Masahiro
Newcomer III

Questions about authentication requirements as defined by FIPS 140-2

FIPS 140-2 defines the authentication requirements for cryptographic modules as follows.

> Security Level 2 requires, at a minimum, **role-based authentication** in which a cryptographic module authenticates the authorization of an operator to assume a specific role and perform a corresponding set of services.
>
> Security Level 3 requires **identity-based authentication** mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level 2.

The bold parts above are defined as follows.

> **Role-Based Authentication**: If role-based authentication mechanisms are supported by a cryptographic module, the module shall require that one or more roles either be implicitly or explicitly selected by the operator and shall authenticate the assumption of the selected role (or set of roles). The cryptographic module is not required to authenticate the individual identity of the operator. The selection of roles and the authentication of the assumption of selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall authenticate the assumption of any role that was not previously authenticated.
>
> **Identity-Based Authentication**: If identity-based authentication mechanisms are supported by a cryptographic module, the module shall require that the operator be individually identified, shall require that one or more roles either be implicitly or explicitly selected by the operator, and shall authenticate the identity of the operator and the authorization of the operator to assume the selected role (or set of roles). The authentication of the identity of the operator, selection of roles, and the authorization of the assumption of the selected roles may be combined. If a cryptographic module permits an operator to change roles, then the module shall verify the authorization of the identified operator to assume any role that was not previously authorized.

Based on the above, I have questions.
 
1. What is authentication in a cryptographic module? For example, the authentication required to access the management console of a home Wi-Fi router?

2. At Security Level 2, role-based authentication is required. On the other hand, Security Level 3 requires identity-based authentication, which is a higher level of security than Level 2. It is also stated that identity-based authentication is a security enhancement to Level 2 role-based authentication. Since I understand that only when there is an identity can a role be assigned to it, it seems to me that the requirements for authentication in Level 3 are lower than those in Level 2. What do you think?

3. What specific examples can you think of that fall under Security Levels 1 - 4? Would a home Wi-Fi router management console or BitLocker be L1? I couldn't think of L2 or L4.

Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
7 Replies
csjohnng
Community Champion

@Masahiro

FIPS 140-2 is applicable to HSM (Hardware security module) or TPM (Trusted Platform Module). The module that certified your cryptographic process/storage device in order to store and process the cryptographic module and crypto keys.

Your 3 questions:

1) A simple example would be using an X.509 client certificate for authentication.

2) Identity-based: you can look at this

https://hsm.utimaco.com/solutions/applications/authentication/

3) I have given the examples.

John
Masahiro
Newcomer III

@csjohnng

Thank you, John.

Did you mean that some cryptographic modules authenticate operators with X.509 and that this is an example of identity-based authentication?

I think that "Strong authentication using Hardware Security Modules", which you gave me as an example, is not an example of authenticating users operating cryptographic modules, but an example of authenticating users with hardware security modules. I realize that FIPS 140 requires authenticating users who operate cryptographic modules with role-based or identity-based authentication. Am I misunderstanding?

You mean an HSM is one kind of cryptographic module and it authenticates users who operate it, right?
csjohnng
Community Champion

Yes.

X.509 client certification is also a means of authentication, but it's not "strong". Probably you can consider it "something you have".

A strong identity-based authentication should have (more than 1):

"Something you know"

"Something you have"

"Something you are"

and "something you do" as a pattern (something you do is a bit new)

Yes, typical HSM vendors will aim to certify for different levels of FIPS 140-2.

A good example is AWS's HSM; not to promote the vendor service, but it's interesting for people to look at. You can find other HSM vendors like Microsoft, Utimaco, Thales as well.

https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cry...

https://docs.aws.amazon.com/cloudhsm/latest/userguide/fips-validation.html

In the process of searching for the information, I also found AWS is trying to certify FIPS 140-2 endpoints as well. This is a bit new to me, interesting.

https://aws.amazon.com/compliance/fips/

John
Masahiro
Newcomer III

Thank you for giving me some references. They made me understand more.

csjohnng
Community Champion

@Masahiro 

No problem. In the process of answering your question, I also learned something new.

Cheers

John
Baechle
Advocate I

Roles can be set up a few different ways. One of the most popular is through the use of groups, another is through the use of SUDO or other system accounts that a role (group of users) is authorized to act as. In this case it is the proxy account or the group that is being authenticated rather than the individual user account.

Sincerely,

Eric Baechle
CISSP-ISSEP
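As an added illustration (not from any poster in this thread, and not the code of any real FIPS-validated module), a small Python sketch of the two models defined in the original question and of Baechle's point above: the role-based module authenticates only the assumption of a role with a shared per-role credential, much like a group or proxy account, and never learns who the individual is, while the identity-based module first authenticates an individual operator and then verifies that operator's authorization for each role it assumes. Operator names, PINs, passwords and the service-to-role mapping are constructed.

```python
import hashlib
import hmac

SERVICE_ROLES = {"sign": "user", "zeroize": "crypto-officer"}  # constructed: service -> required role

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class RoleBasedModule:
    # Level 2 style: only the assumption of a role is authenticated (per-role PIN);
    # the module never learns which individual is operating it.
    ROLE_PINS = {"user": _digest("user-pin"), "crypto-officer": _digest("co-pin")}  # constructed

    def __init__(self):
        self.authenticated_roles = set()

    def assume_role(self, role: str, pin: str) -> bool:
        if role not in self.ROLE_PINS or not hmac.compare_digest(self.ROLE_PINS[role], _digest(pin)):
            return False
        self.authenticated_roles.add(role)  # changing to another role needs that role's own PIN
        return True

    def can_perform(self, service: str) -> bool:
        return SERVICE_ROLES[service] in self.authenticated_roles

class IdentityBasedModule:
    # Level 3 style: the operator is individually identified and authenticated first; each later role assumption is checked against that operator's authorization.
    OPERATORS = {  # constructed: operator -> (password digest, roles the operator may assume)
        "alice": (_digest("alice-pw"), {"user", "crypto-officer"}),
        "bob": (_digest("bob-pw"), {"user"}),
    }

    def __init__(self):
        self.operator, self.active_roles = None, set()

    def login(self, operator: str, password: str) -> bool:
        if operator not in self.OPERATORS or not hmac.compare_digest(self.OPERATORS[operator][0], _digest(password)):
            return False
        self.operator, self.active_roles = operator, set()
        return True

    def assume_role(self, role: str) -> bool:
        # Identity is already authenticated; only authorization for this role is verified.
        if self.operator is None or role not in self.OPERATORS[self.operator][1]:
            return False
        self.active_roles.add(role)
        return True

    def can_perform(self, service: str) -> bool:
        return SERVICE_ROLES[service] in self.active_roles
```

Note that in the role-based module anyone holding the crypto-officer PIN can zeroize the module, whereas in the identity-based module "bob" is refused that role even after a successful login, which is the accountability gain Level 3 adds over Level 2.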
Masahiro
Newcomer III

I think the following is a good idea.

> In this case it is the proxy account or the group that is being authenticated rather than the individual user account.

Thank you, @Baechle

Best regards,