Author of Record Digital Identity Management Sub-Workgroup
October 24, 2012

Meeting Etiquette
• Please announce your name each time prior to making comments or suggestions during the call
• Remember: if you are not speaking, keep your phone on mute
• Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call
  – Hold = Elevator Music = very frustrated speakers and participants
• This meeting, like all of our meetings, is being recorded
  – Another reason to keep your phone on mute when not speaking!
• Feel free to use the “Chat” or “Q&A” feature for questions or comments
NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting

Agenda
Topic                                 Presenter
Authentication Credential Overview    Debbie Bucci
Overview of the DEA Interim Rule      Debbie Bucci

Authentication Credentials LOA3/LOA4
Oct 24, 2012

Authentication
• Authentication is the process of establishing confidence that an individual who uses a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued
  – Three types of authenticators:
    • Something you know (e.g., password)
    • Something you have (e.g., smartcard, hard token, mobile phone)
    • Something you are (e.g., fingerprint)
  – Multi-factor authentication requires more than one type
  – Authentication is performed when a user logs into a system and may be required again within a given session
  – Credential – binds the identity to the token

800-63-1 Matrix
Assurance level reached by combining the token in each row with the token in each column. Cells marked X repeat a combination already given above the diagonal (the matrix is symmetric).

Token (row) \ Token (column)      MemSec  PreReg  LookUp  OOB     SF OTP  SF Cry  MF SwC  MF OTP  MF Cry
Memorized Secret Token            L2      L2      L3      L3      L3      L3      L3      L4      L4
Pre-registered Knowledge Token    X       L2      L3      L3      L3      L3      L3      L4      L4
Look-up Secret Token              X       X       L2      L2      L2      L2      L3      L4      L4
Out of Band Token                 X       X       X       L2      L2      L2      L3      L4      L4
SF OTP Device                     X       X       X       X       L2      L2      L3      L4      L4
SF Cryptographic Device           X       X       X       X       X       L2      L3      L4      L4
MF Software Cryptographic Token   X       X       X       X       X       X       L3      L4      L4
MF OTP Device                     X       X       X       X       X       X       X       L4      L4
MF Cryptographic Device           X       X       X       X       X       X       X       X       L4

Column key: MemSec = Memorized Secret; PreReg = Pre-registered Knowledge; LookUp = Look-up Secret; OOB = Out of Band; SF OTP = Single-Factor OTP; SF Cry = Single-Factor Cryptographic; MF SwC = Multi-Factor Software Cryptographic; MF OTP = Multi-Factor OTP; MF Cry = Multi-Factor Cryptographic. L2/L3/L4 = Level 2/3/4.

Memorized Secret Tokens
• Shared secret between user and credential provider
• Something you know
• Examples
  – Active Directory passwords
  – WiFi passphrases
  – PIN

Pre-Registered Knowledge Tokens
• Challenge/response
• Pre-registered responses or images
• Set of shared secrets
• Something you know
• Examples
  – “I forgot my password” setup
  – Transaction information – “what was the amount of your last payment to your phone company?”

Look-up Secret Tokens
• Electronic or physical set of shared secrets, often printed on paper or plastic – the user is asked to provide a subset of the characters printed on the card
• Something you have
• Examples
  – Entrust Grid Cards
  – DualShield GridID

Out of Band Tokens
• Physical token that can receive a secret for one-time use
• Something you have
• Examples
  – SMS message on a registered cell phone

Single Factor One-Time Password (OTP) Device
• Hardware device
• Something you have
• Examples
  – RSA key fob token
  – Credit card password generator

Single Factor Cryptographic Device
• Hardware device that performs a crypto operation on input provided to the device
• Does not require a second factor
• Generally a signed message
• Something you have
• Examples
  – PKI certificate

Multi-Factor Cryptographic Device
• Key is stored on a disk or soft media and requires activation
• Does not require a second factor
• Generally a signed message
• Something you have and something you know
• Examples
  – PKI certificate + PIN

Multi-Factor OTP
• OTP hardware device that requires activation via PIN or biometric
• Something you have and something you know, or something you are
• Examples
  – Verizon or Symantec OTP offering
  – DAON IdentityX

Multi-Factor Cryptographic Device
• Hardware device that contains a protected key that requires activation through a second factor
• Possession of the device and control of the key
• Something you have and something you know, or something you are
• Examples
  – PIV
  – PIV-I
  – ATM cards

DEA Interim Rule
• Requires the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
  1. Something only the practitioner knows, such as a password or response to a challenge question.
  2. Something the practitioner is, biometric data such as a fingerprint or iris scan.
  3. Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

DEA Interim Rule
• Biometrics
  – Consulted extensively with NIST for recommendation
  – DEA did not specify the type, so as to allow for the greatest flexibility and adaptation to new technologies in the future
• Hard token must meet FIPS 140-2
  – New hard token, or provide a credential for an existing token
  – Must be separate from the machine used to access the application
  – Delivered through two channels (mail, telephone, email)
• Would consider an alternative that does not diminish the safety and security of the system
• Not to be confused with the certificates needed to dispense controlled substances, although that DEA number/certificate information needs to be associated with the signing
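The following Python is an added worked example, not code from the slides or from the S&I Framework workgroup. It encodes the 800-63-1 matrix from the slides as a lookup and applies the DEA interim rule's two-of-three-factor test to a set of tokens, so that the two checks (assurance level of a token pair versus distinct factor coverage) can be compared side by side. Token names, levels and the know/have/are assignments come from the slides; the function names (`max_assurance_level`, `factor_types`, `meets_dea_two_factor`) and the `activation` parameter are this example's own assumptions.

```python
"""Assurance-level lookup for pairs of NIST SP 800-63-1 token types, plus the
DEA interim rule's "two of the three factors" check.

Example code: token names, levels and factor assignments follow the slides;
the function names and the `activation` parameter are assumptions here.
"""
from typing import FrozenSet, Iterable

# Token types in the order used by the 800-63-1 matrix on the slides.
TOKENS = (
    "Memorized Secret Token",
    "Pre-registered Knowledge Token",
    "Look-up Secret Token",
    "Out of Band Token",
    "SF OTP Device",
    "SF Cryptographic Device",
    "MF Software Cryptographic Token",
    "MF OTP Device",
    "MF Cryptographic Device",
)

# Upper triangle of the matrix: row i lists the level reached by pairing
# TOKENS[i] with TOKENS[i], TOKENS[i+1], ..., TOKENS[8].  The cells marked X
# on the slide are the mirror image of these, so they are not stored.
_UPPER = (
    (2, 2, 3, 3, 3, 3, 3, 4, 4),
    (2, 3, 3, 3, 3, 3, 4, 4),
    (2, 2, 2, 2, 3, 4, 4),
    (2, 2, 2, 3, 4, 4),
    (2, 2, 3, 4, 4),
    (2, 3, 4, 4),
    (3, 4, 4),
    (4, 4),
    (4,),
)

# Authenticator type each single-factor token supplies on its own.
SINGLE_FACTOR = {
    "Memorized Secret Token": {"know"},
    "Pre-registered Knowledge Token": {"know"},
    "Look-up Secret Token": {"have"},
    "Out of Band Token": {"have"},
    "SF OTP Device": {"have"},
    "SF Cryptographic Device": {"have"},
}

# Multi-factor tokens are "something you have" plus an activation factor:
# a PIN ("know") or, where the device supports it, a biometric ("are").
MULTI_FACTOR = {
    "MF Software Cryptographic Token",
    "MF OTP Device",
    "MF Cryptographic Device",
}


def max_assurance_level(token_a: str, token_b: str) -> int:
    """Level reached by using token_a together with token_b (order does not matter)."""
    i, j = sorted((TOKENS.index(token_a), TOKENS.index(token_b)))
    return _UPPER[i][j - i]


def factor_types(tokens: Iterable[str], activation: str = "know") -> FrozenSet[str]:
    """Distinct authenticator types ('know', 'have', 'are') covered by the tokens.

    `activation` is the second factor used to unlock multi-factor tokens
    (assumed parameter): 'know' for a PIN, 'are' for a biometric.
    """
    if activation not in ("know", "are"):
        raise ValueError("activation must be 'know' (PIN) or 'are' (biometric)")
    found = set()
    for token in tokens:
        if token in MULTI_FACTOR:
            found |= {"have", activation}
        else:
            found |= SINGLE_FACTOR[token]  # KeyError on an unknown token name
    return frozenset(found)


def meets_dea_two_factor(tokens: Iterable[str], activation: str = "know") -> bool:
    """DEA interim rule: at least two distinct factors (know / have / are) must be used."""
    return len(factor_types(tokens, activation)) >= 2


if __name__ == "__main__":
    # Constructed sample combinations, not taken from the slides.
    for combo in (
        ("Memorized Secret Token", "Pre-registered Knowledge Token"),
        ("Memorized Secret Token", "Out of Band Token"),
        ("SF OTP Device", "SF Cryptographic Device"),
        ("MF Cryptographic Device", "MF Cryptographic Device"),
    ):
        level = max_assurance_level(*combo)
        dea = meets_dea_two_factor(combo)
        print(f"{combo[0]} + {combo[1]}: Level {level}, DEA two-factor: {dea}")
```

The point of running both checks is that they disagree: a password plus a challenge question reaches Level 2 in the matrix but fails the DEA test, because both are "something you know", while a password plus an SMS out-of-band token passes the DEA test and reaches Level 3. The example tests factor coverage only; the rule's further conditions on the hard token (FIPS 140-2, separation from the access computer, two-channel delivery) are not modeled.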