Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
Background 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security charged Vice Presidents to develop a plan to continue to automate the University’s administrative systems utilizing modern information technology processes and security tools to gain process efficiencies. 2
Automating Processes Involves Personal digital identities Decisions on the part of sponsors of automated electronic systems, applications Integration – secure authentication 3
Requirement Ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are. Identity Assurance 4
VT Enterprise Personal Digital Identities Guest accounts – little or no assurance in identity Personal Identifier (PID), Active Directory account, Oracle ID – some assurance in identity. Personal Digital Certificate (PDC) on eToken – 2-factor, high assurance in identity 5
Identity Proofing, Issuing Credentials Guest accounts – guest is invited via e- mail to create ID PID – issued remotely; user answers questions based on information in university data base. Identity proofing part of admission or hiring process. PDC – issued in person, requires PID, government-issued photo IDs. 6
PDC Issued on Aladdin eToken, certified at FIPS level 2. Tamper-resistant Private key cannot be exported off eToken Face-to-face identity verification; 2 government- issued photo Ids; must match information in our Enterprise Directory 2-person issuance process (RAA and CAA) Available to all employees Enabled for authentication and digital signature Employee signs agreement not to share 7
Standard/Guidance for Sponsors Office of Management Budget M-04-04, E- Authentication Guidance for Federal Agencies; /m04-04.pdf /m04-04.pdf National Institute of Standards and Technology Special Publication , Electronic Authentication Guideline; rev1/SP Rev1_Dec2008.pdf 8
Process 1.Determine potential impact of authentication error 2.Map potential impact level to LOA of personal digital identity 3.Select credentials 4.Request technical review from Identity Management Services 5.Implement digital credentials 6.Validate with security review 7.Document; reassess annually 9
Potential Impact Profile Level 10 Potential Impact Profile Levels Consequences Inconvenience, distress, or damage to standing or reputation N/ALowMod HighVery high Financial loss or university liabilityN/ALowMod HighVery high Harm to university programs or public interests N/A LowModHighVery high Unauthorized release of sensitive informationN/A LowModHighVery high Personal safetyN/A LowMod (or) High Very high Penalties for civil, criminal, or disciplinary violations N/A LowModHighVery high
11 LOA Identity assertion Identity proofing requirements Authentication factorsDigital credential examples 0No identity is asserted. None No authentication is required. Site is open to public 1Little or no confidence in the validity of the asserted identity Some identity information is acquired. Little or no verification is performed. Single-factor authentication with password Guest accounts 2Some confidence that the asserted identity is valid Some identity information is acquired, with some level of verification. Single-factor authentication with password or biometric attribute PID and password; Active Directory ID and password; Oracle ID and password. Finger print reader. Hokie Passport card with photo 3Moderate degree of confidence in validity of the asserted identity Matching of the collected identity information is strengthened by additional identity verification from a trusted authority. Identity proofing may be in-person or in some circumstances, remote. A minimum of two authentication factors is required; i.e., something you know and (something you have or something you are) Personal digital certificates; finger print readers requiring passwords or PINs, 4High degree of confidence in the validity of the asserted identity In-person identity proofing is required, including referencing a biometric attribute. A minimum of two authentication factors is required, including a cryptographic key stored on a hardware token that does not allow the export of authentication keys. Personal digital certificate (PDC) on Aladdin eToken USB device protected with password 5Very high degree of confidence in the validity of the asserted identity In-person identity proofing is required, including recording a biometric attribute. Three authentication factors are required, including a biometric attribute and a cryptographic key stored on a hardware token that meets certain technical specifications. Fingerprint reader with PIN, plus something you have Levels of assurance of personal digital identities
Integration: CAS Version 3.1+ Recognizes login credential and assigns LOA Passes LOA to application in SAML payload Supports guest accounts, PID, PDC for login 12
Levels of Assurance using CAS 13 LOA values defined by VT CAS, reflecting NIST NIST CAS client must support SAML 1.1 messages. urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist :v1- 0-2:1 – Guest Id/password urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist :v1- 0-2:2 - PID/password urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist :v1- 0-2:3 - NOT USED urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist :v1- 0-2:4 - PDC on eToken
References National Institute of Standards and Technology Special Publication , Electronic Authentication Guideline; Rev1_Dec2008.pdf Office of Management Budget M-04-04, E-Authentication Guidance for Federal Agencies; University of Wisconsin, Madison, User Authentication and Levels of Assurance; Virginia Tech, Standard for Use of Personal Digital Identities 14