Password Credential Assessment Profile 1.6.0

E-Authentication Credential Assessment for InCommon Federation Sampling of Three Universities

Gap Analysis Checklist

This checklist indicates the degree of compliance for the three universities that were assessed using the E-Authentication Assessment Framework. It provides a basis for comparison without highlighting any individual program.

Compliance Color Code Key
All in Compliance / 48%
One or more in Compliance / 25%
None in Compliance / 25%
Not Applicable (N/A) / 2%

Compliance Status terms:

Assurance Level 1

1.  Organizational Maturity

Tag / Description / University 1 status and notes / University 2 status and notes / University 3 status and notes

Established
  Description:
    1. The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package.
    2. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment.
  University 1 (C): Letter from Purchasing Dept: viewed copy of Dunlop letter.
  University 2 (CP): Signed document from vice provost to be provided.
  University 3 (C): Impact Statement document: approved 1/2005.

Authorization to Operate
  Description:
    1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies.
    2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
  University 1 (CP): ATO will be available soon as compliance evidence.
  University 2 (C): ATO signed on March 1, 2004.
  University 3 (C): Impact Statement.

General Disclosure
  Description:
    1. The CSP shall make the Terms, Conditions, and Privacy Policy (TC&P) for the CS available to the intended user community.
    2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
  University 1 (C): TC&P must be signed as read by all new users. Any changes to the TC&P are broadcast by email, newswire, and in the student newspaper. Documentation is currently being updated.
  University 2 (C): TC&P on website. Email sent to customers at least once a year with a link back to the current TC&P.
  University 3 (C): TC&P and any changes to them are broadcast by email, covered in the student newspaper, and addressed in on-campus “town hall” meetings. Additionally, in the future new users will be required to read the TC&P policies the first time they log in, and to document that they have read them (by clicking a button that records the submission).

2.  Authentication Protocol

Tag / Description / University 1 status and notes / University 2 status and notes / University 3 status and notes

Secure Channel
  Description: Secrets transmitted across an open network shall be encrypted.
  University 1 (C): SSL.
  University 2 (C): SSH, SSL, Kerberos.
  University 3 (C): SSL, Kerberos.

Proof of Control
  Description: The authentication protocol shall prove the claimant has control of the authentication password token.
  University 1 (C): SSL.
  University 2 (C): SSL. Claimant self-selects password; no one else knows it.
  University 3 (C): SSL.
Session Authentication
  Description: Session tokens shall be cryptographically authenticated. For example, session cookies must be encrypted, digitally signed, or contain an HMAC.
  University 1 (C): Cosign, Kerberos.
  University 2 (C): SSL.
  University 3 (C): SSL, or Kerberos, or both.
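The Session Authentication criterion above names an HMAC as one acceptable way to make a session cookie tamper-evident. The following is an added illustration, not code from the assessment or from any of the three universities: a minimal mint/verify pair in which the cookie is a base64url payload plus an HMAC-SHA256 tag, verified in constant time and checked for expiry. The key, the claim names (sub, iat, exp, nonce) and the helper names are assumptions chosen for the example.

```python
"""HMAC-authenticated session cookie: mint and verify (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side key; in practice load it from a secret store, never hard-code it.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_session_cookie(user_id: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                        now: Optional[float] = None) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user_id, "iat": issued, "exp": issued + ttl_seconds,
              "nonce": secrets.token_hex(8)}          # nonce makes each cookie unique
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY,
                          now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the cookie is unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):        # constant-time comparison
        return None
    claims = json.loads(payload)                      # only parsed after authentication
    current = now if now is not None else time.time()
    if claims["exp"] <= current:
        return None
    return claims


def tampered_copy(cookie: str, new_subject: str) -> str:
    """Negative-test helper: rewrite the subject in the payload but keep the old tag.
    A verifier that accepts this is not authenticating its session tokens."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(payload_b64))
    claims["sub"] = new_subject
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(payload)}.{tag_b64}"


if __name__ == "__main__":
    cookie = mint_session_cookie("alice", ttl_seconds=3600)   # constructed sample user
    print("valid:   ", verify_session_cookie(cookie))
    print("tampered:", verify_session_cookie(tampered_copy(cookie, "admin")))
```

Because the payload is only parsed after the tag check passes, a modified or truncated cookie is rejected before any claim in it can influence the server; the same structure works for a signed (rather than HMAC) token if the tag computation is swapped for a signature.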
Stored Secrets
  Description: Secrets such as passwords shall not be stored as plaintext, and access to them shall be protected by discretionary access controls that limit access to administrators and applications that require access.
  University 1 (NC): Username and password file is encrypted using Kerberos, but a temporary password is given out at account activation with a rule stating that the password should be changed immediately. The password is stored in the encrypted directory but is also stored in the clear for use if the password ever needs to be reset. Recommendation: force the user to change the temporary password immediately at first logon to ensure that a secret password is stored in the encrypted directory.
  University 2 (C): Username and password file is encrypted using Kerberos.
  University 3 (C): Username and password file is encrypted using Kerberos at all times.

Non-repudiation
  Description: Measures shall be taken to reduce the risk of a subscriber intentionally compromising his/her token in order to repudiate authentication.
  University 1 (C): Periodically, security requirement emails are sent to users. Security awareness campaigns are conducted with freshmen. Recommendation: have the email link to a confirmation submission that the user has read the rules and policies.
  University 2 (C): Policies and rules are posted on the website. Periodically, emails are sent with a link back to the policies and rules.
  University 3 (C): Logon anomalies are monitored and checked. Periodically, TC&P policy emails are sent to users. Recommendation: whenever updates to Net ID policies are sent out through email, include an “I agree to the TC&P policies” confirmation button for the user to click, which records that they have read and agree to the rules and policies.

Threat Protection
  Description: The authentication protocol must resist:
    1. On-line guessing
    2. Replay
  University 1 (NC): SSL, Kerberos. Need to have sufficient lockout rules and/or password life rules.
  University 2 (NC): SSL, Kerberos. Need to have sufficient lockout rules and/or password life rules.
  University 3 (NC): SSL, Kerberos. Need to have sufficient lockout rules and/or password life rules.

Protocol Types
  Description: The only authentication protocol types allowed at this Assurance Level are:
    · Tunneled password
    · Zero knowledge-based password
    · Challenge-response password
  University 1 (C): Tunneled password.
  University 2 (C): Tunneled password.
  University 3 (C): Tunneled password.

Approved Cryptography
  Description:
    1. At this assurance level, cryptographic operations are required between: a) Verifier and Relying Party.
    2. All cryptographic operations shall be done in compliance with approved cryptographic techniques.
    3. An approved cryptographic technique is one that is either FIPS approved or NIST recommended, that is, an algorithm or technique that is either: 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.
  University 1 (P): To comply with the E-Authentication architecture, eGCA server certificates must be used to pass assertions. Therefore, to become a member of the E-Authentication Federation, an eGCA server certificate must be installed at the CS. Kerberos and SSL are used.
  University 2 (P): Server certificates are used. To be a member of the E-Authentication Federation, an eGCA server certificate must be installed at the CS. Kerberos and SSL are used.
  University 3 (P): To comply with the E-Authentication architecture, eGCA server certificates must be used to pass assertions. Therefore, to become a member of the E-Authentication Federation, an eGCA server certificate must be installed at the CS. Kerberos and SSL are used.

FIPS 140-2
  Description: Approved cryptographic algorithms must be implemented in a FIPS 140-2 Level 1 cryptographic module.
  University 1 (C).
  University 2 (C): SHA1.
  University 3 (C).

3.  Token Strength

Tag / Description / University 1 status and notes / University 2 status and notes / University 3 status and notes

Uniqueness
  Description:
    1. Each subscriber shall self-select at registration time a unique token (e.g., UserID + Password).
    2. A user can have more than one token, but a token can only map to one user.
    3. Unique tokens cannot be recycled after a subscriber leaves the CS.
  University 1 (NC): A unique, temporary password is generated and given to the new user with the stated rule that the password should be changed when the user logs on for the first time. The rule is not enforced. Recommendation: have the CS enforce the rule at the new user's initial logon.
  University 2 (NC): Some of the userids and passwords are shared by groups of individuals.
  University 3 (CP): A unique, temporary password is generated and given to the new user with the stated rule that the password should be changed when the user logs on for the first time. The rule is not enforced, but is being changed to force the change.
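Two findings above share one root cause: a temporary password handed out at activation that is kept in the clear for resets (Stored Secrets) and whose mandatory change at first logon is stated but not enforced (Uniqueness). The following is an added example of how a credential store can satisfy both criteria at once; it is not code from the assessment or from any of the universities. It keeps only a salted PBKDF2 hash, records a must-change flag with the temporary password, refuses to grant a session until that flag is cleared, and performs a reset by issuing a fresh temporary password rather than reading a plaintext copy. The iteration count, the minimum new-password length and all names are assumptions for the example.

```python
"""Credential store that keeps only salted password hashes and enforces the
temporary-password change at first logon (added example)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000   # assumption: raise until one hash costs tens of milliseconds
SALT_BYTES = 16


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes
    must_change: bool         # True while a temporary password is in effect


class CredentialStore:
    """One CredentialRecord per user; the clear-text password is never retained."""

    def __init__(self) -> None:
        self._records: Dict[str, CredentialRecord] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def _store(self, user_id: str, password: str, must_change: bool) -> None:
        salt = os.urandom(SALT_BYTES)                  # fresh salt on every change
        self._records[user_id] = CredentialRecord(salt, self._derive(password, salt), must_change)

    def activate_account(self, user_id: str) -> str:
        """Create the account with a random temporary password and return it for
        out-of-band delivery; only its salted hash is kept."""
        temp = secrets.token_urlsafe(12)
        self._store(user_id, temp, must_change=True)
        return temp

    def reset_password(self, user_id: str) -> str:
        """A reset issues a new temporary password, so no plaintext copy is ever needed."""
        if user_id not in self._records:
            raise KeyError(user_id)
        return self.activate_account(user_id)

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'denied', 'change_required' (temporary password still in force) or 'ok'."""
        rec = self._records.get(user_id)
        if rec is None:
            self._derive(password, bytes(SALT_BYTES))  # keep timing similar for unknown users
            return "denied"
        if not hmac.compare_digest(self._derive(password, rec.salt), rec.digest):
            return "denied"
        return "change_required" if rec.must_change else "ok"

    def change_password(self, user_id: str, current: str, new: str) -> bool:
        """Only a caller who proves the current (possibly temporary) password may change it,
        and the temporary value itself may not be kept."""
        if self.authenticate(user_id, current) == "denied":
            return False
        if new == current or len(new) < 8:    # minimum length is an assumption for the example
            return False
        self._store(user_id, new, must_change=False)
        return True

    def record(self, user_id: str) -> Optional[CredentialRecord]:
        return self._records.get(user_id)


def begin_session(store: CredentialStore, user_id: str, password: str) -> str:
    """Logon gate: a session is granted only once the temporary password has been replaced."""
    outcome = store.authenticate(user_id, password)
    if outcome == "ok":
        return "session granted"
    if outcome == "change_required":
        return "redirect to mandatory password change"
    return "logon refused"


if __name__ == "__main__":
    store = CredentialStore()
    temp = store.activate_account("jdoe")                              # constructed sample user
    print(begin_session(store, "jdoe", temp))                          # redirect to mandatory password change
    store.change_password("jdoe", temp, "correct horse battery staple")
    print(begin_session(store, "jdoe", "correct horse battery staple"))  # session granted
```

The enforcement point is `begin_session`: a correct temporary password proves control of the token but never yields a session, so the "change immediately" rule stops being advice and becomes a property of the system.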
Resistance to Guessing
  Description: At this assurance level, the PIN (numeric-only) or Password, together with the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected user’s PIN or Password has a probability of success of less than 2^-10 (1 chance in 1,024) over the life of the PIN or Password. Refer to NIST SP 800-63 Appendix A and the CAF Suite’s Entropy Spreadsheet to calculate resistance to on-line guessing.
  University 1 (NC): Used Entropy model. Recommendation: need to have sufficient lockout rules and/or password life rules. A new version of the Entropy model is located at http://www.cio.gov/ (Eauthentication, under Tools, E-A Assessment Suite).
  University 2 (NC): Used Entropy model. Recommendation: need to have sufficient lockout rules and/or password life rules. A new version of the Entropy model is located at http://www.cio.gov/ (Eauthentication, under Tools, E-A Assessment Suite).
  University 3 (NC): Used Entropy model. Recommendation: need to have sufficient lockout rules and/or password life rules. A new version of the Entropy model is located at http://www.cio.gov/ (Eauthentication, under Tools, E-A Assessment Suite).
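All three universities fail Resistance to Guessing (and the on-line guessing half of Threat Protection in section 2) for the same reason: the entropy model alone does not show a success probability below 2^-10 unless lockout and password-life rules cap the number of guesses. The following added example, which is not the CAF Entropy Spreadsheet nor code from the assessment, makes that arithmetic explicit. It estimates password entropy with the user-chosen-password heuristic from NIST SP 800-63 Appendix A as recalled here (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for 9 through 20, 1 bit beyond, plus a 6-bit composition-rule bonus; the dictionary-check bonus is simplified to a flat 6 bits for passwords of at most 20 characters, which is an assumption to verify against the spreadsheet), bounds the number of on-line guesses a lockout policy allows over the password's life, and compares guesses / 2^H with the 2^-10 target. The policy values are constructed for illustration.

```python
"""Estimate resistance to on-line password guessing against the 2^-10 target (added example)."""
from dataclasses import dataclass

GUESSING_TARGET = 2 ** -10   # allowed success probability over the password's life (1 in 1,024)


def estimated_entropy_bits(length: int, composition_rules: bool = False,
                           dictionary_check: bool = False) -> float:
    """SP 800-63 Appendix A heuristic for user-chosen passwords, as recalled here.
    The dictionary bonus is simplified to a flat 6 bits for length <= 20 (assumption)."""
    if length <= 0:
        return 0.0
    bits = 4.0                                    # first character
    bits += 2.0 * min(length - 1, 7)              # characters 2 through 8
    bits += 1.5 * max(0, min(length, 20) - 8)     # characters 9 through 20
    bits += 1.0 * max(0, length - 20)             # characters 21 and beyond
    if composition_rules:                         # upper case + non-alphabetic required
        bits += 6.0
    if dictionary_check and length <= 20:
        bits += 6.0
    return bits


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int        # failed attempts tolerated per window before the account locks
    window_minutes: float    # length of that window (equivalently, of the lockout)


def max_guesses_over_lifetime(policy: LockoutPolicy, lifetime_days: float) -> float:
    """Upper bound on on-line guesses an attacker can submit before the password expires."""
    windows = lifetime_days * 24 * 60 / policy.window_minutes
    return policy.max_failures * windows


def success_probability(entropy_bits: float, guesses: float) -> float:
    """Uniform-guess approximation: guesses / 2^H, capped at 1."""
    return min(1.0, guesses / (2.0 ** entropy_bits))


def meets_level1_target(entropy_bits: float, guesses: float) -> bool:
    return success_probability(entropy_bits, guesses) < GUESSING_TARGET


def assess(length: int, composition_rules: bool, dictionary_check: bool,
           policy: LockoutPolicy, lifetime_days: float) -> dict:
    """Bundle the three steps so a policy can be judged in one call."""
    bits = estimated_entropy_bits(length, composition_rules, dictionary_check)
    guesses = max_guesses_over_lifetime(policy, lifetime_days)
    p = success_probability(bits, guesses)
    return {"entropy_bits": bits, "max_guesses": guesses,
            "success_probability": p, "compliant": p < GUESSING_TARGET}


if __name__ == "__main__":
    # Constructed policies: no lockout modelled as one guess per second, versus 5 failures per 30 min.
    no_lockout = LockoutPolicy(max_failures=1, window_minutes=1 / 60)
    five_per_half_hour = LockoutPolicy(max_failures=5, window_minutes=30)
    for label, policy in (("no lockout", no_lockout), ("5 failures / 30 min", five_per_half_hour)):
        print(label, assess(length=8, composition_rules=True, dictionary_check=True,
                            policy=policy, lifetime_days=90))
```

With an 8-character password under composition rules and a dictionary check (30 estimated bits), a 90-day life with no lockout permits millions of guesses and misses the target, while 5 failures per 30 minutes caps the attacker at 21,600 guesses and passes; drop the dictionary check (24 bits) and even the lockout policy is no longer enough, which is why the assessors ask for lockout and password-life rules together rather than either alone.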
Modifiable
  Description: Subscribers must be able to change their passwords.
  University 1 (C).
  University 2 (C): Online capability.
  University 3 (C).

4.  Status Management

Tag / Description / University 1 status and notes / University 2 status and notes / University 3 status and notes

Credential Validity
  Description: The CS shall maintain a record of the status of credentials and not authenticate credentials that have been revoked.
  University 1 (C): Account is disabled by updating a field in the password directory. Account records are archived on a regular basis.
  University 2 (C): Account is disabled by updating a field in the password directory. Account records are not deleted.
  University 3 (C): Account is disabled by updating a field in the password directory. Account records are archived on a regular basis.

Assurance Level 2

Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.

5.  Organizational Maturity

Tag / Description / University 1 status and notes / University 2 status and notes / University 3 status and notes

Documentation
  Description:
    1. The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance.
    2. Undocumented practices will not be considered evidence.
  University 1 (CP): The majority of the policy documents are excellent. A few password policies contradict each other, as noted in the Findings Report. Recommendation: review policies and align where necessary.
  University 2 (NC): Several policy documents are still in draft. Registration procedures are not fully documented.
  University 3 (CP): The majority of the policy documents are excellent. Some of the registration and account activation procedures need to be documented. Recommendation: update incomplete or missing policy/procedure documents.

Staffing
  Description:
    1. The CSP shall have sufficient staff to operate the CS according to its policies and procedures.
    2. The staff who operate the CS shall have the appropriate skills and abilities for their roles in the operation of the CS.
  University 1 (C).
  University 2 (C).
  University 3 (C): Roles and responsibilities are clearly defined and staff is fully operational.

Subcontracts
  Description:
    1. Any subcontractor or outsourced components of the CS shall have reliable and appropriate contractual arrangements, where the agreement stipulates critical policies and practices that affect the assurance of the CS.
    2. Subcontractor responsibilities that are not stipulated in their agreements will not be considered reliable during the assessment.
  University 1 (N/A).
  University 2 (N/A).
  University 3 (N/A).

Helpdesk
  Description: A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP’s regular business hours, minimally from 9am to 5pm Monday through Friday.
  University 1 (C): Several locations and forms of Helpdesk support. Escalation procedures are in place.
  University 2 (C): Excellent helpdesk operations. Available 8am-5pm PST. Rolls over to Operations staff to resolve or to determine if priority escalation is required.
  University 3 (C): Helpdesk hours are Monday-Thursday 8:00am-8:00pm and Friday 8:00am-5:00pm. Escalation procedures are documented. On-call off-hours support is available in the Operations Center.

Audit
  Description: The CSP shall be audited by an independent auditor every 24 months to ensure the organization’s practices are consistent with the policies and procedures for the CS. At the time of the assessment, the most recent audit shall have been performed within the last 12 months.
  University 1 (NC-CP): May have something like this. IT Director is checking.
  University 2 (C): ATO Report signed: March 1, 2004.
  University 3 (C): Audits are performed at a minimum of every 24 months. Audit staff is in-house but in a separate, unrelated organization.

Risk Mgt
  Description: The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
  University 1 (NC): Recommendation: undergo a risk assessment and document the methodology.
  University 2 (CP): The CSP has an adequate risk management methodology. Risk Management document(s) will be published in Spring 2005.
  University 3 (C).

COOP
  Description:
    1. The CSP shall have a Continuity of Operations Plan (COOP) that covers disaster recovery and the resilience of the CS.
    2. Service level agreements are not assessment criteria; they are covered in the licensing arrangements.
    3. The CS shall employ failure techniques to ensure system failures do not result in false positive authentication errors.
  University 1 (P): Business Continuity Plan (BCP) is in draft. Well established disaster recovery procedures are in place. Recommendation: finalize the BCP.
  University 2 (CP): Well established disaster recovery procedures are in place but not fully documented. Business Continuity site established and operational. Recommend formal business continuity training for employees.
  University 3 (CP): Business Continuity Plan (BCP) is in draft. Well established disaster recovery procedures are in place.