Scribing Template -- Wed., Nov 13, 2013 at 9am -- Monterey Room

TOPIC: AD Assurance Cookbook Update

CONVENER: Eric Goodman

SCRIBE: David Walker

# of ATTENDEES: 10-12

MAIN ISSUES DISCUSSED:

Draft reviewed can be found here: https://spaces.at.internet2.edu/display/InCAssurance/AD+Silver+Cookbook

  • The Cookbook's recommendation not to rely on Kerberos tokens is a broader issue than just AD.
    • It is based on language in NIST 800-63 indicating that encrypting the initial Kerberos credential (TGT) with a key derived from the user's password is unacceptable.
      • 800-63 indicates that 2^80 bits of entropy (comparable to a 42-character user-selected password) are required if the user password is used to encrypt session keys.
    • Other implementations of Kerberos would share the same vulnerabilities, since the issue lies in the protocol's use of the password rather than in AD specifically.
      • Discussion is ongoing about forming a separate group to review whether Kerberos is an acceptable protocol. If that group determines that Microsoft's Kerberos is OK, the AD Cookbook will be revised.
  • The IAP distinguishes between the IdP's use of the verifier and other applications' use of that same verifier. The requirements are stricter for the IdP's use, which leaves room for less secure AD protocols to be used by non-IdP applications.
  • Vulnerabilities exist, independent of whether certifying for Silver or not. The advice in the Cookbook is valuable even if you are not planning to certify for Silver.
  • Credentials need to be protected when they can be used to affect assertions directly, so AD administrator credentials are likely to be within scope of the requirements.
  • The Cookbook focuses on AD with AD-managed passwords.  LoA-3 MFA, or even non-password single factors managed outside of AD, are other possible routes to Silver compliance.
  • Consider local application security, as well as the Silver requirements, when deciding how to approach the issues raised in the Cookbook.  You may very well want to exceed the minimum required for compliance with the IAP.