(+351) 213 243 750ISO/IEC 29115:2013 – Entity Authentication Assurance Framework.
Information technology – Security techniques – Entity authentication assurance framework.
Introduction
Many electronic transactions within or between ICT systems have security requirements which depend upon an understood or specified level of confidence in the identities of the entities involved. Such requirements may include the protection of assets and resources against unauthorized access, for which an access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes.
This International Standard provides a framework for entity authentication assurance. Assurance within this International Standard refers to the confidence placed in all of the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication transactions.
Figure 1 — Overview of the Entity Authentication Assurance Framework
fig_1
Using four specified Levels of Assurance (LoAs), this International Standard provides guidance concerning control technologies, processes, and management activities, as well as assurance criteria that should be used to mitigate authentication threats in order to implement the four LoAs. It also provides guidance for the mapping of other authentication assurance schemes to the specified four levels, as well as guidance for exchanging the results of an authentication transaction. Finally, this International Standard provides informative guidance concerning the protection of personally identifiable information (PII) associated with the authentication process.
This International Standard is intended to be used principally by credential service providers (CSPs) and by others having an interest in their services (e.g., relying parties, assessors and auditors of those services). This Entity Authentication Assurance Framework (EAAF) specifies the minimum technical, management, and process requirements for four LoAs to ensure equivalence among credentials issued by various CSPs. It also provides some additional management and organizational considerations that affect entity authentication assurance, but it does not set forth specific criteria for those considerations. Relying Parties (RPs) and others may find this International Standard helpful to gain an understanding of what each LoA provides. Additionally, it may be adopted for use within a trust framework to define technical requirements for LoAs. The EAAF is intended for, but not limited to, session-based and document-centric use cases using various authentication technologies. Both direct and brokered trust scenarios are possible, within either bilateral or federated legal constellations.
1 Scope
This International Standard provides a framework for managing entity authentication assurance in a given context. In particular, it:
— specifies four levels of entity authentication assurance;
— specifies criteria and guidelines for achieving each of the four levels of entity authentication assurance;
— provides guidance for mapping other authentication assurance schemes to the four LoAs;
— provides guidance for exchanging the results of authentication that are based on the four LoAs; and
— provides guidance concerning controls that should be used to mitigate authentication threats.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
2.1 Identical Recommendations | International Standards
None.
2.2 Paired Recommendations | International Standards
None.
2.3 Additional references
None.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
assertion
statement made by an entity without accompanying evidence of its validity
[SOURCE: ITU-T X.1252]
Note 1 to entry: The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stronger statement than a claim.
3.2
authentication
provision of assurance in the identity of an entity
[SOURCE: ISO/IEC 18014-2]
3.3
authentication factor
piece of information and/or process used to authenticate or verify the identity of an entity
[SOURCE: ISO/IEC 19790]
Note 1 to entry: Authentication factors are divided into four categories:
— something an entity has (e.g., device signature, passport, hardware device containing a credential, private key);
— something an entity knows (e.g., password, PIN);
— something an entity is (e.g., biometric characteristic); or
— something an entity typically does (e.g., behaviour pattern).
3.4
authentication protocol
defined sequence of messages between an entity and a verifier that enables the verifier to perform authentication of an entity
3.5
authoritative source
repository which is recognized as being an accurate and up-to-date source of information
3.6
claim
statement that something is the case, without being able to give proof
[SOURCE: ITU-T X.1252]
Note 1 to entry: The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. For the purposes of this International Standard, an assertion is considered to be a stronger statement than a claim.
3.7
context
environment with defined boundary conditions in which entities exist and interact
[SOURCE: ITU-T X.1252]
3.8
credential
set of data presented as evidence of a claimed or asserted identity and/or entitlements
Note 1 to entry: See Annex B for additional characteristics of a credential.
3.9
credential service provider
trusted actor that issues and/or manages credentials
3.10
entity
something that has separate and distinct existence and that can be identified in a context
[SOURCE: ITU-T X.1252]
Note 1 to entry: For the purposes of this International Standard, entity is also used in the specific case for something that is claiming an identity.
3.11
entity authentication assurance
degree of confidence reached in the authentication process that the entity is what it is, or is expected to be
[SOURCE: ITU-T X.1252]
Note 1 to entry: The confidence is based on the degree of confidence in the binding between the entity and the identity that is presented.
3.12
identifier
one or more attributes that uniquely characterize an entity in a specific context
3.13
identity
set of attributes related to an entity
[SOURCE: ISO/IEC 24760]
Note 1 to entry: Within a particular context, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context.
3.14
identity information verification
process of checking identity information and credentials against issuers, data sources, or other internal or external resources with respect to authenticity, validity, correctness, and binding to the entity
3.15
identity proofing
process by which the Registration Authority (RA) captures and verifies sufficient information to identify an entity to a specified or understood level of assurance
3.16
man-in-the-middle attack
attack in which an attacker is able to read, insert, and modify messages between two parties without their knowledge
3.17
multifactor authentication
authentication with at least two independent authentication factors
[SOURCE: ISO/IEC 19790]
3.18
mutual authentication
authentication of identities of entities which provides both entities with assurance of each other’s identity
3.19
non-repudiation
ability to protect against denial by one of the entities involved in an action of having participated in all or part of the action
[SOURCE: ITU-T X.1252]
3.20
phishing
scam by which an email user is duped into revealing personal or confidential information which the scammer can then use illicitly
3.21
registration authority
trusted actor that establishes and/or vouches for the identity of an entity to a CSP
3.22
relying party
actor that relies on an identity assertion or claim
3.23
repudiation
denial in having participated in all or part of an action by one of the entities involved
[SOURCE: ITU-T X.1252]
3.24
salt
non-secret, often random, value that is used in a hashing process
Note 1 to entry: It is also referred to as sand.
3.25
shared secret
secret used in authentication that is known only to the entity and the verifier
3.26
time stamp
reliable time variant parameter which denotes a point in time with respect to a common reference
3.27
transaction
discrete event between an entity and service provider that supports a business or programmatic purpose
3.28
trust framework
set of requirements and enforcement mechanisms for parties exchanging identity information
3.29
trusted third party
authority or its agent, trusted by other actors with respect to specified activities (e.g., security-related activities)
Note 1 to entry: A trusted third party is trusted by an entity and/or a verifier for the purposes of authentication.
3.30
validity period
time period during which an identity or credential may be used in one or more transactions
3.31
verification
process of checking information by comparing the provided information with previously corroborated information
3.32
verifier
actor that corroborates identity information
Note 1 to entry: The verifier can participate in multiple phases of the EAAF and can perform credential verification and/or identity information verification.
Only informative sections of standards are publicly available. To view the full content, you will need to purchase the standard by clicking on the “Buy” button.
Bibliography
[1] The National e-Authentication Framework http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html
[2] Australian Government Gatekeeper Public Key Infrastructure http://www.gatekeeper.gov.au/
[3] ITU-T Focus Group on Identity Management Report 5 Report on Requirements for Global Interoperable Identity Management http://www.itu.int/ITU-T/studygroups/com17/fgidm/
[4] ITU-T Focus Group: Report on Identity Management Report 6 Framework for Global Interoperability http://www.itu.int/ITU-T/studygroups/com17/fgidm/
[5] ITU-T Report on the Definition of the Term “Identity”, April, 2008 http://www.itu.int/ITU-T/jca/idm/
[6] Kantara Initiative Identity Assurance Framework v2.0,http://kantarainitiative.org/confluence/display/GI/Identity+Assurance+Framework+v2.0
[7] New Zealand Standard: Evidence of Identity (EOI) June 2006 http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Resource-material-Evidence-of-Identity-Standard-Evidence-of-Identity-Standard-(html-version)?Open Document
[8] NIST Special Pub 800-36 Guide to Selecting Information Technology Security Products, October 2003, http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf
[9] NIST Special Pub 800-63 Electronic Authentication Guideline Version 1.0.2, April 2006 http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
[10] “OECD Recommendation for Electronic Authentication and OECD Guidelines for Electronic Authentication” http://www.oecd.org/dataoecd/32/45/38921342.pdf
[11] OMB M-04-04, e-Authentication Guidance for Federal Organization http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
[12] Principles for Electronic Authentication: A Canadian Framework, http://strategis.ic.gc.ca/epic/site/ecic-ceac.nsf/en/h_gv00240e.html
[13] B. VAN ALSENOY and D. DE COCK, ‘Due processing of personal data in eGovernment? A Case Study of the Belgian electronic identity card’, Datenschutz und Datensicherheit, March 2008, p. 180
[14] A. Menezes, P. van Oorschot, S. Vanstone, ‘Handbook of Applied Cryptography’, 1997, p. 3-4. http://www.cacr.math.uwaterloo.ca/hac/
[15] ENISA, Mapping (Interoperable Delivery of European e-government services to public Administrations, Businesses and Citizens) IDABC Authentication Assurance Levels to SAML v2.0
[16] ITU-T Recommendation X.1252 (2010), Baseline identity management terms and definitions
[17] ITU-T Recommendation Y.2702 (2010), Next generation network authentication and authorization requirements
[18] ITU-T Recommendation Y.2720 (2010), Next generation network identity management framework
[19] ITU-T Recommendation Y.2721 (2010), NGN identity management requirements and use cases
[20] ITU-T Recommendation Y.2722 (2010), NGN identity management mechanisms
[21] ISO/IEC 9798:2010, Information technology — Security techniques — Entity authentication
[22] ISO/IEC 19792:2009, Information technology — Security techniques — Security evaluation of biometrics
[23] ISO/IEC 27001:2005, Information technology — Security techniques — Information security management system
[24] ISO/IEC 29100:2011, Information technology — Security techniques — Privacy framework
[25] ISO/IEC 29101, Information technology — Security techniques — Privacy architecture framework
[26] ISO/IEC 24760-1:2011, Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts
[27] ISO/IEC 19790:2012, Information technology — Security techniques — Security requirements for cryptographic modules
1 LoA is a function of the processes, management activities, and technical controls that have been implemented by a CSP for each of the EAAF phases based on the criteria set forth in Clause 10.
2 This does not preclude the use of pseudonyms.
3 Remote identity proofing is accomplished over a network and therefore involves not being able to physically see the entity whereas local identity proofing is accomplished in a manner that requires physically seeing the entity.
4 The witnessed in-person control applies only to human entities.
5 The boundary of a hardware security module is defined in ISO/IEC 19790:2012.
