NIST SP 800-63-2：电子身份验证技术指南

需积分: 9 82 浏览量更新于2024-07-16 收藏 1.07MB PDF 举报

NIST SP800-63-2.pdf是美国国家标准与技术研究院(National Institute of Standards and Technology, NIST)发布的《电子认证指南》。该指南针对联邦政府机构在开放网络上实现远程用户身份验证提供了详细的指导。它关注的核心主题包括电子认证的四个级别保障（Identity Proofing、Registration、Tokens和Authentication Protocols）以及相关的声明。 1. **身份证明（Identity Proofing）**：这一部分定义了验证用户真实身份的严格程度，要求确保只有授权用户才能访问系统。这可能涉及多重因素认证，如生物特征识别（如指纹或面部识别）、知识为基础的验证（如密码）以及拥有物（如智能卡或手机）。 2. **注册（Registration）**：指南强调了用户账户的创建过程，包括数据收集、验证和存储的安全措施，以防止欺诈和滥用。这涉及到对个人信息的合法性和完整性的管理，以及定期更新和审计机制。 3. **令牌（Tokens）**：电子令牌作为一种安全介质，用于提供临时、一次性或受时间限制的访问权限。它们可以是物理设备、软件应用或基于云计算的服务，以增强一次性密码或数字签名功能，增强安全性。 4. **认证协议（Authentication Protocols）**：指南详细描述了各种加密和身份验证协议的设计和实施标准，如公钥基础设施（Public Key Infrastructure, PKI）和多因素认证（Multi-Factor Authentication, MFA），以确保通信的保密性和完整性。 5. **电子凭证（Electronic Credentials）**：电子形式的身份证明，如数字证书、数字签名或电子印章，被用来验证用户身份并在电子交易中扮演核心角色。这些凭证必须符合严格的生命周期管理和撤销机制。 6. **电子交易与电子政府（Electronic Transactions and Electronic Government）**：NIST SP800-63-2的应用范围不仅限于企业环境，还涵盖了政府机构之间的电子服务，确保公众和公务员能够安全、高效地在线互动。 7. **密码策略与管理（Passwords）**：指南对密码策略提出了明确要求，包括复杂度、定期更换、密码历史和双因素或多重认证的支持，以降低因弱口令导致的安全风险。 8. **责任与法律依据（Authority）**：该出版物是根据《联邦信息安全管理法案》(FISMA, Public Law P.L. 107-347)制定的，NIST负责制定信息安全标准和指导方针，以满足联邦信息系统的基本安全要求。 NIST SP800-63-2.pdf文档是联邦政府电子认证领域的权威指南，对于理解和实施有效的身份验证策略、保护网络安全及推动电子政务发展具有重要意义。任何实施或遵循此标准的组织，都需要确保其系统的安全性、可靠性和合规性。

Electronic Authentication Guideline

• Clarification of differences between Levels 3 and 4 in Table 12; and

• New guidelines that permit leveraging existing credentials to issue derived

credentials.

The subsequent sections of NIST SP 800-63-1 presented a series of recommendations for

the secure implementation of RAs, CSPs, Verifiers, and RPs. It should be noted that

secure implementation of any one of these can only provide the desired level of assurance

if the others are also implemented securely. Therefore, the following assumptions were

made in NIST SP 800-63-1:

• RAs, CSPs, and Verifiers are trusted entities. Agencies implementing any of

the above trusted entities have some assurance that all other trusted entities

with which the agency interacts are also implemented appropriately for the

desired security level.

• The RP is not considered a trusted entity. However, in some authentication

systems the Verifier maintains a relationship with the RP to facilitate secure

communications and may employ security controls which only attain their full

value when the RP acts responsibly. The Subscriber also trusts the RP to

properly perform the requested service and to follow all relevant privacy

policy.

• It is assumed that there exists a process of certification through which

agencies can obtain the above assurance for trusted entities which they do not

implement themselves.

• A trusted entity is considered to be implemented appropriately if it complies

with the recommendations in this document and does not behave maliciously.

• While it is generally assumed that trusted entities will not behave maliciously,

this document does contain some recommendations to reduce and isolate any

damage done by a malicious or negligent trusted entity.

NIST SP 800-63-2 is a limited update of Special Publication 800-63-1 and substantive

changes are made only in section 5. Registration and Issuance Processes. The substantive

changes in the revised draft are intended to facilitate the use of professional credentials in

the identity proofing process, and to reduce the need to use postal mail to an address of

record to issue credentials for level 3 remote registration. Other changes to section 5 are

minor explanations and clarifications.

Electronic Authentication Guideline

3. Definitions and Abbreviations

There are a variety of definitions used in the area of authentication. We have kept terms

consistent with the original version of SP 800-63. Pay careful attention to how the terms

are defined here.

Active Attack

An attack on the authentication protocol where the Attacker transmits

data to the Claimant, Credential Service Provider, Verifier, or Relying

Party. Examples of active attacks include man-in-the-middle,

impersonation, and session hijacking.

Address of Record

The official location where an individual can be found. The address of

record always includes the residential street address of an individual

and may also include the mailing address of the individual. In very

limited circumstances, an Army Post Office box number, Fleet Post

Office box number or the street address of next of kin or of another

contact individual can be used when a residential street address for the

individual is not available.

Approved

Federal Information Processing Standard (FIPS) approved or NIST

recommended. An algorithm or technique that is either 1) specified in a

FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST

Recommendation.

Applicant

A party undergoing the processes of registration and identity proofing.

Assertion

A statement from a Verifier to a Relying Party (RP) that contains

identity information about a Subscriber. Assertions may also contain

verified attributes.

Assertion Reference

A data object, created in conjunction with an assertion, which identifies

the Verifier and includes a pointer to the full assertion held by the

Verifier.

Assurance

In the context of OMB M-04-04 and this document, assurance is

defined as 1) the degree of confidence in the vetting process used to

establish the identity of an individual to whom the credential

was issued, and 2) the degree of confidence that the individual who

uses the credential is the individual to whom the credential was issued.

Asymmetric Keys

Two related keys, a public key and a private key that are used to

perform complementary operations, such as encryption and decryption

or signature generation and signature verification.

Attack

An attempt by an unauthorized individual to fool a Verifier or a

Relying Party into believing that the unauthorized individual in

question is the Subscriber.

Attacker

A party who acts with malicious intent to compromise an information

system.

Attribute

A claim of a named quality or characteristic inherent in or ascribed to

someone or something. (See term in [ICAM] for more information.)

Authentication

The process of establishing confidence in the identity of users or

information systems.

Electronic Authentication Guideline

Authentication

Protocol

A defined sequence of messages between a Claimant and a Verifier that

demonstrates that the Claimant has possession and control of a valid

token to establish his/her identity, and optionally, demonstrates to the

Claimant that he or she is communicating with the intended Verifier.

Authentication

Protocol Run

An exchange of messages between a Claimant and a Verifier that

results in authentication (or authentication failure) between the two

parties.

Authentication Secret

A generic term for any secret value that could be used by an Attacker to

impersonate the Subscriber in an authentication protocol.

These are further divided into short-term authentication secrets, which

are only useful to an Attacker for a limited period of time, and long-

term authentication secrets, which allow an Attacker to impersonate

the Subscriber until they are manually reset. The token secret is the

canonical example of a long term authentication secret, while the token

authenticator, if it is different from the token secret, is usually a short

term authentication secret.

Authenticity

The property that data originated from its purported source.

Bearer Assertion

An assertion that does not provide a mechanism for the Subscriber to

prove that he or she is the rightful owner of the assertion. The RP has to

assume that the assertion was issued to the Subscriber who presents the

assertion or the corresponding assertion reference to the RP.

Bit

A binary digit: 0 or 1.

Biometrics

Automated recognition of individuals based on their behavioral and

biological characteristics.

In this document, biometrics may be used to unlock authentication

tokens and prevent repudiation of registration.

Certificate Authority

(CA)

A trusted entity that issues and revokes public key certificates.

Certificate Revocation

List (CRL)

A list of revoked public key certificates created and digitally signed by

a Certificate Authority. See [RFC 5280].

Challenge-Response

Protocol

An authentication protocol where the Verifier sends the Claimant a

challenge (usually a random value or a nonce) that the Claimant

combines with a secret (such as by hashing the challenge and a shared

secret together, or by applying a private key operation to the challenge)

to generate a response that is sent to the Verifier. The Verifier can

independently verify the response generated by the Claimant (such as

by re-computing the hash of the challenge and the shared secret and

comparing to the response, or performing a public key operation on the

response) and establish that the Claimant possesses and controls the

secret.

Claimant

A party whose identity is to be verified using an authentication

protocol.

Electronic Authentication Guideline

Claimed Address

The physical location asserted by an individual (e.g. an applicant)

where he/she can be reached. It includes the residential street address of

an individual and may also include the mailing address of the

individual.

For example, a person with a foreign passport, living in the U.S., will

need to give an address when going through the identity proofing

process. This address would not be an “address of record” but a

“claimed address.”

Completely

Automated Public

Turing test to tell

Computers and

Humans Apart

(CAPTCHA)

An interactive feature added to web-forms to distinguish use of the

form by humans as opposed to automated agents. Typically, it requires

entering text corresponding to a distorted image or from a sound

stream.

A character string, placed in a web browser’s memory, which is

available to websites within the same Internet domain as the server that

placed them in the web browser.

Cookies are used for many purposes and may be assertions or may

contain pointers to assertions. See Section 9.1.1 for more information.

Credential

An object or data structure that authoritatively binds an identity (and

optionally, additional attributes) to a token possessed and controlled by

a Subscriber.

While common usage often assumes that the credential is maintained

by the Subscriber, this document also uses the term to refer to

electronic records maintained by the CSP which establish a binding

between the Subscriber’s token and identity.

Credential Service

Provider (CSP)

A trusted entity that issues or registers Subscriber tokens and issues

electronic credentials to Subscribers. The CSP may encompass

Registration Authorities (RAs) and Verifiers that it operates. A CSP

may be an independent third party, or may issue credentials for its own

use.

Cross Site Request

Forgery (CSRF)

An attack in which a Subscriber who is currently authenticated to an

RP and connected through a secure session, browses to an Attacker’s

website which causes the Subscriber to unknowingly invoke unwanted

actions at the RP.

For example, if a bank website is vulnerable to a CSRF attack, it may

be possible for a Subscriber to unintentionally authorize a large money

transfer, merely by viewing a malicious link in a webmail message

while a connection to the bank is open in another browser window.

Electronic Authentication Guideline

Cross Site Scripting

(XSS)

A vulnerability that allows attackers to inject malicious code into an

otherwise benign website. These scripts acquire the permissions of

scripts generated by the target website and can therefore compromise

the confidentiality and integrity of data transfers between the website

and client. Websites are vulnerable if they display user supplied data

from requests or forms without sanitizing the data so that it is not

executable.

Cryptographic Key

A value used to control cryptographic operations, such as decryption,

encryption, signature generation or signature verification. For the

purposes of this document, key requirements shall meet the minimum

requirements stated in Table 2 of NIST SP 800-57 Part 1.

See also Asymmetric keys, Symmetric key.

Cryptographic Token

A token where the secret is a cryptographic key.

Data Integrity

The property that data has not been altered by an unauthorized entity.

Derived Credential

A credential issued based on proof of possession and control of a token

associated with a previously issued credential, so as not to duplicate the

identity proofing process.

Digital Signature

An asymmetric key operation where the private key is used to digitally

sign data and the public key is used to verify the signature. Digital

signatures provide authenticity protection, integrity protection, and

non-repudiation.

Eavesdropping Attack

An attack in which an Attacker listens passively to the authentication

protocol to capture information which can be used in a subsequent

active attack to masquerade as the Claimant.

Electronic

Authentication (E-

Authentication)

The process of establishing confidence in user identities electronically

presented to an information system.

Entropy

A measure of the amount of uncertainty that an Attacker faces to

determine the value of a secret. Entropy is usually stated in bits. See

Appendix A.

Extensible Mark-up

Language (XML)

Extensible Markup Language, abbreviated XML, describes a class of

data objects called XML documents and partially describes the

behavior of computer programs which process them.

Federal Bridge

Certification Authority

(FBCA)

The FBCA is the entity operated by the Federal Public Key Infrastructure

(FPKI) Management Authority that is authorized by the Federal PKI

Policy Authority to create, sign, and issue public key certificates to

Principal CAs.

Federal Information

Security Management

Act (FISMA)

Title III of the E-Government Act requiring each federal agency to

develop, document, and implement an agency-wide program to provide

information security for the information and information systems that

support the operations and assets of the agency, including those

provided or managed by another agency, contractor, or other source.

剩余122页未读，继续阅读

艾米的爸爸

粉丝: 783
资源: 314

NIST SP 800-63-2：电子身份验证技术指南

打字员：NIST SP 800-60，《将信息和信息系统的类型映射到安全类别的指南》

nist 800-181标准中文版

NIST零信任架构SP 800-207 标准草案（中文版）.pdf

NIST SP800-63.pdf

NIST SP800-81-2.pdf

NIST SP800-76-2.pdf

NIST SP800-79-2.pdf

NIST SP800-52r2-draft2.pdf

NIST SP800-85A-2-final.pdf

NIST SP800-70-rev2.pdf

最新资源