Meeting the InCommon Assurance profile criteria using Active Directory

[Eric Goodman <>]

Yeah, I recognized the potential confusion but hadn’t come up with a way to clarify. I like the scoping suggestion and will follow it going forward.

 

On David’s point, presuming we don’t get lots of comments we want to discuss, I agree with holding off for a week on meeting.

--- Eric

 

From: [mailto:] On Behalf Of Ann West
Sent: Wednesday, February 26, 2014 8:33 AM
To:
Subject: Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections

 

 

Jeff makes a really good point. It's an unfortunate alignment. +1 to his suggestion for clarity.

 

Ann

 

On 2/26/14 11:09 AM, "Capehart,Jeffrey D" <> wrote:

 

Eric,

Nice work following all the trails and references.  We’re almost there!

 

There may be some places where there is an un-qualified reference and because the cookbook uses the 4.x.y.z numbering hierarchy too, I think it is extremely important to qualify those numbering references as IAP 4.2.3.6 and/or Cookbook 4.2.3 to make sure it is as clear as possible what the reader should go refer to.

 

Jeff

 

From: [] On Behalf Of David Walker
Sent: Wednesday, February 26, 2014 11:00 AM
To:
Cc: DHW
Subject: Re: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections

 

Eric,

I haven't checked all of the specific section number references, but I agree with the general principle of removing any conclusions from the interpretations, leaving that for other sections in the Cookbook.

By the way, Ann says that we expect official feedback from the AAC next week.  Do we want hold this Friday's call, or cancel and talk about the AAC response a week from Friday?

David

On 02/25/2014 06:14 PM, Eric Goodman wrote:

Hi all,

 

[Ann, I leave it to you as moderator to decide if this response should go to the AAC, especially given that it hasn’t been “vetted” by the AD Workgroup yet. Feel free to reject until we’ve discussed amongst ourselves.]

 

After a little back and forth with Tom off-list, it sounds like his comments (presuming no contradiction from the other AAC members!) would be addressed by:

 

·         Removing the reference to 4.2.3.6.3 in section 4.2.3 (interpretation of 4.2.3.6.2)

o   This is because as he states, the secrets in scope for 4.2.3.6.2 are the same as those in 4.2.3.6.3; it’s not a different secret set.

·         This means that the content of section 4.2.4 (interpretation of 4.2.3.6.3), which refers to eavesdropping or replay attacks on non-IdP authentication protocols, is not part of the interpretation.

o   Simliar removal of non-IdP authentication protocols should be made in the interpretations in 4.2.5 and 4.2.5,  

·         Note also that the entire section addressing 4.2.3.6.3 should also be removed, since Tom is clarifying that there is no AD-specific issue here (it’s not a different set of secrets as the previous section, so only the last paragraph – which states what is out of scope – is still relevant).

 

 

This removes all reference to requirements of non-IdP authentication protocols from the interpretation section of the document. Given Tom’s comments, what we have spelled out are actually conclusions and are not part of the interpretation from the AAC, so probably should be removed from the interpretation (especially since we have stated that the interpretation has been reviewed by the AAC!)

 

I think we (the Workgroup) would still want to leave the specific guidance and conclusions around these protocols in the Recommendations and Management Assertions section, as without this guidance the document is no longer a Cookbook, but it could be removed from the interpretations section.

 

 

The typo Tom notes is easy enough to fix. :)

 

--- Eric

 

From: [] On Behalf Of Tom Barton
Sent: Sunday, February 23, 2014 2:14 PM
To:
Cc:
Subject: [AD-Assurance] Re: [aac] Assurance Cookbook: February 2014 Interpretation Sections

 

Hi Eric and everyone,

I am really grateful for all of the work that has gone into the AD Silver Cookbook. This will be a valuable resource to many. Some comments about the near-final draft follow.

Cookbook section 4.2.3.

I agree with the statements that clarify which authentication secrets are in scope for the IAP. The second paragraph goes a bit further by giving a few examples of authentication secrets that might not be in scope, and says of these "These non-IdP Authentication Secrets are addressed elsewhere in the spec, such as in 4.2.3.6.3.". I don't think non-IdP authentication secrets, ie, those not used to authenticate to the IdP, regardless of what other apps they may be used to authenticate to, are specifically addressed anywhere in the IAP, with the possible exception of some authentication scenarios addressed in IAP 4.2.8.2.2. In particular, IAP 4.2.3.6.3 is scoped to the same set of authentication secrets as IAP 4.2.3.6.1 and 4.2.3.6.2.

Is it perhaps better to say nothing at all about authentication secrets that are not in scope for the IAP?

Cookbook section 4.2.5.

There is a typo: ^4.2.5.2^4.2.5.1

IAP 4.2.3.6.3 doesn't specifically address replay of non-IdP authentication/assertion traffic.

Cookbook section 4.2.6.

IAP 4.2.3.6.3 doesn't specifically address eavesdropping of non-IdP authentication/assertion traffic.

On 2/22/2014 12:22 AM, Eric Goodman wrote:

Greetings AAC Members,

 

As most of you are aware, the current AD Assurance Cookbook workgroup (henceforth “the Workgroup”) has been working on an update to the AD Assurance Cookbook (“the Cookbook”) that was originally released in 2012. One of the changes in the Cookbook update is the addition of the Workgroup’s interpretations of key InCommon Silver IAP requirements. These interpretations provide the basis of the Workgroup’s recommendations in later portions of the document.

 

In October 2013, the AAC reviewed the Workgroup’s interpretations, and the two groups met in November to discuss the AAC feedback. In response, the Workgroup made further edits to the structure and interpretations in the Cookbook. In early January we released a new draft of the Cookbook, and based on community comments we have made one more round of edits to the document. At this point we have created what we hope to be our “final” version of the document.

 

Before we release this “final” version of the Cookbook, the Workgroup requests that the AAC review the updated Interpretations section. The relevant text of the Cookbook is attached to this email. (Note that because the interpretations actually appear over two sections of the Cookbook, there is some language that reads oddly out of context, hopefully this isn’t too distracting).

 

On behalf of the Workgroup members, thank you in advance for your consideration, and we look forward to your feedback.

 

--- Eric

--

Eric Goodman | Identity and Access Management Architect

University of California, Office of the President

 

4.1.2. Interpretation of IAP requirement, Section 4.2.3.4 - Stored Authentication Secrets

This requirement applies to IdP Verifier passwords stored in an AD DS password store, whether or not the AD DS store is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually authenticated by the IdP (non-IdP accounts that are "co located" in the AD DS have no such requirements).

We interpret that this section is concerned with two separate controls:1) Logical access controls to prevent users or co-resident applications from accessing the password store directly -- addressed in the second sentence of the requirement textand2) Physical access controls to prevent attacks on the raw data files (passwords) stored on the disk -- addressed by the listing of the three mechansims for encrypting passwords at rest

Therefor this requirement would imply that encryption software that decrypts disk sectors (and not just individual Authentication Secrets) as they are accessed would meet the physical access control requirement to "decrypt the needed Secret when immediately required for authentication" as spelled out in this section, presuming such software uses Approved Algorithms for the encryption process.

4.1.3. Interpretation of IAP requirement, Section 4.2.3.6.1 - Strong Protection of Authentication Secrets (First Sentence)

Note, this IAP requirement addresses both storage and transmission of passwords, so is addressed under both the "Encrypting Passwords" topic and the "Securing Authentication Traffic" sections.

This requirement applies to IdP Verifier passwords stored in an AD DS password store, whether or not the AD DS store is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually authenticated by the IdP (non-IdP accounts that are "co located" in the AD DS have no such requirements). 

For example, if a non-Windows system is used as the IdP Verifier, but the same passwords used by that Verifier are also stored in an AD DS, the AD DS password store is in scope and must be protected per sections 4.2.3.4 and 4.2.8, even though it is not being used as the IdP's Verifier. (Again, this only applies to passwords for accounts that are actually authenticated by the IdP)

…

4.2.2. Interpretation of IAP requirement, Section 4.2.3.6.1 - Strong Protection of Authentication Secrets (Second Sentence)

Note, this IAP requirement addresses both storage and transmission of passwords, so is addressed under both the "Encrypting Passwords" topic and the "Securing Authentication Traffic" sections.

This requirement applies when IdP Verifier passwords are provisioned into an AD DS store, whether or not the AD DS store being provisioned to is the actual IdP Verifier. Note that this requirement only applies to passwords for accounts that are actually authenticated by the IdP (non-IdP accounts that are "co located" in the AD DS have no such requirements).

For example, if a non-AD DS system is used as the IdP Verifier, but the passwords used by that Verifier are also provisioned into an AD DS, that AD DS provisioning process is in scope and therefore must use Protected Channels, even though it is not being used as the IdP's Verifier. (Again, this only applies to passwords for accounts that are actually authenticated by the IdP, or which allow modification of accounts authenticated by the IdP)

4.2.3. Interpretation of IAP Requirement, Section 4.2.3.6.2 - Strong Protection of Authentication Secrets

Authentication Secrets[1] in the context of this requirement is interpreted to mean those secrets (passwords, Kerberos session keys, NTLM challenge responses, etc.) that can be used to directly authenticate to the IdP or to directly modify authentication credentials (e.g., can be submitted directly to a change my password page).

Another way of stating this is that the intent of 4.2.3.6.2 is only to protect against risks that can attack the IdP’s direct authentication to its Verifier; protection of non-IdP Authentication Secrets that incidentally use the same Verifier as the IdP, such as Windows/Kerberos Tickets used to authenticate a user to a domain (a la ctrl-alt-del)[2], are not in scope of 4.2.3.6.2. These non-IdP Authentication Secrets are addressed elsewhere in the spec, such as in 4.2.3.6.3.

[1] The term “Authentication Secret” is assumed here to include the information in an authentication packet; e.g., in addition to actual authentication credentials (username/password), the information negotiating the initial exchange of a session key or the response to an authentication challenge is an “Authentication Secret”.

[2] This assumes that the local Windows/Kerberos tickets cannot be leveraged to authenticate the user to the IdP, such as a standard webpage that prompts for entry of user credentials. If the IdP supports mechanisms that allow the user to generate authentication assertions based directly on the possession of local Windows/Kerberos tickets (e.g., SPNEGO, GSSAPI and certain ADFS configurations), then the Windows/Kerberos tickets used in that interaction WOULD be in scope of this requirement.

4.2.4. Interpretation of IAP Requirement, Section 4.2.3.6.3 - Strong Protection of Authentication Secrets

This section addresses all handling of IdP Verifier authentication secrets, even if those authentication secrets are not used to authenticate anyone to the IdP. Note that authentication secrets that could be replayed to authenticate directly to the IdP are also covered by section 4.2.3.6.2, which has stricter requirements around transport encryption.

That is, assuming an IdP that requires manual entry of a username/password:

• applications (including non-IdP applications) that handle the username/password would be covered by both sections 4.2.3.6.2 and 4.2.3.6.3.
• applications (including non-IdP applications) that handle non-IdP authentication secrets based on IdP passwords (e.g., LM, NTLMv1, NTLMv2 or Kerberos authentication packets for Silver IAQ users) would be covered only by section 4.2.3.6.3

This section requires that policies and procedures are in place to minimize the risk of this traffic being attacked in a way that would subvert the security of IdP authentication events. While traffic covered in this section may use Protected Channels to secure authentication communications, an institution could also use other mechanisms that are generally considered secure, even if they are not Protected Channels. 

For completeness, we note that protection of the password while it is being locally processed within any application is also required, not just protection while in transit to or from said application. However, security of the information while being handled in a transient fashion within a web application is beyond the scope of AD DS configuration, so is not covered here.

4.2.5. Interpretation of IAP Requirement, Section 4.2.5.1 -  Resist Replay Attack

This section refers specifically to traffic between the Subject and the IdP, the IdP's Verifier, and/or a relying party as part of an IdP authentication/assertion event. All other traffic between the Subject and the AD DS is beyond the scope of 4.2.5.2. Replay of non-IdP authentication/assertion traffic is covered by sections 4.2.3.6.2 and 4.2.3.6.3.

4.2.6. Interpretation of IAP Requirement, Section 4.2.5.2 - Resist Eavesdropper Attack

This section refers specifically to traffic between the Subject and the IdP, the IdP's Verifier, and/or a relying party as part of an IdP authentication/assertion event. All other traffic between the Subject and the AD DS is beyond the scope of 4.2.5.2. Eavesdropping on non-IdP authentication/assertion traffic is covered by sections 4.2.3.6.2 and 4.2.3.6.3. 

4.2.7. Interpretation of IAP Requirement, Section 4.2.8.2.1 - Network Security

"Network communications supporting IdMS operations" is interpreted to mean communications between the actual software elements of the IDMS operation or administrative traffic to the IDMS. 

The only AD DS-specific communications protocol that would be in scope of this requirement is intra-domain controller password replication. (Note that provisioning of passwords into AD-DS is covered by 4.2.3.6.1)