Subject: Meeting the InCommon Assurance profile criteria using Active Directory
[AD-Assurance] RE: AD Assurance: Clarification on Authentication Secrets
- From: "Curry, Warren" <>
- To: "" <>, "" <>
- Subject: [AD-Assurance] RE: AD Assurance: Clarification on Authentication Secrets
- Date: Mon, 26 Aug 2013 18:12:45 +0000
- Accept-language: en-US
Ann, I like your direction and thinking here.
Warren H. Curry
UFIT – Identity Access Management
PO Box 113359, 2008 NE Waldo Rd
Have a great day!!!
Resending to cc the AD-Assurance Working Group.
The issue below will be discussed on the AAC call tomorrow.
From the AD-Assurance Working Group:
The AD Assurance Working Group is finalizing our work on the updated Cookbook and alternative means needed to address gaps with MS AD compliance with the Profiles and with approved algorithms in particular.
Our discussions and action plan rest completely on our understanding and correct interpretation of the Profile language and requirements. Your help is needed to resolve an intent question, which, if we are correct, would simplify our recommendations to the Community:
Proposal for Interpretation of 126.96.36.199.2
The AD Assurance WG interprets Authentication Secrets in this context as those that can only be used to directly authenticate to the IDP, to modify authentication credentials (i.e., can be submitted directly to a change my password page) or to practically determine a user’s password.
Another way of stating this is that the intent of 188.8.131.52.2 is only to protect against risks that can attack the IDP’s direct authentication to its Verifier; protection of non-IDP Authentication Secrets (session keys, challenges, etc.) that incidentally use the same Verifier as the IDP are not in scope of 184.108.40.206.2. They are addressed elsewhere in the spec, such as in 4.2.5 Authentication Process.
Do you concur with our interpretation?
 The term “Authentication Secret” is assumed here to include the information in an authentication packet; e.g., the initial exchange of a session key or the response to an authentication challenge is an “Authentication Secret”.
 The use of the language “practically” here is echoing the language of 220.127.116.11 Resist Eavesdropper Attack, which requires that eavesdropping make it “impractical” to obtain the original secret through eavesdropping. It is NOT intended to reference the definition of “nearly impossible” as defined in NIST 800-63-1, page 17, footnote 26 (where “impractical” is given a numeric measure of requiring at least on the order of 2^80 cryptographic operations to break).
InCommon Assurance and Community
Internet2 based at Michigan Tech
- [AD-Assurance] Re: AD Assurance: Clarification on Authentication Secrets, Ann West, 08/26/2013
- [AD-Assurance] RE: AD Assurance: Clarification on Authentication Secrets, Curry, Warren, 08/26/2013
Archive powered by MHonArc 2.6.16.