ad-assurance - [AD-Assurance] Assurance Cookbook: February 2014 Interpretation Sections
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: Eric Goodman <>
- To: "" <>
- Cc: "" <>
- Subject: [AD-Assurance] Assurance Cookbook: February 2014 Interpretation Sections
- Date: Sat, 22 Feb 2014 06:22:17 +0000
- Accept-language: en-US
Greetings AAC Members, As most of you are aware, the current AD Assurance Cookbook workgroup (henceforth “the Workgroup”) has been working on an update to the AD Assurance Cookbook (“the Cookbook”) that was originally released in 2012. One of the changes in the
Cookbook update is the addition of the Workgroup’s interpretations of key InCommon Silver IAP requirements. These interpretations provide the basis of the Workgroup’s recommendations in later portions of the document.
In October 2013, the AAC reviewed the Workgroup’s interpretations, and the two groups met in November to discuss the AAC feedback. In response, the Workgroup made further edits to the structure and interpretations in the Cookbook. In early
January we released a new draft of the Cookbook, and based on community comments we have made one more round of edits to the document. At this point we have created what we hope to be our “final” version of the document. Before we release this “final” version of the Cookbook, the Workgroup requests that the AAC review the updated Interpretations section. The relevant text of the Cookbook is attached to this email. (Note that because the interpretations
actually appear over two sections of the Cookbook, there is some language that reads oddly out of context, hopefully this isn’t too distracting). On behalf of the Workgroup members, thank you in advance for your consideration, and we look forward to your feedback. --- Eric -- Eric Goodman | Identity and Access Management Architect University of California, Office of the President 4.1.2. Interpretation of IAP requirement, Section 4.2.3.4 - Stored Authentication Secrets
This requirement applies to IdP Verifier passwords stored in an AD DS password store, whether or not the AD DS store is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually authenticated by the IdP
(non-IdP accounts that are "co located" in the AD DS have no such requirements). We interpret that this section is concerned with two separate controls:1) Logical access controls to prevent users or co-resident applications from accessing the password store directly -- addressed in the second sentence of the requirement textand2) Physical
access controls to prevent attacks on the raw data files (passwords) stored on the disk -- addressed by the listing of the three mechansims for encrypting passwords at rest Therefor this requirement would imply that encryption software that decrypts disk sectors (and not just individual Authentication Secrets) as they are accessed would meet the physical access control requirement to
"decrypt the needed Secret when immediately required for authentication" as spelled out in this section, presuming such software uses Approved Algorithms for the encryption process. 4.1.3.
Interpretation of IAP requirement, Section 4.2.3.6.1 - Strong Protection of Authentication Secrets (First Sentence)
Note, this IAP requirement addresses both storage and transmission of passwords, so is addressed under both the "Encrypting Passwords" topic and the "Securing Authentication Traffic" sections. This requirement applies to IdP Verifier passwords stored in an AD DS password store, whether or not the AD DS store is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually authenticated by the IdP
(non-IdP accounts that are "co located" in the AD DS have no such requirements). For example, if a non-Windows system is used as the IdP Verifier, but the same passwords used by that Verifier are also stored in an AD DS, the AD DS password store is in scope and must be protected per sections 4.2.3.4 and 4.2.8, even though it is not being
used as the IdP's Verifier. (Again, this only applies to passwords for accounts that are actually authenticated by the IdP) …
4.2.2. Interpretation of IAP requirement, Section 4.2.3.6.1 - Strong Protection of Authentication Secrets (Second Sentence)
Note, this IAP requirement addresses both storage and transmission of passwords, so is addressed under both the "Encrypting Passwords" topic and the "Securing Authentication Traffic" sections. This requirement applies when IdP Verifier passwords are provisioned into an AD DS store, whether or not the AD DS store being provisioned to is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually
authenticated by the IdP (non-IdP accounts that are "co located" in the AD DS have no such requirements). For example, if a non-AD DS system is used as the IdP Verifier, but the passwords used by that Verifier are also provisioned into an AD DS, that AD DS provisioning process is in scope and therefore must use Protected Channels, even though it is not being
used as the IdP's Verifier. (Again, this only applies to passwords for accounts that are actually authenticated by the IdP, or which allow modification of accounts authenticated by the IdP) 4.2.3. Interpretation of IAP Requirement, Section 4.2.3.6.2 - Strong Protection of Authentication Secrets
Authentication Secrets[1] in the context of this requirement is interpreted to mean those secrets (passwords, Kerberos session keys, NTLM challenge responses, etc.) that can be used to directly authenticate to the IdP or to directly
modify authentication credentials (e.g., can be submitted directly to a change my password page). Another way of stating this is that the intent of 4.2.3.6.2 is only to protect against risks that can attack the IdP’s direct authentication to its Verifier; protection of non-IdP Authentication Secrets that incidentally use the same Verifier as the IdP,
such as Windows/Kerberos Tickets used to authenticate a user to a domain (a la ctrl-alt-del)[2], are not in scope of 4.2.3.6.2. These non-IdP Authentication Secrets are addressed elsewhere in the spec, such as in 4.2.3.6.3. [1] The term “Authentication Secret” is assumed here to include the information in an authentication packet; e.g., in addition to actual authentication credentials (username/password), the information negotiating the initial exchange of a session key or
the response to an authentication challenge is an “Authentication Secret”. [2] This assumes that the local Windows/Kerberos tickets cannot be leveraged to authenticate the user to the IdP, such as a standard webpage that prompts for entry of user credentials. If the IdP supports mechanisms that allow the user to generate authentication
assertions based directly on the possession of local Windows/Kerberos tickets (e.g., SPNEGO, GSSAPI and certain ADFS configurations), then the Windows/Kerberos tickets used in that interaction WOULD be in scope of this requirement. 4.2.4. Interpretation of IAP Requirement, Section 4.2.3.6.3 - Strong Protection of Authentication Secrets
This section addresses all handling of IdP Verifier authentication secrets, even if those authentication secrets are not used to authenticate anyone to the IdP. Note that authentication secrets that could be replayed to authenticate directly to the IdP are
also covered by section 4.2.3.6.2, which has stricter requirements around transport encryption. That is, assuming an IdP that requires manual entry of a username/password:
This section requires that policies and procedures are in place to minimize the risk of this traffic being attacked in a way that would subvert the security of IdP authentication events. While traffic covered in this section
may use Protected Channels to secure authentication communications, an institution could also use other mechanisms that are generally considered secure, even if they are not Protected Channels. For completeness, we note that protection of the password while it is being locally processed within any application is also required, not just protection while in transit to or from said application. However, security of the information while being handled
in a transient fashion within a web application is beyond the scope of AD DS configuration, so is not covered here. 4.2.5. Interpretation of IAP Requirement, Section 4.2.5.1 - Resist Replay Attack
This section refers specifically to traffic between the Subject and the IdP, the IdP's Verifier, and/or a relying party as part of an IdP authentication/assertion event. All other traffic between the Subject and the AD DS is beyond the scope
of 4.2.5.2. Replay of non-IdP authentication/assertion traffic is covered by sections 4.2.3.6.2 and 4.2.3.6.3. 4.2.6. Interpretation of IAP Requirement, Section 4.2.5.2 - Resist Eavesdropper Attack
This section refers specifically to traffic between the Subject and the IdP, the IdP's Verifier, and/or a relying party
as part of an IdP authentication/assertion event. All other traffic between the Subject and the AD DS is beyond the scope of 4.2.5.2. Eavesdropping on non-IdP authentication/assertion traffic is covered by sections 4.2.3.6.2 and 4.2.3.6.3. 4.2.7. Interpretation of IAP Requirement, Section 4.2.8.2.1 - Network Security
"Network communications supporting IdMS operations" is interpreted to mean communications between the actual software elements of the IDMS operation or administrative traffic to the IDMS. The only AD DS-specific communications protocol that would be in scope of this requirement is intra-domain controller password replication. (Note that provisioning of passwords into AD-DS is covered by 4.2.3.6.1) |
- [AD-Assurance] Assurance Cookbook: February 2014 Interpretation Sections, Eric Goodman, 02/22/2014
- [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Tom Barton, 02/23/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Eric Goodman, 02/25/2014
- Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, David Walker, 02/26/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Capehart,Jeffrey D, 02/26/2014
- Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Ann West, 02/26/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Eric Goodman, 02/26/2014
- Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Ann West, 02/26/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Eric Goodman, 02/26/2014
- Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Ann West, 02/26/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Capehart,Jeffrey D, 02/26/2014
- Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, David Walker, 02/26/2014
- RE: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Eric Goodman, 02/25/2014
- [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections, Tom Barton, 02/23/2014
Archive powered by MHonArc 2.6.16.