Skip to Content.
Sympa Menu

ad-assurance - RE: [AD-Assurance] RE: Various links of interest

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

RE: [AD-Assurance] RE: Various links of interest

Chronological Thread 
  • From: Eric Goodman <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] RE: Various links of interest
  • Date: Tue, 5 Mar 2013 20:04:31 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=neutral (message not signed) header.i=none

Thanks for calling out that linkage, David.


Despite Jeff’s clear summary of when he was referring to FIPS 140-2 security levels vs. NIST 800-63 LoA levels, my brain was spinning trying to hook it all together. J (That’s a comment on the linkages in the source documents, not on Jeff’s summary!)


So if you are saying that all we need for InCommon/NIST 800-63 LoAs 1 and 2 are “Approved Algorithms”, and not the full FIPS profile, then that means the relevant link is actually “Annex A” of the FIPS document, correct?


The “Annex A” document itself seems very hard to find… FIPS 140-2 refers to


for the Annex, but I don’t see links to either “Annex A” or “Approved Algorithms” there. I did find the following draft version of Annex A in a more general Google search, last updated in mid 2012:


is that the document we’re looking for?


--- Eric



From: [mailto:] On Behalf Of David Walker
Sent: Monday, March 04, 2013 10:43 AM
Subject: Re: [AD-Assurance] RE: Various links of interest


Hmmm...  I see that the draft I barely started in Friday actually got sent...

Anyway, as I started to say, the issue is how to map 800-63's levels of assurance to FIPS 140-2's levels of security for credential storage.  That can be found in section "7.3 Token and Credential Management Assurance Levels" of 800-63-1:

  • LoA 1:  No FIPS 140-2 requirement.
  • LoA 2:  No FIPS 140-2 requirement, although an Approved algorithm must be used to encrypt the password.
  • LoA 3: FIPS 140-2 Level 2 or higher is required.
  • LoA 4: FIPS 140-2 Level 2 or higher is required.

Not a lot of help for us here.  My quick reading of 140-2, however, tells me that all levels of FIPS 140-2 require an Approved algorithm, so any 140-2 certified password storage method should suffice for LoA-2.

On Fri, 2013-03-01 at 17:03 -0800, David Walker wrote:

Thanks, Jeff.  You've done a lot of my work for me.

The remaining issue is how we map NIST 800-63's levels of assurance to FIPS 140-2's levels of security.

On Fri, 2013-03-01 at 19:10 +0000, Capehart,Jeffrey D wrote:

There was also a question about which Level of Assurance mapped to which FIPS security level. 


My understanding is that all FIPS 140-2 Security Levels use Approved Algorithms so for the purposes of InCommon Silver IAP V1.2 that it does not matter whether the Approved Algorithms you use are Level 1,2,3, or 4.  Any should suffice.  The Security level is not related to the Assurance level.


Keep on reading if interested…


Refer to Special Publication SP 800-63-1Electronic Authentication Guideline


OMB M-04-04 defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level, and Level 4 is the highest.  To avoid confusion, refer to these specifically as  ASSURANCE LEVEL(s) 1-4.


Note that in general, BRONZE maps to Assurance Level 1 and SILVER to Assurance Level 2.


FIPS 140-2 says:This standard specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information (hereafter referred to as sensitive information). The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3, and Level 4.  Note that later they are referred to more specifically as SECURITY LEVEL(s) 1-4.   If interested in the differences, refer toTable 1: Summary of security requirementsin FIPS 140-2.


Here’s where assurance levels come in for Active Directory:

You will see by reading the IAP 1.2 Criteria # (Silver) Stored Authentication Secrets… there are three choices to select from.  The verbiage is quite similar to what you will see for Assurance Level 2 in SP-800-63-1.  You are also allowed to use Level 3 or 4.  Level 1 also is very similar to the # (Bronze) Basic Protection of Authentication Secrets.


At Level 1, the following shall be required:  (Compare to BRONZE #

•                     Credential storage– Files of shared secrets used by Verifiers at Level 1 authentication shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords; typically they contain a one-way hash or “inversion” of the password. In addition, any method allowed for the protection of long-term shared secrets at Level 2 or above may be used at Level 1.


At Level 2, the following shall be required:(Compare to SILVER #

Credential storage – Files of shared secrets used by CSPs at Level 2 shall be protected by access controls that limit access to administrators and only to those applications that require access. Such shared secret files shall not contain the plaintext passwords or secrets; two alternative methods may be used to protect the shared secret:

1.     Passwords may be concatenated to a variable salt (variable across a group of passwords that are stored together) and then hashed with an Approved algorithm so that the computations used to conduct a dictionary or exhaustion attack on a stolen password file are not useful to attack other similar password files. The hashed passwords are then stored in the password file. The variable salt may be composed using a global salt (common to a group of passwords) and the username (unique per password) or some other technique to ensure uniqueness of the salt within the group of passwords.

2.     Shared secrets may be encrypted and stored using Approved encryption algorithms and modes, and the needed secret decrypted only when immediately required for authentication. In addition, any method allowed to protect shared secrets at Level 3 or 4 may be used at Level 2.




From: [] On Behalf Of Brian Arkills
Sent: Friday, March 01, 2013 1:01 PM
Subject: [AD-Assurance] Various links of interest


Incommon IAP


AD Silver cookbook


FIPS 140-2


Example of specific Microsoft library that is FIPS approved:


Note: All of these have at the end of the "Operational Environment:" the parenthetical "(single-user mode)".


Enabling FIPS approved mode on Windows:





Archive powered by MHonArc 2.6.16.

Top of Page