
Adapting Levels of Assurance for NSTIC


DESCRIPTION

Presentation from Internet Identity Workshop, May 2011 on ways that Level of Assurance can be adapted to better mesh with the National Strategy for Trusted Identities in Cyberspace (NSTIC). More discussion is at http://blogs.cisco.com/security/adapting-levels-of-assurance-for-the-nstic/


Page 1: Adapting Levels of Assurance for NSTIC

Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 1

Adapting Levels of Assurance for NSTIC
Jim Fenton <[email protected]>

Page 2: Adapting Levels of Assurance for NSTIC


LOA Requirements (M-04-04)

• “E-Authentication Guidance for Federal Agencies”

• Dated December 16, 2003

• Issued by the Office of Management and Budget

• Specifies four levels of assurance and when they should be used

Page 3: Adapting Levels of Assurance for NSTIC


M-04-04 Levels of Assurance

• An indicator of the risk/value of the transaction

• Drives authentication and identity proofing requirements

Level  Description
1      Little or no confidence in the asserted identity’s validity
2      Some confidence in the asserted identity’s validity
3      High confidence in the asserted identity’s validity
4      Very high confidence in the asserted identity’s validity

Page 4: Adapting Levels of Assurance for NSTIC


Impact of Authentication Errors

• Impacts consider both potential harm and likelihood

• Categories:
  • Inconvenience, distress, or damage to standing or reputation
  • Financial loss or agency liability
  • Harm to agency programs or public interests
  • Unauthorized release of sensitive information
  • Personal safety
  • Civil or criminal violations

• Degree of impact:
  • Low, Moderate, or High within each category
  • Severity and duration of effect

Page 5: Adapting Levels of Assurance for NSTIC


Maximum Potential Impacts by Assurance Level

Potential Impact Category                                        1    2    3    4
Inconvenience, distress, or damage to standing or reputation     L    M    M    H
Financial loss or agency liability                               L    M    M    H
Harm to agency programs or public interests                      N/A  L    M    H
Unauthorized release of sensitive information                    N/A  L    M    H
Personal safety                                                  N/A  N/A  L    M/H
Civil or criminal violations                                     N/A  L    M    H

Page 6: Adapting Levels of Assurance for NSTIC


NIST SP 800-63

• “Electronic Authentication Guideline”

• Issued April 2006 (v1.0.2) by NIST

• Technical guidelines for how authentication should be done in response to M-04-04

• Currently being revised by NIST

Page 7: Adapting Levels of Assurance for NSTIC


SP 800-63 Requirements

• Observation: A lot of existing authentication is done in plaintext
  • We are at level 0!

• Question: Is proofing an authentication issue or an attribute issue?

Level  Plaintext transport  Long-term secrets  Multifactor  Proofing
1      N                    OK                 Optional     None
2      N                    Only to IdP        Optional     In-person or remote
3      N                    N/A                Required     In-person or remote
4      N                    N/A                H/W token    In-person only

Page 8: Adapting Levels of Assurance for NSTIC


Attribute and “Identity” Providers

• NSTIC distinguishes between “Identity” and Attribute Providers
  • Identity Providers authenticate and provide authentication assertions
  • Pseudonymity implies that other assertions don’t automatically come with authentication

• Proposal: Fully separate authentication from all other attributes
  • IdP provides referrals to attribute services

• Question: Isn’t identity proofing an attribute provider requirement, not an authentication requirement?

• Suggesting separation of proofing from authentication requirements in the SP 800-63 revision

Page 9: Adapting Levels of Assurance for NSTIC


How does this work?

• Effective LOA = min(LOA of authentication, accredited LOA of authentication provider, LOA of attribute binding, accredited LOA of attribute provider)

• LOA of attribute binding is determined by the lesser of:
  • Attribute provider’s confidence in the attribute
  • LOA of the authentication used at enrollment with the provider

• Effective LOA maps to M-04-04 requirements
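The following is an added example, not part of the presentation: it encodes the impact ceilings from the "Maximum Potential Impacts by Assurance Level" table and the effective-LOA composition from this slide, so that a relying party can derive the level a transaction requires and check whether a composed authentication-plus-attribute assertion reaches it. The category keys and function names are the example's own; the "M/H" entry for personal safety at level 4 is treated as a ceiling of "H".

```python
# Added example, not from the slides: the M-04-04 impact ceilings (slide 5)
# combined with the effective-LOA composition proposed on slide 9.

# Impact degrees ordered for comparison; "N/A" means not permitted at that level.
IMPACT = {"N/A": 0, "L": 1, "M": 2, "H": 3}

# Maximum potential impact tolerated at assurance levels 1, 2, 3, 4 (slide 5).
# Personal safety at level 4 is listed as "M/H"; the upper bound "H" is used here.
MAX_IMPACT = {
    "inconvenience":   ("L",   "M",   "M", "H"),
    "financial":       ("L",   "M",   "M", "H"),
    "agency_programs": ("N/A", "L",   "M", "H"),
    "sensitive_info":  ("N/A", "L",   "M", "H"),
    "personal_safety": ("N/A", "N/A", "L", "H"),
    "civil_criminal":  ("N/A", "L",   "M", "H"),
}

def required_loa(assessed: dict[str, str]) -> int:
    """Lowest level 1-4 whose ceilings cover every assessed impact.
    `assessed` maps category -> "L"/"M"/"H" (categories rated N/A are omitted)."""
    level = 1
    for category, impact in assessed.items():
        caps = MAX_IMPACT[category]          # KeyError for an unknown category
        need = next((lvl for lvl, cap in enumerate(caps, start=1)
                     if IMPACT[cap] >= IMPACT[impact]), None)
        if need is None:                     # defensive: every level-4 cap here is "H"
            raise ValueError(f"{category}={impact} exceeds the level 4 ceiling")
        level = max(level, need)             # the strictest category decides
    return level

def attribute_binding_loa(provider_confidence: int, enrollment_auth_loa: int) -> int:
    """Slide 9: the lesser of the attribute provider's confidence in the
    attribute and the LOA of the authentication used when it was enrolled."""
    return min(provider_confidence, enrollment_auth_loa)

def effective_loa(auth_loa: int, auth_provider_accredited: int,
                  binding_loa: int, attr_provider_accredited: int) -> int:
    """Slide 9: weakest link across authentication, the authentication
    provider's accreditation, the binding, and the attribute provider's accreditation."""
    return min(auth_loa, auth_provider_accredited, binding_loa, attr_provider_accredited)

def meets_requirement(assessed: dict[str, str], auth_loa: int,
                      auth_provider_accredited: int, provider_confidence: int,
                      enrollment_auth_loa: int, attr_provider_accredited: int) -> bool:
    """Is the composed assertion strong enough for this transaction's assessed risk?"""
    binding = attribute_binding_loa(provider_confidence, enrollment_auth_loa)
    effective = effective_loa(auth_loa, auth_provider_accredited, binding,
                              attr_provider_accredited)
    return effective >= required_loa(assessed)
```

Note that a level 3 authentication is dragged down to an effective level 2 if the attribute it is combined with was enrolled over a level 2 authentication, which is exactly the weakest-link behaviour the slide's min() expresses.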

Page 10: Adapting Levels of Assurance for NSTIC


Why do we Care?

• Identity Providers are the users’ agents in the identity world
  • Require the most trust from the user
  • Therefore user choice is important

• Removing the proofing requirement enables many more IdPs
  • Can issue an LOA 4 hardware token without an in-person transaction

• An arm’s-length relationship between credential and attribute providers is good for privacy

Page 11: Adapting Levels of Assurance for NSTIC


References

• OMB M-04-04, “E-Authentication Guidance for Federal Agencies”:
  http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf

• NIST Special Publication 800-63, “Electronic Authentication Guideline”:
  http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

• My blog series on NSTIC (will be addressing this):
  http://blogs.cisco.com/tag/nstic-series/

Page 12: Adapting Levels of Assurance for NSTIC

Thank you.