s) 1-4. If interested in the differences, refer to Table 1: Summary of security requirements, in FIPS 140-2.

Here’s where assurance levels come in for Active Directory: you will see by reading the IAP 1.2 Criteria #4.2.3.4 (Silver) Stored Authentication Secrets… there are three choices to select from. The verbiage is quite similar to what you will see for Assurance Level 2 in SP-800-63-1. You are also allowed to use Level 3 or 4. Level 1 also is very similar to the #4.2.3.5 (Bronze) Basic Protection of Authentication Secrets.

At Level 1, the following shall be required (compare to BRONZE #4.2.3.5):

- Credential storage – Files of shared secrets used by Verifiers at Level 1 authentication shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords; typically they contain a one-way hash or “inversion” of the password. In addition, any method allowed for the protection of long-term shared secrets at Level 2 or above may be used at Level 1.

At Level 2, the following shall be required (compare to SILVER #4.2.3.4):

- Credential storage – Files of shared secrets used by CSPs at Level 2 shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords or secrets; two alternative methods may be used to protect the shared secret:
  1. Passwords may be concatenated to a variable salt (variable across a group of passwords that are stored together) and then hashed with an Approved algorithm so that the computations used to conduct a dictionary or exhaustion attack on a stolen password file are not useful to attack other similar password files. The hashed passwords are then stored in the password file. The variable salt may be composed using a global salt (common to a group of passwords) and the username (unique per password) or some other technique to ensure uniqueness of the salt within the group of passwords.
  2. Shared secrets may be encrypted and stored using Approved encryption algorithms and modes, and the needed secret decrypted only when immediately required for authentication.

  In addition, any method allowed to protect shared secrets at Level 3 or 4 may be used at Level 2.

Jeff

From: [mailto:] On Behalf Of Brian Arkills

Incommon IAP: http://www.incommon.org/docs/assurance/IAP.pdf

AD Silver cookbook

FIPS 140-2: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Example of specific Microsoft library that is FIPS approved: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm#1335

Note: All of these have at the end of the "Operational Environment:" the parenthetical "(single-user mode)".

Enabling FIPS approved mode on Windows: http://support.microsoft.com/kb/811833

-B
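Added example, not part of this message or of any AD-Assurance material: a Python sketch of the SP 800-63-1 Level 2 credential-storage option 1 quoted above, with the variable salt built from a per-file global salt plus the username and SHA-256 as the Approved hash. The usernames, passwords and salts are constructed for illustration.

```python
"""SP 800-63-1 Level 2, option 1: password || variable salt, hashed with an
Approved algorithm; only the hash is stored. Constructed example, not from
the list message. variable salt = global salt (per password file) || username."""
import hashlib
import hmac
import os

HASH_ALG = "sha256"  # FIPS 180-4 Approved hash function


def new_global_salt() -> bytes:
    """A fresh global salt for one password file (one group of stored passwords)."""
    return os.urandom(16)


def variable_salt(global_salt: bytes, username: str) -> bytes:
    """Unique within the file: the file's global salt plus the per-user username."""
    return global_salt + username.encode("utf-8")


def hash_password(password: str, global_salt: bytes, username: str) -> str:
    """Concatenate the password to its variable salt and hash; hex digest is stored."""
    data = password.encode("utf-8") + variable_salt(global_salt, username)
    return hashlib.new(HASH_ALG, data).hexdigest()


def build_password_file(global_salt: bytes, credentials: dict) -> dict:
    """Password file holds username -> hash only; plaintext never lands in it."""
    return {u: hash_password(p, global_salt, u) for u, p in credentials.items()}


def verify(password_file: dict, global_salt: bytes, username: str, candidate: str) -> bool:
    """Recompute the hash for the claimant and compare in constant time."""
    stored = password_file.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(candidate, global_salt, username))


def demo() -> dict:
    # Constructed data: two separate password files with their own global salts,
    # both holding users with the same password. Fixed salts keep the demo repeatable.
    salt_a = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    salt_b = bytes.fromhex("00112233445566778899aabbccddeeff")
    file_a = build_password_file(salt_a, {"alice": "Winter2013!", "bob": "Winter2013!"})
    file_b = build_password_file(salt_b, {"alice": "Winter2013!"})
    return {
        # Same password, different users: username in the salt separates the hashes.
        "same_pw_different_users_differ": file_a["alice"] != file_a["bob"],
        # Same user and password, different file: a table built against file A is useless on B.
        "same_user_different_files_differ": file_a["alice"] != file_b["alice"],
        "correct_password_verifies": verify(file_a, salt_a, "alice", "Winter2013!"),
        "wrong_password_rejected": not verify(file_a, salt_a, "alice", "winter2013!"),
        "unknown_user_rejected": not verify(file_a, salt_a, "carol", "Winter2013!"),
    }
```

The concatenate-and-hash construction is the minimum the quoted text describes; an iterated or memory-hard password hash adds a work factor on top of the salt without changing the storage rule.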