Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: Definitions for Authentication Secrets

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: Definitions for Authentication Secrets

Chronological Thread 
  • From: Eric Goodman <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: Definitions for Authentication Secrets
  • Date: Fri, 23 Aug 2013 19:55:28 +0000
  • Accept-language: en-US

Thanks for finding these (I never found the one in the IAAF).


The NIST definition is arguably broader than the IAAF’s, the IAAF sounds like it really means “the password” not “a session key”.


I was just getting ready to send my suggested text, but it is written assuming that an encrypted session key or a response message (to am NTLMv2 challenge) would be considered an “Authentication Secret”. The IAAF definition implies to me that it is not, and to me shifts the argument back over to “we’re not sending the authentication secret, we’re sending something encrypted with the authentication secret” although part of me feels like “sending my password encrypted” and “sending data encrypted with my password” are roughly equivalent.


--- Eric




From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Friday, August 23, 2013 10:49 AM
Subject: [AD-Assurance] Definitions for Authentication Secrets


Following up from today’s call on the discussion surrounding “Authentication Secrets” and whether a hash versus the plaintext password would be considered to be included…


Note the slight variations and differences in the definitions for “Authentication Secret”:


NIST SP800-63

A generic term for any secret value that could be used by an Attacker to impersonate the Subscriber in an authentication protocol.

These are further divided into short-term authentication secrets, which are only useful to an Attacker for a limited period of time, and long-term authentication secrets, which allow an Attacker to impersonate the Subscriber until they are manually reset. The token secret is the canonical example of a long term authentication secret, while the token authenticator, if it is different from the token secret, is usually a short term authentication secret.


IAAF v1.2

The term Authentication Secret is used generically for passwords, passphrases, PINs,

symmetric keys and other forms of secrets used for authentication. An Authentication

Secret may also be generated by a Token, which is a physical device (or specialized

software on a device such as a mobile phone) used in authentication. Authentication

Secrets are vulnerable to guessing attacks, so resistance to guessing is an important IAP

requirement. Requirements for protection of Secrets in transit and storage also may be



NOTE: Another key point to reference for the Alternative Means statements:


For shared secret Credentials, e.g., userID/password, the IAP might address how the

Authentication Secret must be sufficiently difficult for a person other than the Subject to

determine through trial and error, or other means and must be protected from illicit capture

or replay.


Appendix C:

Authentication Secret

Used generically for passwords, passphrases, PINs, symmetric keys and other forms of secrets used for authentication


Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882


Archive powered by MHonArc 2.6.16.

Top of Page