ad-assurance - [AD-Assurance] Definitions for Authentication Secrets
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] Definitions for Authentication Secrets
- Date: Fri, 23 Aug 2013 17:49:16 +0000
- Accept-language: en-US
|
Following up from today’s call on the discussion surrounding “Authentication Secrets” and whether a hash versus the plaintext password would be considered to be included… Note the slight variations and differences in the definitions for “Authentication Secret”: NIST SP800-63 A generic term for any secret value that could be used by an Attacker to impersonate the Subscriber in an authentication protocol.
These are further divided into
short-term authentication secrets, which are only useful to an Attacker for a limited period of time, and
long-term authentication secrets, which allow an Attacker to impersonate the Subscriber until they are manually reset. The token secret is the canonical example of a long term authentication secret, while the token authenticator, if it is different from
the token secret, is usually a short term authentication secret. IAAF v1.2 The term
Authentication Secret
is used generically for passwords, passphrases, PINs, symmetric keys and other forms of secrets used for authentication. An Authentication Secret may also be generated by a
Token, which is a physical device (or specialized software on a device such as a mobile phone) used in authentication. Authentication Secrets are vulnerable to guessing attacks, so resistance to guessing is an important IAP requirement. Requirements for protection of Secrets in transit and storage also may be needed. NOTE: Another key point to reference for the Alternative Means statements: 3.1.3 CREDENTIAL TECHNOLOGY For shared secret Credentials, e.g., userID/password, the IAP might address how the Authentication Secret must be
sufficiently difficult for a person other than the Subject to determine through trial and error, or other means and must be protected from illicit capture or replay. Appendix C: Authentication Secret Used generically for passwords, passphrases, PINs, symmetric keys and other forms of secrets used for authentication Jeff Capehart, CISA |
- [AD-Assurance] Definitions for Authentication Secrets, Capehart,Jeffrey D, 08/23/2013
- [AD-Assurance] RE: Definitions for Authentication Secrets, Eric Goodman, 08/23/2013
- [AD-Assurance] RE: Definitions for Authentication Secrets, Capehart,Jeffrey D, 08/23/2013
- [AD-Assurance] RE: Definitions for Authentication Secrets, Ron Thielen, 08/23/2013
- [AD-Assurance] RE: Definitions for Authentication Secrets, Eric Goodman, 08/23/2013
Archive powered by MHonArc 2.6.16.