Level of assurance (LoA) vs robustness of infrastructure

The LoAs described by NIST and STORK primarily focus on the robustness of the authentication. The robustness of the technical infrastructure is mostly beyond their scope; it is assumed that proper measures are in place to prevent authentication protocol threats such as eavesdropping, man-in-the-middle, replay, and hijacking. Attacks are not limited to the authentication protocol itself. Other attacks include the use of malicious code to compromise authentication tokens, insider threats to compromise authentication tokens, social engineering to get a subscriber to reveal his password to the attacker, “shoulder-surfing”, fooling claimants into using an insecure protocol when they think they are using a secure one, or subscribers who deliberately compromise their tokens and then deny ever having registered. Other threats relate to (SAML) assertions: modification, disclosure, repudiation, reuse, or redirect. Countermeasures should be in place to prevent these attacks as well. It would go too far to describe the number and strength of the required countermeasures for each LoA; most of them are addressed in the information security policy of the stakeholders. NIST SP 800-63-1 also gives some guidelines. The most important ones are digitally signing assertions and securing the communication channel with SSL/TLS. Both controls are required to fulfil the requirements for LoA2 and LoA3 and are already in place in SURFconext Strong Authentication. NIST SP 800-63-1 recommends that the CSP (i.e. SURFconext Strong Authentication) for LoA2 “employ appropriately tailored security controls from the low baseline of security controls defined in [NIST SP 800-53] and to ensure that the minimum assurance requirements associated with the low baseline are satisfied”.
For LoA3, security controls from the moderate baseline are required.