Trust Elevation Method: One Time Password (OTP)
Access to network resources can be controlled through the use of a user name / password, possibly combined with a one-time password.

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTP requires additional technology in order to work. OTPs are dynamic and avoid many of the shortcomings associated with static passwords. In theory, OTPs are not vulnerable to replay attacks.

There are many approaches for the generation of OTPs:
1. Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time).
   • Time-dependent authenticators base their OTP generation on time intervals. A password is valid for a given amount of time.
   • Can be implemented with small key cards that are equipped with digital displays. The card displays a unique numeric combination that has been randomly generated by the hardware token.
   • To be authenticated, users enter their personal PIN numbers, followed by the current OTP displayed on their key card.
2. Using a mathematical algorithm to generate a new password based on the previous password (OTPs are effectively a chain and must be used in a predefined order).
   • Generating OTPs randomly. Some token generators allow the users to generate the OTP by entering a PIN.
3. Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.

Smart devices that a user carries can be used to generate OTPs. The token can be generated using software that runs on the smart device.
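As an added example (not from the original document), the following Python shows server-side verifiers for approaches 2 and 3 above, with approach 1 covered by feeding a time step in as the counter. Names, the SHA-256 hash chain, the HOTP-style truncation and the look-ahead window are assumptions of this example; what it demonstrates is why a chained or counter-based OTP cannot be replayed once accepted.

```python
import hashlib
import hmac
import struct

# Constructed example (not part of the original document): verifiers for
# two of the OTP generation approaches described above.

# Approach 2: hash-chain OTP. The client holds a secret seed; the i-th
# password is H^(n-i)(seed), so passwords must be used in a fixed order
# and a captured password cannot be replayed once the server has moved on.
def make_chain(seed: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)] using SHA-256."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain

class ChainVerifier:
    def __init__(self, anchor: bytes):
        self.last = anchor          # H^n(seed), registered at enrollment

    def verify(self, otp: bytes) -> bool:
        if hashlib.sha256(otp).digest() != self.last:
            return False            # wrong value, out of order, or replayed
        self.last = otp             # advance; this value is now burned
        return True

# Approach 3 (and 1): HMAC over a counter shared with the server. Using
# time_counter(now) as the counter turns this into a time-synchronized OTP.
def hmac_otp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code: HMAC-SHA1 of the big-endian counter, truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def time_counter(now: float, step: int = 30) -> int:
    """Counter value for approach 1: the current time step."""
    return int(now // step)

class CounterVerifier:
    def __init__(self, key: bytes, window: int = 3):
        self.key, self.counter, self.window = key, 0, window

    def verify(self, code: str) -> bool:
        # Look ahead a few counters to tolerate client/server drift, but
        # never accept a counter at or below the last accepted one.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hmac_otp(self.key, c), code):
                self.counter = c + 1
                return True
        return False
```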
• OTPs can be sent to users through SMS or other out-of-band methods.
• OTPs over text messaging may be encrypted, with varying vulnerabilities.
• SMS-based OTPs have vulnerabilities:
   - There are threats from hackers, phishing and stealing.
   - The mobile phone operator becomes part of the trust chain.
   - Hackers may mount a MITM attack.
• OTPs can be printed on paper that the user is required to carry.
• Some providers offer web-based methods for delivering one-time passwords without the need for tokens.
   - An example is the use of pre-chosen categories from a randomly generated grid of pictures. Each picture in the grid has a randomly generated alphanumeric character overlaid on it.
   - The user enters the alphanumeric characters associated with the preset category to form the OTP.

OTP helps to eliminate a number of system vulnerabilities, such as password cracking, password sniffing, brute force attacks, and social engineering.

Usability is a problem in particular with OTP systems that utilize hardware key cards, since those users are required to use their keys every time they log in. Key cards are vulnerable to theft and stolen PINs, and may be forgotten at home.
Questions:

Which party is performing the method?
   Relying Party / Identity Service Provider / Network

How does the method improve trust?
   This method can improve trust if done properly. Trust is improved through the use of dynamic passwords.

How does the method address the threat of eavesdropping?
   No. The method is vulnerable to eavesdropping.

How does the method address the threat of online guessing?
   This method is somewhat vulnerable to online guessing.

How does the method address the threat of replay attack?
   This method solves the problem of replay attacks.

How does the method address the threat of man in the middle?
   This method is somewhat vulnerable to man in the middle attacks.

How does the method address the threat of spoofing and masquerading?
   This method is vulnerable to spoofing and masquerading.
Are there implementation requirements for improving trust? If so, what are they and why are they necessary?
   Elevating trust and countermeasures: organizations need a multi-faceted defense against password vulnerabilities.
   o Use a secure OTP method.

Are there privacy and/or confidentiality issues engaged when using the method, such as user consent for attribute release/exchange? Are there reasonable solutions for potential privacy impacts?

What are the usability issues when using the method? Are there reasonable solutions for potential usability impacts?
   TBD
Initial NIST LOA
0
1
2
Resulting NIST LOA
This method is very common with users.
Comments
This is a single factor LOA 2 regardless of the OTP strength.
When performed with a previously registered phone that is subscribed to by the user, it can constitute a second factor hard token.
3
4
Just for grins, I’ve added the M 04-04 risk/assurance table. It continues to make perfect sense.
TBD
Table 1 – Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for Authentication Errors        | Assurance Level Impact Profiles
                                                             |  1  |  2  |  3  |  4
Inconvenience, distress or damage to standing or reputation  | Low | Mod | Mod | High
Financial loss or agency liability                           | Low | Mod | Mod | High
Harm to agency programs or public interests                  | N/A | Low | Mod | High
Unauthorized release of sensitive information                | N/A | Low | Mod | High
Personal Safety                                              | N/A | N/A | Low | Mod/High
Civil or criminal violations                                 | N/A | Low | Mod | High