4.2.3 Credential Technology | These InCommon IAPs are based on use of “shared Authentication Secret” forms of identity Credentials. If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements. |
Criteria | Management Assertion |
.1 Credential unique identifier | 1. The institution's personal digital certificate (PDC) is issued with a Subject Distinguished Name (DN) and a serial number. The serial number is a unique number in the serial number field. The DN of the PDC contains a UID. The UID is a uniquely assigned attribute of a person in the institution's Enterprise Directory. See the {link to certificate profile} for a complete description of the certificate DN. The serial number and the UID together distinguish the PDC from all other Credentials issued by the IdPO. |
.2 Resistance to guessing Authentication Secret | See 4.2.3.3, Strong Resistance |
.3 Strong resistance to guessing Authentication | 1. The institution's PDC on the MF device provides cryptographic strength mechanisms described in NIST [SP 800-63] for Level 3 and 4 assurance, protecting the private key against compromise by on-line guessing. The device is a multi-factor "hard" cryptographic token, requiring the user to unlock the device with a password in order to access the private key. 2. The authentication secret (1024-bit RSA key) has about 80 bits of entropy according to NIST [SP 800-57]. The password used to unlock the MF device is created by the Subject during in-person registration for the device. The password must be at least {insert length here} characters long and must contain a numeric character (0-9), an uppercase English letter (A-Z), a lowercase English letter (a-z), and a special character (~!@#$%^&(){}+`-{[|\;'./:"<>?). Access to the MF device is locked after {insert number here} invalid attempts to enter the correct password. The password for a locked device must be administratively reset, requiring the Subject to visit the institution's RA office in person. |
.4 Stored Authentication Secrets | The authentication secret is the X.509 private key, which is generated on board the MF cryptographic device. The private key cannot be exported off the device; thus it is not escrowed. The MF hardware cryptographic token used by the institution is certified at FIPS 140-2 Level 2. (See the FIPS 140 Certificate: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt852.pdf.) This credential protects stored secrets at NIST [SP 800-63] assurance Level 4, thus meeting the criteria for method 3 in section 4.2.3.4 of the IAP. |
.5 Protected Authentication Secrets | 1. When issuing personal digital certificate credentials, the MF cryptographic device generates and stores the user's RSA key pair inside the protected environment of the smart chip in the device. The user's private key component is never transmitted to another Credential Store and is permanently kept on the device. Access to the private key component on the device is password protected and implements a lockout threshold of 10 consecutive invalid password attempts. |
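As an added illustration (not part of the InCommon assertion or of the institution's device firmware), a small Python model of the unlock-password composition rules in 4.2.3.3 and the consecutive-attempt lockout in 4.2.3.5. The minimum length is assumed to be 8 because the page leaves it as a placeholder; the lockout threshold is the 10 attempts the page states, and the special-character set is copied as it appears on the page.

```python
import hmac
import string

# Special characters as listed in the assertion (braces kept as they appear on the page)
SPECIAL_CHARS = set("~!@#$%^&(){}+`-[|\\;'./:\"<>?")
MIN_LENGTH = 8          # assumption: the page leaves the length as a placeholder
LOCKOUT_THRESHOLD = 10  # from 4.2.3.5: 10 consecutive invalid password attempts

def password_meets_policy(password: str) -> bool:
    """Check an MF device unlock password against the stated composition rules."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in string.digits for c in password)
        and any(c in string.ascii_uppercase for c in password)
        and any(c in string.ascii_lowercase for c in password)
        and any(c in SPECIAL_CHARS for c in password)
    )

class MfDevice:
    """Access control for the on-device private key: a counter of consecutive invalid
    attempts, a hard lock at the threshold, and an RA administrative reset as the only exit."""

    def __init__(self, unlock_password: str):
        if not password_meets_policy(unlock_password):
            raise ValueError("unlock password does not meet the composition policy")
        self._password = unlock_password
        self.failed_attempts = 0
        self.locked = False

    def unlock(self, attempt: str) -> bool:
        """Return True if the private key may be used; never succeeds once locked."""
        if self.locked:
            return False
        if hmac.compare_digest(attempt.encode(), self._password.encode()):
            self.failed_attempts = 0   # only consecutive failures count toward lockout
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False

    def administrative_reset(self, new_password: str) -> None:
        """Performed by the RA after in-person verification; the Subject picks a new password."""
        if not password_meets_policy(new_password):
            raise ValueError("new password does not meet the composition policy")
        self._password = new_password
        self.failed_attempts = 0
        self.locked = False
```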