2016-08-11

4.1 Audience

The intended audiences for this Standard are those people responsible for the development, management and security of agency information and IT systems, including: technical analysts, architects and developers, information and IT managers and administrators, IT security managers and administrators, outsourcers and other parties providing IT or security services to agencies.

Readers of this Standard are assumed to be familiar with information security concepts and practices.

4.2 NZ e-GIF status

Upon approval by the e-GIF Management Committee, this Standard will enter the NZ e-GIF as Under development (U), and graduate to Recommended (R) after a successful, documented implementation. This Standard is expected to graduate to Adopted (A) once there is a track record of proven successful implementation.

For guidance on agency responsibilities for compliance with NZ e-GIF standards at each status level, refer to the latest version of the NZ e-GIF (www.e.govt.nz).

4.3 Accessing advice on this Standard

Advice on this Standard can be obtained from:

e-GIF Operations
State Services Commission

Postal: PO Box 329, WELLINGTON
Phone: 04 495 6600
Fax: 04 495 6669
Email: e-gif@ssc.govt.nz
Web: www.e.govt.nz

The State Services Commission is the agency responsible for this Standard.

4.4 Interpretation

The following words, defined in Key Words for Use in RFCs to Indicate Requirement Levels (RFC 2119), are used in this Standard:

'MUST' identifies a mandatory requirement for compliance with this Standard.

'SHOULD' refers to practices that are advised or recommended.

Agencies deviating from a 'SHOULD', MUST document:

the reason for the deviation

an assessment of the residual risk resulting from the deviation

a date by which the decision will be reviewed

management's approval of the above.

When cross-referencing sections of this Standard, only the number may be quoted.

The full titles of referenced documents cited in this Standard are given in the list of referenced documents at the end.

4.5 Document structure

Section 2 describes which elements of authentication are covered by this Standard and outlines the further sources for elements not covered by this Standard. Section 3 provides details on the NZ e-GIF authentication standards and also discusses the all-of-government authentication shared services. Section 5 briefly discusses vulnerabilities, threats and attacks. The requirements of this Standard are given in section 6.

4.6 Terms and definitions

For the purposes of this Standard, the following definitions apply:

Authentication

Process of establishing, to the required level of confidence, the identity of one or more parties to a transaction. Consists of identity management (establishing who you are) and logon management (confirming who you are). In particular, for this Standard authentication is used in the commonly understood sense of a customer logging onto a service with their username and authentication key. This is consistent with the logon management aspect of the general authentication definition above.

Authentication key

Method used by an individual to authenticate his or her identity over the Internet. Examples of authentication keys include passwords, one-time passwords, software tokens, hardware tokens and biometrics. Authentication keys are also referred to as keys.

Authentication protocol

Predefined data formats and methods for the messages that are exchanged during the authentication process. The authentication process verifies that the customer has control of an authentication key to authenticate that customer remotely.

Factors of authentication

The three ways in which an entity may be authenticated: by something they know, have or are. One-, two- or three-factor authentication uses one, two or three of the factors of authentication, respectively. Multi-factor authentication is either two-factor or three-factor authentication.

Government Logon Service (GLS)

An all-of-government shared service that provides ongoing re-confirmation of online identity to participating agencies to the desired level of confidence.

Identity-related risk

Any risk for a particular service that results from an individual's identity being incorrectly attributed. Also refer to the Evidence of Identity Standard for further details.

Identity Verification Service (IVS)

An all-of-government shared service that provides individuals with the option to verify their identity authoritatively, online, and in real-time with participating agencies to a passport-level of confidence.

Mutual authentication

Where both entities authenticate to each other (the authentication is normally based on the same or closely similar methods).

Online service

Service that an agency offers through an interactive online delivery channel.

Proof of possession protocol

An authentication protocol where a customer proves to a verifier that they control an authentication key (for example, a cryptographic key or a password).

Transport Layer Security (TLS)

Like the Secure Sockets Layer (SSL) protocol, which it supersedes, TLS provides a cryptographically protected channel for web browser exchanges. TLS is defined by the Internet Engineering Task Force (IETF) and is effectively SSL version 3.1.

Username

Construction of alphanumeric characters that is used to identify a customer within the authentication system (the username is used to identify the customer, or rather their authentication key, to the verifier as part of the authentication process).

Authentication keys

Activation data

Normally a password or biometric that is used to authenticate to a hardware or software token or a hardware device before it may be used. Software tokens (in particular any related cryptographic keys or secrets) are normally protected under a key generated using the activation data.

Biometrics

In the context of customer authentication, biometrics refer to physical characteristics or behavioural patterns of a person. Examples include fingerprints, thumbprints, hand geometry, iris patterns, speech patterns, face geometry, keyboard-typing patterns.

Cryptographic keys

Protected values (in terms of their confidentiality and integrity) used in cryptographic operations.

Cryptographic operations

Special algorithms and protocols that may be used in the authentication process.

Hardware token

Specialised hardware device that protects cryptographic keys and performs cryptographic operations. Use of the hardware token normally requires entry of activation data such as a password or biometric.

One-time password

One-time password systems utilise a series of passwords in the authentication process. Each password of the series is called a one-time password, as they are all distinct (or at least distinct with a very high probability). Many methods are based on a static shared base secret that is used to generate the distinct authentication secrets. Other common methods use collections of passwords that are distributed to customers.

Password

Static secret, usually composed of keyboard characters, that is used as the authentication key.

Software token

A software token is essentially a software implementation of a hardware token: a specialised piece of software that protects cryptographic keys and performs cryptographic operations. Use of the software token normally requires entry of activation data such as a password or biometric. In this case, the cryptographic keys are protected using a key derived from the activation data. (The term digital certificate is often incorrectly used in place of software token.)

Entities involved in the authentication process

Customer

Person who claims some identity, which undergoes the authentication process. The identity claim may be based on a username.

Verifier

Entity that performs the procedures for verifying the claim of identity for customers. The verifier and the service provider may be separate entities.

Attacks

Customer fraud attacks

Where the customer deliberately compromises his or her authentication key or computing environment to enable them to deny subsequent authentication events.

Eavesdropper attacks

Where an attacker obtains information from an authentication exchange and recovers data, such as authentication key values, which then may be used to authenticate.

Insider attacks

Where verifiers or systems managers deliberately compromise the authentication system or steal authentication keys or related data.

Malicious code attacks

Attacks that are generally aimed at the customer's computing environment. They vary in their sophistication from simple key loggers to advanced Trojan programs that can gain control of the customer's computer. Malicious code attacks may also be aimed at verifier systems.

Man-in-the-middle attacks

Where an attacker inserts him/herself between the customer and the verifier in an authentication exchange. The attacker attempts to authenticate by posing as the customer to the verifier and the verifier to the customer.

Replay attacks

Where the attacker records the data of a successful authentication and replays this information to attempt to falsely authenticate to the verifier.
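As an added illustration of the one-time password definition above and of the replay attack just defined (example code, not part of the Standard): the verifier derives each password of the series from the static shared base secret with an HMAC over a counter and accepts each counter value only once, so a password recorded from an earlier successful authentication cannot be replayed. The counter-based derivation, the 8-digit truncation and the look-ahead window are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed example of a counter-based one-time password scheme in which every
# password of the series is derived from a single static shared base secret.
# Not the Standard's own code; counter, digit length and window are assumptions.


def derive_otp(base_secret: bytes, counter: int, digits: int = 8) -> str:
    """Derive the counter-th one-time password from the shared base secret."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(base_secret, msg, hashlib.sha256).digest()
    # Truncate the MAC to a short decimal code the customer can type.
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return str(code).zfill(digits)


class Verifier:
    """Holds the base secret and the highest counter already consumed."""

    def __init__(self, base_secret: bytes, window: int = 5):
        self.base_secret = base_secret
        self.last_counter = -1  # no password accepted yet
        self.window = window    # how far ahead the customer's token may drift

    def verify(self, candidate: str) -> bool:
        # Only counters beyond the last accepted one are tried, so a recorded
        # password from an earlier successful logon can never verify again.
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = derive_otp(self.base_secret, counter)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


def demo() -> tuple:
    """Fresh password accepted, the same (replayed) password rejected."""
    secret = secrets.token_bytes(32)  # shared at enrolment, never sent again
    verifier = Verifier(secret)
    first = derive_otp(secret, 0)
    accepted = verifier.verify(first)   # genuine authentication
    replayed = verifier.verify(first)   # attacker replays the recorded value
    return accepted, replayed


if __name__ == "__main__":
    print(demo())
```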

Session hijacking attacks

Where the attacker takes over (hijacks) a session following successful authentication.

Social engineering attacks

Attacks that are aimed at obtaining authentication keys or data by fooling the customer into using an insecure authentication protocol, or into loading malicious code onto the customer's computer. Attacks may also be aimed at the verification process, for example by trying to trick help desk staff into accepting a false story.

Verifier impersonation attacks

Where the attacker impersonates the verifier to the customer to obtain authentication keys or data, which then may be used to authenticate falsely to the verifier.
