Improve authentication with valuable guidelines from NIST

The National Institute of Standards and Technology has a valuable report that can help administrators determine the level of authentication that their organizations need.

If security is a major concern for your organization, check out TechRepublic's IT Security Survival Guide. This book and CD provide the information you need to keep your organization's IT systems safe from contemporary network threats and to protect systems and data.

A security document from the National Institute of Standards and Technology (NIST) can help administrators get through the often complex problem of designing and implementing secure e-commerce practices over the Web. I'm going to give you a breakdown of what this document has to offer.

The report

NIST (formerly the Bureau of Standards) has published the final version of Special Publication 800-63, "Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology."

Federal agencies are required to follow some of the recommendations made by NIST, but these recommendations can also provide a valuable guide to commercial IT departments, especially for administrators who are looking for ready-made guidelines for securing their own Web operations. Electronic authentication is one of the most critical security concerns of many administrators, and this 63-page report provides a lot of useful information, even though much of it is well hidden in the many pages of "official" language.

The report divides the authentication problem into four basic levels, each tied to the degree of confidence in the claimant's identity that it provides. This is a good place to start in designing your own security plan, especially if you want to make use of the later parts of the guide, which tie specific protocols and threats to the different levels of security.

Obviously, it is much more important to be certain about whom you are authenticating if they are placing orders or you are sending financial information to them, but even at the most basic level, it is often critical that businesses be able to authenticate the person at the other end of the data stream even before sending such basic information as price quotes (especially if you quote different prices to different customers for various marketing or credit-worthiness reasons).

The SP 800-63 report can help you define the authentication level(s) most appropriate for your organization, as well as which protocols you should use to reach each level. In addition, the publication can save you a lot of time when it comes to preparing a comprehensive list of the actual threats you may face. IT professionals know that you can't adequately protect against something you don't know about, and we also know just how easy it is to overlook one danger while you are trying to decide on everything you must protect against.

While not everything in this document will apply directly to your IT environment, it's good to know that you can just copy and paste some sections directly into your plans if they seem appropriate. It's good form to give NIST credit for their contribution, but this is copyright-free material, so you don't have to spend endless hours rewriting or altering sections before you can use the recommendations in your own operations. You also don't have to worry about how much or how little of the text you can reuse without incurring the ire of a vendor.

The tables in Section 9, Summary of Technical Requirements by Level, are very useful. If you can match your needs with one of the four predefined levels detailed in the first part of this document, these tables will quickly show just what technical hurdles you may face in implementing the guidelines, such as what token types are permitted at a certain level and what attack vectors you may need to protect against to achieve a certain degree of security.

The token types covered in SP 800-63 include (with the most secure at the top of the list):

  • Hard crypto tokens
  • One-time password devices
  • Soft crypto tokens
  • Passwords
  • PINs

The various attacks described include:

  • Online guessing
  • Replay
  • Eavesdropping
  • Verifier impersonation
  • Man-in-the-middle attacks
  • Session hijacking

The highest level of security requires protection against all six of these types of attacks, while the lowest level only requires protection against replay and online guessing.

Appendix A is devoted to an information-theoretic analysis of passwords, including a formula for estimating the strength, or information content (entropy), of any password. In cryptography, entropy is used as a basic measure of how easy or difficult it would be to guess a particular password or category of passwords. Although the mathematics may not interest you, there is an extensive general discussion that should be helpful to anyone involved in security (other than professional cryptographers).
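To make the entropy discussion concrete, here is an added worked example (my code, not text or code from the article or from NIST) that estimates password entropy the way Appendix A does and then relates that figure to the online-guessing threat listed above. Two cases are handled: a password chosen uniformly at random, whose entropy is simply length times log2 of the alphabet size, and a user-chosen password, which Appendix A scores with a per-character heuristic plus bonuses for composition rules and dictionary checks. The per-character constants, the shape of the dictionary bonus, and the Level 1 and Level 2 guessing targets (no more than a 1-in-1024 and 1-in-16384 chance of success over the password's lifetime) are my recollection of the 2004 publication and should be treated as assumptions to be checked against the report itself.

```python
"""Password entropy estimates in the spirit of SP 800-63 (2004) Appendix A.

Added example only. The per-character constants, the dictionary-bonus
schedule and the per-level guessing targets below are assumptions based on
my reading of the 2004 report; verify them against the publication.
"""
import math


def random_password_entropy(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size^length."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def user_chosen_entropy(password: str, composition_rule: bool = False,
                        dictionary_check: bool = False) -> float:
    """Heuristic entropy estimate for a user-chosen password.

    Assumed schedule: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for characters 9-20, 1 bit each beyond 20;
    +6 bits if upper-case and non-alphabetic characters are required;
    up to +6 bits for an extensive dictionary check, held at 6 bits through
    8 characters and declining linearly to 0 bits at 20 characters.
    """
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                               # first character
    bits += 2.0 * min(n - 1, 7)              # characters 2 through 8
    bits += 1.5 * max(0, min(n, 20) - 8)     # characters 9 through 20
    bits += 1.0 * max(0, n - 20)             # characters 21 and beyond
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        bits += 6.0 if n <= 8 else 6.0 * max(0, 20 - n) / 12
    return bits


# Assumed maximum probability that an attacker with no prior knowledge
# succeeds at online guessing over the password's lifetime, per level.
LEVEL_MAX_SUCCESS = {1: 2 ** -10, 2: 2 ** -14}


def max_online_guesses(entropy_bits: float, level: int) -> int:
    """Guesses the verifier may allow over the password's lifetime while
    keeping the attacker's success probability at or under the level's target.

    With H bits of entropy an attacker gets roughly one chance in 2^H per
    guess, so allowed guesses = 2^H * target probability.
    """
    return int(2 ** entropy_bits * LEVEL_MAX_SUCCESS[level])


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for pw, comp, dic in [("password", False, False), ("password", True, True),
                          ("correct horse battery", False, True)]:
        h = user_chosen_entropy(pw, comp, dic)
        print(f"{pw!r:26} composition={comp!s:5} dictionary={dic!s:5} "
              f"~{h:5.1f} bits  L1 guesses={max_online_guesses(h, 1):>8} "
              f"L2 guesses={max_online_guesses(h, 2):>8}")
    h = random_password_entropy(8, 94)      # 8 printable ASCII characters
    print(f"random 8 of 94 chars     ~{h:5.1f} bits  "
          f"L2 guesses={max_online_guesses(h, 2)}")
```

The last column is the practical takeaway: an 8-character user-chosen password with no composition or dictionary rules scores about 18 bits under this heuristic, so a Level 1 verifier can tolerate only a few hundred failed attempts over the password's lifetime before the guessing target is exceeded, which is why the report pairs entropy estimates with lockout or throttling requirements rather than relying on password policy alone.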

Final word

Many times we are too quick to dismiss any government work in our field. Many of us have come face-to-face with the limitations of government agencies and sometimes forget that there is also some very helpful work being done by these agencies that we can take advantage of in our everyday work. Those of us in the U.S. are paying for this one way or another, so why not take advantage of the few pearls we can take from publications such as the ones from NIST? If nothing else, this document can serve as a great training resource to get new IT staff members up to speed on various security issues.

Also watch for . . .

  • Wired News has reported a significant federal court ruling in a Massachusetts case in which a bookseller copied and read all the e-mails his customers were sending using his e-mail service. His snooping was for commercial purposes, targeting customers with book offers based on the e-mails they sent to Amazon (this practice is similar to the Google free gigabyte e-mail system that is about to debut). He was sued, but the court has ruled that he did not violate the Wiretap Act. The privacy implications to companies are obvious. Don't use public mail systems to conduct business, don't send e-mails from various wireless connections such as those found at coffee shops. On the other hand, if you set up a free e-mail service for your customers you are apparently free to snoop on what they are saying, at least for the time being. I look for this one to go all the way to the Supreme Court in Washington.
  • A report on the new California privacy law includes a link to comments by a legal firm about the effects the California Online Privacy Protection act of 2003 will have on all companies doing any business in California. The law spells out privacy statement requirements and other privacy-related rules regarding sharing of customer data.
  • On the "we can all relax now" front, the UN has come out against spam and, according to the CMP story, the UN says it will eliminate spam within two years, leading to "the preservation of the Internet." Whew! That's a great weight off my mind.
  • Lotus Domino Web Access (iNotes) has a DoS issue caused by large JPG images. See the Secunia note for the few available details on this unspecified problem.
  • IBM's SecureWay Firewall can suffer a DoS event from invalid packets. There is a report on the Open Source Vulnerability Database.
  • Mozilla and Firefox have a newly discovered problem that is covered in a Secunia report.
