4.2.5.1 - Resist Replay Attack

The Kerberos central authentication system includes several countermeasures to resist replay attacks: a) address fields in tickets, so that a ticket presented from a network address it was not issued for is rejected; b) time-based authenticators, which the service rejects when their timestamp falls outside the permitted clock skew; and c) replay caches, which record recently seen authenticators and reject any duplicate presented within that skew window.
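How the three countermeasures fit together is easier to see in code. The following is an added illustration, not Kerberos or any KDC's own implementation; it models the RFC 4120 Authenticator fields (cname, ctime, cusec) and the ticket's address list, and the scenario in `demo()` uses a constructed clock and constructed principal names.

```python
import time

# Added illustration of Kerberos replay countermeasures (a)-(c), modelled on
# the RFC 4120 Authenticator fields (cname, ctime, cusec) and the ticket's
# client address list. Not code from Kerberos or any KDC implementation.

CLOCK_SKEW = 300  # seconds; the conventional Kerberos default


class ReplayCache:
    """Remembers recently seen authenticators and rejects duplicates."""

    def __init__(self, skew=CLOCK_SKEW, clock=time.time):
        self.skew = skew
        self.clock = clock          # injectable so the scenario below is deterministic
        self._seen = {}             # (cname, sname, ctime, cusec) -> expiry time

    def _purge(self, now):
        # An entry only needs to live while its authenticator could still pass
        # the skew check, i.e. until ctime + skew; after that it is dropped.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check(self, cname, sname, ctime, cusec, client_addr=None, ticket_addrs=None):
        """Return (accepted, reason) for one presented authenticator."""
        now = self.clock()

        # (a) address field: if the ticket names addresses, the peer must match one
        if ticket_addrs and client_addr not in ticket_addrs:
            return False, "client address not in ticket"

        # (b) time-based authenticator: reject anything outside the skew window
        if abs(now - ctime) > self.skew:
            return False, "authenticator outside clock skew window"

        # (c) replay cache: same client/server/ctime/cusec seen before => replay
        self._purge(now)
        key = (cname, sname, ctime, cusec)
        if key in self._seen:
            return False, "replay detected"
        self._seen[key] = ctime + self.skew
        return True, "accepted"


def demo():
    """Constructed scenario with a controllable clock; returns four verdicts."""
    clock = [1_700_000_000.0]   # constructed epoch time, not a real capture
    rc = ReplayCache(skew=CLOCK_SKEW, clock=lambda: clock[0])
    auth = dict(cname="alice@EXAMPLE.ORG",
                sname="host/app.example.org@EXAMPLE.ORG",   # hypothetical service principal
                ctime=1_700_000_000, cusec=4242,
                client_addr="10.0.0.5", ticket_addrs=["10.0.0.5"])

    fresh = rc.check(**auth)                                    # first use: accepted
    replayed = rc.check(**auth)                                 # identical authenticator again
    spoofed = rc.check(**{**auth, "client_addr": "10.0.0.99"})  # relayed from another address
    clock[0] += CLOCK_SKEW + 1
    stale = rc.check(**{**auth, "cusec": 4243})                 # new authenticator, but too old
    return fresh, replayed, spoofed, stale


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note the expiry choice: an entry is kept until `ctime + skew`, not `now + skew`, because an authenticator whose timestamp was slightly in the future when first seen can still pass the skew check for almost two skew intervals.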

4.2.5.2 - Resist Eavesdropper Attack

4.2.5.3 - Secure Communication
Management asserts that all communication between the Subject and the IdP is carried over a secure communication channel using HTTPS with AES ___-bit encryption.

4.2.5.4 - Proof of Possession

4.2.5.5 - Session Authentication
Sample assertion for Shibboleth:
The Shibboleth IdP protects the session with SSL/TLS encryption along with a secure cookie management strategy (session cookies marked Secure and HttpOnly) for session maintenance.
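A practitioner reviewing this assertion will want to verify the cookie attributes rather than take them on trust. The following is an added check, not Shibboleth's own code: it parses `Set-Cookie` header values and reports missing Secure, HttpOnly or SameSite attributes and persistent lifetimes. The sample headers are constructed for illustration; `shib_idp_session` is used as the cookie name on the assumption that it is the IdP's session cookie.

```python
# Added audit of Set-Cookie headers for an IdP session cookie. This is not
# Shibboleth code; the headers in SAMPLE_HEADERS are constructed examples.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        # flag attributes (Secure, HttpOnly) map to True; valued ones keep their value
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return a list of findings for one Set-Cookie header; empty means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie could be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script; XSS can steal the session)")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        # Review rather than hard fail: cross-site SAML POST bindings may need
        # a cookie that is sent on cross-site requests.
        findings.append(f"{name}: SameSite absent or None (review against the SAML bindings in use)")
    if "max-age" in attrs or "expires" in attrs:
        findings.append(f"{name}: persistent cookie (Max-Age/Expires set); session cookies should expire with the browser")
    return findings


# Constructed sample headers: one weak, one hardened.
SAMPLE_HEADERS = {
    "weak": "shib_idp_session=abc123; Path=/idp; Domain=idp.example.edu",
    "hardened": "shib_idp_session=abc123; Path=/idp; Secure; HttpOnly; SameSite=Lax",
}


def audit_all(headers=SAMPLE_HEADERS):
    """Audit every sample header; returns {label: findings}."""
    return {label: audit_session_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, "->", findings or "OK")
```

To apply it to a live IdP, capture the `Set-Cookie` headers from the login response (for example from the browser's developer tools or `curl -i`) and pass each one to `audit_session_cookie`.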

4.2.5.6 - Mitigate Risk of Credential Compromise
Included in the account-claim email is the following text, which is also published on the "protect your identity" web page at http:// .... /

"Protect your passwords and do NOT share them with anyone. Sharing account information, whether with people you know or through "social engineering", is among the most common reasons for identity theft. The university will NEVER ask you for your passwords. If you fear an account may be compromised, change the password or contact the Help Center immediately. (Your university password can be reset at the password reset website https:// ... /)."
