AD-Assurance Notes from April 5
David Walker, InCommon/Internet2
Brian Arkills, UWash
Michael Brogan, UWash
Jeff Capehart, UFL
Ron Thielen, UChicago
Joe Streeter, UW Madison
Eric Coleman, University of Illinois
Jeff Whitworth, UNC-Greensboro
Mark Rank, UCSF
Ann West, InCommon/Internet2
Next Call
April 12 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Updates to AIs
Action Items
Cookbook Todo List
Add guidance about methods to prevent transient password exposure.
Notes
NASA Questions
Do they support LoA 2 or higher with AD with a password? What levels of Assurance do they support with AD? If so how? Show the Matrix.
Notes approved.
Action Item Updates
David's AM Abstract - InC AM meant to address specific criterion of the IAP. Maybe this could be more of a general principle of how to review this. Need an AM proposal for the specific item, but introduce this notion of checking non-compliant behavior in a timely manner when we see it.
Michael's updates re: LDAP and protected channels - duplicated across the table. How should we track it in the table. Add it one and then refer to it with the footnote. Anyone turned off all the non-compliant ciphers? For PCI, Chicago has done this, but has not received complaints. AM might be RC4 128 bit encryption is as good as the approved algorithms. This would fall under industry standard, but isn't NIST/FIPS approved. Could be approved for a period of time or just for Bronze?
Matrix
4.2.5.1 - Resist Replay Attack - Needs more details. NTLMv2 has a time element that isn't included. More to the Kerberos statement. Resist Replay doesn't give you anything to make an identity assertion. Where does AD fit into the IdMS and act as a verifier for the IdP? Ron says these aren't gaps. High level statement to apply to particular environment. Passive listening.
Don't learn the password, just replaying a hash or another cred that gets you to the target.
Review our Scoping.
Storing or using the same password in AD as in the verifier for the IdP, this applies.
Brian - flush out for the next call.
4.2.5.2 - Resist Eavesdropper Attack - Capture credential and use in replay, or capture credential and decrypt it. Crux in MitM/eavesdropper isn't as important as the risk you're trying to mitigate. Eavesdropping on a one-time used token (Kerberos) is lower risk than on a multiple-use password.
Active act.
Impractical as defined in 800-63 takes at least 2^80 cryptographic operations to crack it. A 13 character password is 2^85.
Would be good to compare Kerb5 with MS AD Kerb.
Kerb - pre-authn key exchange could be vulnerable to eavesdropper - MS implemented Kerb armoring in Windows 2012 and 2008.
Kerb - resist by definition of the protocol.
If using 2008, could increase the password length to mitigate.
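Worked calculation for the 2^80 threshold and the "13 characters is 2^85" figure above (added example, not part of the original notes). It assumes a 94-symbol printable ASCII alphabet, which is what makes 13 characters come out at 2^85, and it measures only the exhaustive keyspace, not how guessable a human-chosen password actually is.

```python
import math

# "Impractical" threshold the notes cite from NIST SP 800-63:
# at least 2^80 operations to crack.
IMPRACTICAL_BITS = 80

# Assumed alphabet sizes (not from the notes). The 94 printable ASCII
# symbols reproduce the notes' figure: 13 characters ~ 2^85.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 94,
}


def work_bits(length: int, alphabet_size: int) -> float:
    """log2 of the guesses needed to exhaust every password of this length."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, bits: int = IMPRACTICAL_BITS) -> int:
    """Shortest length whose full keyspace reaches the work-factor threshold."""
    return math.ceil(bits / math.log2(alphabet_size))


def is_impractical(length: int, alphabet_size: int,
                   bits: int = IMPRACTICAL_BITS) -> bool:
    """True when brute-forcing the whole keyspace meets the 800-63 bar."""
    return work_bits(length, alphabet_size) >= bits


if __name__ == "__main__":
    # Shows why a length-only mitigation (as suggested for 2008 above)
    # depends heavily on which characters the password policy allows.
    for name, size in ALPHABETS.items():
        print(f"{name:16s} 13 chars = 2^{work_bits(13, size):.1f}; "
              f"need {min_length(size)} chars for 2^{IMPRACTICAL_BITS}")
```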
Michael - SSL and TLS and Kerberos information in email and reference them into the right cells.