
AD-Assurance Notes from April 5

David Walker, InCommon/Internet2
Brian Arkills, UWash
Michael Brogan, UWash 
Jeff Capehart, UFL 
Ron Thielen, UChicago 
Joe Streeter, UW Madison 
Eric Coleman, University of Illinois 
Jeff Whitworth, UNC-Greensboro
Mark Rank, UCSF
Ann West, InCommon/Internet2 

Next Call

April 12 at Noon ET
+1-734-615-7474 PREFERRED
+1-866-411-0013
0195240#
Agenda: Updates to AIs

Action Items

Cookbook Todo List

Add guidance about methods to prevent transient password exposure.

Notes

NASA Questions

Do they support LoA 2 or higher with AD using a password? What levels of assurance do they support with AD? If so, how? Show the matrix.

Notes approved.

Action Item Updates

David's AM abstract - an InCommon AM is meant to address a specific criterion of the IAP. Maybe this could be more of a general principle of how to review this. We need an AM proposal for the specific item, but should introduce the notion of checking for non-compliant behavior in a timely manner when we see it.

Michael's updates re: LDAP and protected channels - duplicated across the table. How should we track it in the table? Add it once and then refer to it with a footnote. Has anyone turned off all the non-compliant ciphers? For PCI, Chicago has done this and has not received complaints. An AM might be that RC4 128-bit encryption is as good as the approved algorithms. This would fall under industry standard, but isn't NIST/FIPS approved. Could it be approved for a period of time, or just for Bronze?

Matrix

4.2.5.1 - Resist Replay Attack - Needs more details. NTLMv2 has a time element that isn't included. More is needed for the Kerberos statement. Resisting replay doesn't give you anything to make an identity assertion. Where does AD fit into the IdMS when it acts as a verifier for the IdP? Ron says these aren't gaps. It is a high-level statement to be applied to a particular environment. Passive listening.

The attacker doesn't learn the password, just replays a hash or another credential that gets them to the target.

Review our Scoping. 

If the same password is stored or used in AD as in the verifier for the IdP, this applies.

Brian - flesh out for the next call.

4.2.5.2 - Resist Eavesdropper Attack - Capture the credential and use it in a replay, or capture the credential and decrypt it. The crux: the details of MitM/eavesdropper attacks aren't as important as the risk you're trying to mitigate. Eavesdropping on a one-time-use token (Kerberos) is lower risk than eavesdropping on a multiple-use password.

Active attack.

"Impractical" as defined in 800-63 means it takes at least 2^80 cryptographic operations to crack. A 13-character password is 2^85.

It would be good to compare Kerb5 with MS AD Kerb.

Kerb - the pre-authn key exchange could be vulnerable to an eavesdropper; MS implemented Kerberos armoring in Windows 2012 and 2008.

Kerb - resists by definition of the protocol.

If using 2008, the password length could be increased to mitigate.

Michael - send the SSL, TLS and Kerberos information in email and reference it into the right cells.
