In our effort to bring formalism to the IAWG, I may have gone overboard, but below please find the 63B#0120 – FIPS 140 “verifier” criteria update, requested in the last meeting

Jimmy

Jimmy Jung

www.Slandala.com

703 851 6813

PS - in the first paragraph of draft 63B-4, 2.2.2: do replay resistance and authentication intent apply to all AAL2 or just to authenticators procured by federal agencies?

Change summary: 

Clarify the use of the term “Verifiers” in 63B#0120.

Discussion:

63B#0090: Federal agencies SHALL only procure authenticators which have been validated as meeting FIPS 140 Level 1 or higher.

63B#0120: Federal agencies SHALL only operate verifiers which have been validated as meeting FIPS 140 Level 1 or higher.

63B#0120 is taken word for word from 800-63B and requires “verifiers to meet FIPS 140 Level 1 or higher.” It seems likely that this is a companion to 63B#0090, which requires authenticators that meet FIPS 140, indicating that the authenticator and the verifier should BOTH operate at FIPS 140. However, “verifiers” generally refers to an organization, typically the CSP. FIPS 140 identifies security requirements for devices, specifically cryptography; applying it as a criterion to an organization is awkward. In 63B#0090, the NIST language and our guidance ONLY apply this to authenticators “procured” by federal agencies, allowing for “bring-your-own” authenticators that do not meet FIPS 140. Which is to say, the criteria specifically allow authenticators in 63B#0090 that do not meet the criteria of 63B#0120. The following options are suggested for consideration:

  1. Identify 63B#0120 as redundant with 63B#0090
  2. Address this incongruity in the guidance
  3. Tailor 63B#0120 to the “transaction” (i.e., the verification, vs the verifier) and just the authenticators in 63B#0090
  4. OK, option 4 should probably be option 3, but I didn’t look at draft 63-4 until later – steal language from Draft 63-4 (which may still need some tinkering)

It should be noted that this only applies to federal agencies (and we do have agencies with or applying for certification). 

 

Specific Changes:

Columns: OPTION | 63B tag | index (blank for all options) | KI_criterion (text in red in this column are revisions this version) | Note - guidance will be added as KI-IAWG members develop it in response to usage & experience

Option 1 - 63B#0120
KI_criterion: Withdrawn - addressed by 63B#0090
Note: (none)

Option 2 - 63B#0120
KI_criterion: Federal agencies SHALL only operate verifiers which have been validated as meeting FIPS 140 Level 1 or higher.
Note: As described in 63B#0090, this is intended to exempt user-provided (“bring-your-own”) authenticators from having to meet the FIPS 140 requirements, particularly in the government-to-public use case.

Option 3 - 63B#0120
KI_criterion: Federal agencies SHALL verify FIPS 140 Level 1 (or higher) authenticators using equivalent cryptography.
Note: (none)

Option 4 - 63B#0120
KI_criterion: Cryptography used by verifiers operated by or on behalf of federal agencies at AAL2 SHALL be validated to meet the requirements of [FIPS140] Level 1.
Note: As described in 63B#0090, this is intended to exempt user-provided (“bring-your-own”) authenticators from having to meet the FIPS 140 requirements, particularly in the government-to-public use case.


Original references:

KIAF-1440

63B-3

4.2.2 Authenticator and Verifier Requirements

Cryptographic authenticators used at AAL2 SHALL use approved cryptography. Authenticators procured by government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1. Software-based authenticators that operate within the context of an operating system MAY, where applicable, attempt to detect compromise of the platform in which they are running (e.g., by malware) and SHOULD NOT complete the operation when such a compromise is detected. At least one authenticator used at AAL2 SHALL be replay resistant as described in Section 5.2.8. Authentication at AAL2 SHOULD demonstrate authentication intent from at least one authenticator as discussed in Section 5.2.9.

Communication between the claimant and verifier (the primary channel in the case of an out-of-band authenticator) SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to MitM attacks.

Verifiers operated by government agencies at AAL2 SHALL be validated to meet the requirements of FIPS 140 Level 1.

DRAFT 63B-4

2.2.2 Authenticator and Verifier Requirements

Authenticators used at AAL2 SHALL use approved cryptography. Cryptographic authenticators procured by federal agencies SHALL be validated to meet the requirements of [FIPS140] Level 1. At least one authenticator used at AAL2 SHALL be replay-resistant, as described in Sec. 3.2.7. Authentication at AAL2 SHOULD demonstrate authentication intent from at least one authenticator, as discussed in Sec. 3.2.8.

Communication between the claimant and verifier SHALL occur via one or more authenticated protected channels.

Cryptography used by verifiers operated by or on behalf of federal agencies at AAL2 SHALL be validated to meet the requirements of [FIPS140] Level 1.

When a biometric factor is used in authentication at AAL2, the performance requirements stated in Sec. 3.2.3 SHALL be met, and the verifier SHALL determine that the biometric sensor and subsequent processing meet these requirements. Verifiers SHALL offer at least one phishing-resistant authentication option at AAL2, as described in Sec. 3.2.5. Federal agencies SHALL require their staff, contractors, and partners to use phishing-resistant authentication to access federal information systems. In all cases, verifiers SHOULD encourage the use of phishing-resistant authentication at AAL2 whenever practical since phishing is a significant threat vector.