topic Re: Questions about authentication requirements as defined by FIPS 140-2 in Tech Talk

Questions about authentication requirements as defined by FIPS 140-2

Masahiro — Mon, 09 Oct 2023 09:59:50 GMT

FIPS 140-2 defines the authentication requirements for cryptographic modules as follows.

Security Level 2 requires, at a minimum, role-based authentication in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services.

Security Level 3 requires identity-based authentication mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level 2.

The bold parts above are defined as follows.

Role-Based Authentication: If role-based authentication mechanisms are supported by a cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator and shall authenticate the assumption of the selected role (or set of roles). The cryptographic module is not required to authenticate the individual identity of the operator. The selection of roles and the authentication of the assumption of selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall authenticate the assumption of any role that was not previously authenticated.

Identity-Based Authentication: If identity-based authentication mechanisms are supported by a cryptographic module, the module shall require that the operator be individually identified, shall require that one or more roles either be implicitly or explicitly selected by the operator, and shall authenticate the identity of the operator and the authorization of the operator to assume the selected role (or set of roles). The authentication of the identity of the operator, selection of roles, and the authorization of the assumption of the selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall verify the authorization of the identified operator to assume any role that was not previously authorized.

Based on the above, I have questions.

What is authentication in a cryptographic module? For example, the authentication required to access the management console of a home Wi-Fi router?
At Security Level 2, role-based authentication is required. On the other hand, Security Level 3 requires identity-based authentication, which is a higher level of security than Level 2. It is also stated that identity-based authentication is a security enhancement to Level 2 role-based authentication. Since I understand that only when there is an identity can a role be assigned to it, it seems to me that the requirements for authentication in Level 3 are lower than those in Level 2. What do you think?
What specific examples can you think of that fall under Security Levels 1 - 4? Would a home Wi-Fi router management console or BitLocker be L1? I couldn't think of L2 or L4.

Re: Questions about authentication requirements as defined by FIPS 140-2

csjohnng — Sat, 02 Oct 2021 14:18:25 GMT

@Masahiro

FIPS 140-2 is applicable to HSM (Hardware security module) or TPM (Trusted Platform Module). the module that certified your cryptographic process/storage device in order to store and process the cryptographic module and crypto keys.

your 3 questions

1) a simple example will be use an x.509 client certificate for authentication.

2) Identity base, you can look at this

https://hsm.utimaco.com/solutions/applications/authentication/

3) I have given the examples.

Re: Questions about authentication requirements as defined by FIPS 140-2

Masahiro — Sun, 03 Oct 2021 09:42:00 GMT

@csjohnng

Thank you, John.

Did you mean some cryptographic module authenticates operators with X.509 and it is an example of identity-based authentication?

I think that "Strong authentication using Hardware Security Modules", as you gave me as an example, is not an example to authenticate users operating cryptographic modules, but it is an example to authenticate users with hardware security modules. I realize that FIPS 140 requires authenticating users who operate cryptographic modules with role-based or identity-based. Am I misunderstanding?

You mean HSM is one of cryptographic module and it authenticates users who operate it, right?

Re: Questions about authentication requirements as defined by FIPS 140-2

csjohnng — Sun, 03 Oct 2021 12:29:42 GMT

Yes.

x.509 client certification is also a mean of authentication but it's not "strong". Properly you can consider it's something you have

A strong identity base authentication should have ( more than 1)

“Something you know”

“Something you have”,

"Something you are"

and "something you do" as pattern (something you do is a bit new)

Yes, Typical HSM vendor will aim to certify for different level of FIPS 140-2.

Good example is AWS's HSM , not to promote the vendor service but interesting for people to look at, you can find the other HSM vendor like Microsoft, utimaco , Thales as well

https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/

https://docs.aws.amazon.com/cloudhsm/latest/userguide/fips-validation.html

in the process of searching of the information , I also find AWS is trying to certify FIPS 140-2 end points as well. And this is a bit new to me, interesting.

https://aws.amazon.com/compliance/fips/

Re: Questions about authentication requirements as defined by FIPS 140-2

Masahiro — Tue, 05 Oct 2021 11:24:50 GMT

Thank your for giving me some references. They made me understand more.

Re: Questions about authentication requirements as defined by FIPS 140-2

csjohnng — Tue, 05 Oct 2021 13:18:21 GMT

@Masahiro

No problem. In the process of answering your question, I also learn something new.

Cheers

Re: Questions about authentication requirements as defined by FIPS 140-2

Baechle — Sun, 10 Oct 2021 15:51:36 GMT

Roles can be set up a few different ways. One of the most popular is through the use of groups, another is through the use of SUDO or other system accounts that a role (group of users) is authorized to act as. In this case it is the proxy account or the group that is being authenticated rather than the individual user account.

Sincerely,

Eric Baechle
CISSP-ISSEP

Re: Questions about authentication requirements as defined by FIPS 140-2

Masahiro — Wed, 13 Oct 2021 08:59:15 GMT

I think the following is a good idea.

> In this case it is the proxy account or the group that is being authenticated rather than the individual user account.

Thank you, @Baechle

Best regards,