Security Level 2 requires, at a minimum, role-based authentication in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services.
Security Level 3 requires identity-based authentication mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level 2.
Role-Based Authentication: If role-based authentication mechanisms are supported by a cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator and shall authenticate the assumption of the selected role (or set of roles). The cryptographic module is not required to authenticate the individual identity of the operator. The selection of roles and the authentication of the assumption of selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall authenticate the assumption of any role that was not previously authenticated.
Identity-Based Authentication: If identity-based authentication mechanisms are supported by a cryptographic module, the module shall require that the operator be individually identified, shall require that one or more roles either be implicitly or explicitly selected by the operator, and shall authenticate the identity of the operator and the authorization of the operator to assume the selected role (or set of roles). The authentication of the identity of the operator, selection of roles, and the authorization of the assumption of the selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall verify the authorization of the identified operator to assume any role that was not previously authorized.
What is authentication in a cryptographic module? For example, the authentication required to access the management console of a home Wi-Fi router?
At Security Level 2, role-based authentication is required. On the other hand, Security Level 3 requires identity-based authentication, which is a higher level of security than Level 2. It is also stated that identity-based authentication is a security enhancement to Level 2 role-based authentication. Since I understand that only when there is an identity can a role be assigned to it, it seems to me that the requirements for authentication in Level 3 are lower than those in Level 2. What do you think?
What specific examples can you think of that fall under Security Levels 1 - 4? Would a home Wi-Fi router management console or BitLocker be L1? I couldn't think of L2 or L4.
FIPS 140-2 is applicable to HSM (Hardware security module) or TPM (Trusted Platform Module). the module that certified your cryptographic process/storage device in order to store and process the cryptographic module and crypto keys.
your 3 questions
1) a simple example will be use an x.509 client certificate for authentication.
2) Identity base, you can look at this
3) I have given the examples.
Thank you, John.
Did you mean some cryptographic module authenticates operators with X.509 and it is an example of identity-based authentication?
I think that "Strong authentication using Hardware Security Modules", as you gave me as an example, is not an example to authenticate users operating cryptographic modules, but it is an example to authenticate users with hardware security modules. I realize that FIPS 140 requires authenticating users who operate cryptographic modules with role-based or identity-based. Am I misunderstanding?
You mean HSM is one of cryptographic module and it authenticates users who operate it, right?
x.509 client certification is also a mean of authentication but it's not "strong". Properly you can consider it's something you have
A strong identity base authentication should have ( more than 1)
“Something you know”
“Something you have”,
"Something you are"
and "something you do" as pattern (something you do is a bit new)
Yes, Typical HSM vendor will aim to certify for different level of FIPS 140-2.
Good example is AWS's HSM , not to promote the vendor service but interesting for people to look at, you can find the other HSM vendor like Microsoft, utimaco , Thales as well
in the process of searching of the information , I also find AWS is trying to certify FIPS 140-2 end points as well. And this is a bit new to me, interesting.
Thank your for giving me some references. They made me understand more.
I think the following is a good idea.
> In this case it is the proxy account or the group that is being authenticated rather than the individual user account.
Thank you, @Baechle