
Gap analysis of AD-DS against IAP v1.2. Each entry gives the IAP v1.2 section, the requirements (paraphrased), and the AD-DS gaps.

4.2.3.4 - Stored Authentication Secrets (S)

Requirements (paraphrased):

Do not store passwords as plaintext. Limit access to admins and apps that require access.

Protect stored passwords with one of the following alternatives:

1. Concatenate a variable salt to the password and hash with an Approved Algorithm.

2. Encrypt the password with an Approved Algorithm and decrypt only when immediately needed for authentication.

3. Any method allowed for NIST 800-63 Level 3 or 4.

AD-DS gaps:

No salt in hash [2]
Not a FIPS approved method [2]
Can support low-strength methods (LM, NTLM)

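The salted-hash alternative in item 1 beside the unsalted pattern behind the "No salt in hash" gap, as an added example that is not part of the original page or of AD-DS. It assumes PBKDF2-HMAC-SHA-256 as the Approved Algorithm and an illustrative iteration count; the account passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed Approved Algorithm for this example: PBKDF2 with HMAC-SHA-256
# (NIST SP 800-132). The iteration count is an illustrative value, not from the page.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """Hash of the password alone, no salt: the pattern behind the "No salt in
    hash" gap. AD's NT hash is an unsalted MD4 of the UTF-16LE password;
    SHA-256 stands in here because MD4 is not always available in hashlib."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """IAP 4.2.3.4 alternative 1: concatenate a variable (per-record) salt to
    the password and hash with an Approved Algorithm. Returns the record a
    verifier keeps: algorithm, iteration count, salt and derived key."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-hmac-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the derived key from the stored salt; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_detectable(records: List[dict]) -> bool:
    """True if two stored records reveal that their owners share a password
    (identical stored hashes). With a variable salt this stays False even for
    identical passwords; an unsalted scheme exposes the match."""
    hashes = [r["hash"] for r in records]
    return len(hashes) != len(set(hashes))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = store_password("Summer2024!")
    bob = store_password("Summer2024!")
    print("salted records collide:", same_password_detectable([alice, bob]))   # False
    print("unsalted digests collide:",
          unsalted_digest("Summer2024!") == unsalted_digest("Summer2024!"))   # True
    print("verify ok:", verify_password(alice, "Summer2024!"))                # True
```
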
4.2.3.5 - Basic Protection of Authentication Secrets (B)

Requirements (paraphrased):

1. Do not store passwords as plaintext. Limit access to admins and apps that require access.

2. Do not transmit plaintext passwords over the network.

AD-DS gaps:

Potential alternative credential issues
   (e.g., certs, cross-realm trust)
Cached credentials
Non-plaintext

4.2.3.6 - Strong Protection of Authentication Secrets (S)

Requirements (paraphrased):

1a. Any credential store with passwords used by the IdP or verifier is subject to 4.2.3.4 and 4.2.8.

1b. Use Protected Channels when passwords are sent from one credential store to another.

2. Use Protected Channels when passwords are sent between services for verification purposes.

3. Have policies and procedures to minimize the risk of transient password exposure to non-IdP apps.

AD-DS gaps:

Potential alternative credential issues
   (e.g., certs, cross-realm trust)
Cached credentials
   (claims "generally meets the standard")
Potential non-Protected Channels
Requires policy for 3rd party risk mitigation

4.2.5.1 - Resist Replay Attack (B, S)

Requirements (paraphrased):

Ensure it's impractical to achieve authentication by recording and replaying a previous authentication message.

AD-DS gaps:

Can support low-strength methods (LDAP bind, LM)
Kerberos replay concerns

4.2.5.2 - Resist Eavesdropper Attack (B, S)

Requirements (paraphrased):

Ensure it's impractical to learn the password, or otherwise obtain information that would allow impersonation of a subject, by network eavesdropping.

AD-DS gaps:

Can support low-strength methods (LDAP bind, LM)

4.2.8.2.1 - Network Security (S)

Requirements (paraphrased):

Protected Channels should be used for communication between IdMS systems.

AD-DS gaps:

None listed.
