Question  
Subject: Definition of "Strong Authentication"
Category: Computers > Security
Asked by: k3for-ga
List Price: $15.00
Posted: 15 Jul 2004 08:40 PDT
Expires: 14 Aug 2004 08:40 PDT
Question ID: 374482
What is the U.S. Federal government accepted definition of "strong
authentication" regarding network security? What document defines this?

Clarification of Question by k3for-ga on 15 Jul 2004 08:49 PDT
URGENT - would like answer by 20 July 2004 - thanks!
Answer  
Subject: Re: Definition of "Strong Authentication"
Answered By: webadept-ga on 15 Jul 2004 19:52 PDT
Rated:4 out of 5 stars
 
Hi

I quickly discovered your confusion level on this topic. There doesn't
appear to be a clear definition of what this is yet. There are a
number of documents and change-overs pointing to Kerberos, others like
the FBI seem to think it is SSL, others, such as the Virginia DMV seem
to believe it is a good PIN number (it's hyperlinked even) and a
cookie. <you have to pause there, to really get the full effect>

Like many "keywords" in our Government, it seems to sound like the
right thing to say.

The more serious and, we'll say knowledgeable, or at least they could
write a line of code and fix a laptop if they had to, suggest the
following definition, which is more or less prevalent.

--"Strong authentication is a form of computer security in which the
identities of networked users, clients and servers are verified
without transmitting passwords over the network."---

Apparently the methodology here is a feeling that a network, and
therefore its clients, and servers are more vulnerable to attack when
in transit. That data is the refugees running from fort to fort,
trying not to get caught. And, more or less this is the fact of life.
Strong Authentication therefore would require you to, one, actually be
at the computer, and two, not rely on a data transfer for
authentication to happen. It is this last part that keeps bringing up
Kerberos. Just a note, in case you don't know, Kerberos is the three
headed dog that guards Hades in the underworld.

Again, there is no official definition to this term. It is an 'idea' a
'thing that must be done' but we aren't sure what that thing is going
to be, but we need it. Also, I've noticed over the last 15 years that
this happens quite a bit. ICE for example. The Network Security term
which bounced around from being virus protection to intrusion
detection, to firewall, and then sort of died from use. And then a
company started up calling themselves Network ICE and a product Black
ICE. The start of this term however was Neuromancer (the book), William
Gibson.

So the terms come out, and the fray try to find definition by
demonstration of ability.

US-CERT  United States Computer Emergency Readiness 
from the About Us page --"US-CERT is a partnership between the
Department of Homeland Security and the public and private sectors.
Established to protect the nation's Internet infrastructure, US-CERT
coordinates defense against and responses to cyber attacks across the
nation." ---

In looking for an actual policy for this I thought this the best
source of possible information in this area. A search on their site
only showed a better example of what I was finding elsewhere. The
general thought appears to be that encryption is definitely involved.
What encryption is not decided, nor the implementation or needed
events to warrant that encryption to be in play.

quote from a policy page --"Strong authentication, if available,
should be used to establish trusted communications." --- And if it is
not available I guess we should not worry about it. (??)

http://search.us-cert.gov/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&qt=strong+authentication

Finding the Official Policy Page on US-CERT led to more "thought out"
forms of logic, but again, no clear and decisive definition is at
hand. In fact, on the Policy page, in the text showing there, the term
"Strong Authentication" isn't used.
http://www.us-cert.gov/policy/

Which does present an odd feeling when looking at pages such as this
http://computing.fnal.gov/security/StrongAuth/

Which seem to be most definite that there is not only a true and
correct usage for this term, but they are in fact living up to that
policy and meeting all of the outlined criteria. Since it appears that
they are the actual source of this Term.
http://computing.fnal.gov/security/StrongAuth/Plan/AuthenticationSynopsis.htm

I would have to say if you are looking for a clear definition this is
the clearest I've found. So clear it even sounds official. And they
have been working on it since 1999, and have yet to release the pilot
program, and the Full Plan document is under revision.

The reason Kerberos is found all over the place on pages discussing
how important this is, is this ---" Subject: 1.19. What is
preauthentication?

As mentioned in Question 1.18, one weakness in Kerberos is the ability
to do an offline dictionary attack by requesting a TGT for a user and
just trying different passwords until you find one that decrypts the
TGT successfully.

One way of preventing this particular attack is to do what is known as
preauthentication. This means to simply require some additional
authentication before the KDC will issue you a TGT.

The simplest form of preauthentication is known as PA-ENC-TIMESTAMP.
This is simply the current timestamp encrypted with the user's key.

There are various other types of preauthentication, but not all
versions of Kerberos 5 support them all. " --- from the FAQ page on
the Kerberos page.
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#preauth 

Microsoft has been very interested in Kerberos for a long time, but
has yet to really apply the methodology in a meaningful way. Although
the EPS system is a step in that general direction.

Of course they are all over this term and throwing it around like it
means something and they know what it is.

"ActivCard Strong Authentication Technology to Support Microsoft ISA Server 2004."

"Secure HTTPs are used to provide strong authentication and
confidentiality when using HTTP to gain access to content on the World
Wide Web. ..."

"Authenex, Inc. The Authenex Strong Authentication System (ASAS)
integrates 2-factor authentication technology with the VPN
functionality of ISA Server."

"Generally, strong authentication systems should require the user to
prove their physical presence without requiring them to remember and
use passwords"

-- all quoted from the page display provided by the search "Strong
Authentication" site:Microsoft.com
http://www.google.com/search?num=100&hl=en&lr=lang_en&ie=UTF-8&q=%2B%22Strong+Authentication%22+site%3Amicrosoft.com&btnG=Search

What is Strong Authentication? Right now, an idea, and a way to make
money if you say strongly enough that you know what it is, and can
provide it, because Homeland Security is going to require it...(as
soon as they figure out what it is they are requiring.). That is what
Strong Authentication is, and means, at the present time.

Links of note

http://www.fnal.gov/docs/strongauth/

http://computing.fnal.gov/security/StrongAuth/

http://www-fbi.zhwin.ch/kom/13-PKI/certifier-solution.pdf

MIT's page on Kerberos and Security
http://web.mit.edu/kerberos/www/

Real CERT
http://www.cert.org/nav/index.html


Kerberos: The Network Authentication Protocol
http://web.mit.edu/kerberos/www/

Searches used during the research of this answer
strong authentication  inurl:gov
"strong authentication" inurl:gov
"strong authentication" inurl:gov inurl:whitehouse
"strong authentication" inurl:gov inurl:con
+"strong authentication" +congress 
+"ICE" +NETWORK SECUrity
"strong authentication" inurl:cert
Kerbos
Kerberos
+"Strong Authentication" site:microsoft



thanks, 

webadept-ga
k3for-ga rated this answer:4 out of 5 stars and gave an additional tip of: $5.00
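The PA-ENC-TIMESTAMP preauthentication that the quoted Kerberos FAQ describes, as an added example that is not part of the original answer and not code from any Kerberos implementation: a toy KDC that refuses the AS exchange until the client proves knowledge of the user's key, with the clock-skew, replay and failed-attempt bookkeeping a defender relies on. The string_to_key, encrypt and decrypt helpers and the KDC class are simplified stand-ins I assume for the demo (real Kerberos uses the enctype's own key derivation and cipher); the error names are the RFC 4120 ones.

```python
import hashlib
import hmac
import os
MAX_SKEW = 300  # seconds; the KDC rejects timestamps outside its clock-skew window

def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (real KDCs use the enctype's own KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption (SHA-256 keystream XOR, then HMAC tag), not a Kerberos enctype.
    nonce = os.urandom(16)
    keystream = hashlib.sha256(key + nonce).digest()  # plaintext capped at 32 bytes
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, "sha256").digest()

def decrypt(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the tag fails (wrong key, i.e. a wrong password guess).
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, "sha256").digest(), tag):
        return None
    keystream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))

def make_pa_enc_timestamp(password: str, principal: str, now: int) -> bytes:
    # Client side: PA-ENC-TIMESTAMP is the current time encrypted under the user's long-term key.
    return encrypt(string_to_key(password, principal), now.to_bytes(8, "big"))

class KDC:
    def __init__(self, keys):
        self.keys = keys       # principal -> long-term key (constructed sample data)
        self.failures = {}     # failed preauth attempts per principal: the signal to alert on
        self.seen = set()      # (principal, timestamp) pairs already accepted, to refuse replays
    def as_request(self, principal: str, pa_enc_timestamp, now: int) -> str:
        key = self.keys[principal]
        if pa_enc_timestamp is None:
            # Without preauth the reply would carry a TGT encrypted under the user's key; refuse.
            return "KDC_ERR_PREAUTH_REQUIRED"
        plaintext = decrypt(key, pa_enc_timestamp)
        if plaintext is None:
            self.failures[principal] = self.failures.get(principal, 0) + 1
            return "KDC_ERR_PREAUTH_FAILED"  # every guess is now an online, logged attempt
        ts = int.from_bytes(plaintext, "big")
        if abs(now - ts) > MAX_SKEW:
            return "KRB_AP_ERR_SKEW"
        if (principal, ts) in self.seen:
            return "KRB_AP_ERR_REPEAT"
        self.seen.add((principal, ts))
        return "AS_REP"  # the real reply carries the TGT; the status code is enough here
```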

Comments  
Subject: Re: Definition of "Strong Authentication"
From: kerberos-ga on 16 Jul 2004 12:16 PDT
 
I recommend a very good NIST reference on this topic:

SP 800-63 Electronic Authentication Guideline: Recommendations of the
National Institute of Standards and Technology, June 2004
(http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf).

NIST has provided a risk assessment and classified authentication
within different  security levels, with detailed descriptions for the
required mechanisms/controls. Level 4 is probably the one you are
looking for.
Subject: Re: Definition of "Strong Authentication"
From: crypt0-ga on 15 Aug 2004 20:15 PDT
 
I would recommend any hardware based authentication token solution
that runs by proprietary algorithms instead of a transmitted pin or
password - purely for starters. The layman's terms of 'something you
know' (eg: your password or pin), 'something you have' (eg: hardware
token or palm device - I won't include SMS or cellphones in this as the
means of data transport is not given the same assurance), and finally
for the Biometrics fan in all of us, 'something you are', which uses
the physical characteristic of the authentication requestor.

In the real world, only two out of the three are required for an
assured level of 'strong' authentication, Biometrics is still a bit of
a wobbly technology but will get properly on its feet in a few years,
I know that Cryptocard provides hardware tokens that cost HALF of the
price of the equivalent RSA Securid solution, and unlike RSA based
solutions, do not transmit their passwords across the network for all
to see :) - if it can be cracked by 'Cain & Abel', it is most
definitely NOT strong authentication.
Subject: Re: Definition of "Strong Authentication"
From: smarttard-ga on 06 Jan 2005 21:25 PST
 
Crypt0-ga - Please do some research before you post such
nonsense...."I know that Cryptocard provides hardware tokens that cost
HALF of the price of the equivalent RSA Securid solution, and unlike
RSA based
solutions, do not transmit their passwords across the network for all
to see :) - if it can be cracked by 'Cain & Abel', it is most
definitely NOT strong authentication." 

Cryptocard's CHEAP price is based off its limited functionality and
security. You get what you pay for! Cryptocard's authentication
mechanism is event based rather than time based like RSA. If you do
your research I'm sure you will see that time based is much more
secure. Furthermore, RSA is using the newer NIST approved AES
algorithm. Last time I checked Crypto Card was using 3DES and the
Rubik's Cube algorithm. I will give Crypto kudos with their
relationship with Apple but that's about it. RSA owns 80% of the market
place with large accounts within the Fortune 500, DOD, and Civilian
govt.....and they are growing.
