Trustmark Definition (TD):
Access Control for Shared Secret Files

Metadata


Identifier: https://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/access-control-for-shared-secret-files/1.0/
Name: Access Control for Shared Secret Files
Version: 1.0
Publication Date: 2015-09-18
Trustmark Defining Organization
  Identifier: https://trustmark.gtri.gatech.edu/
  Name: Georgia Tech Research Institute
  PRIMARY Contact
    Email: TrustmarkFeedback@gtri.gatech.edu
    Telephone: 404-407-8956
    Mailing Address: 75 5th Street NW, Suite 900, Atlanta, GA 30308
Description: This Trustmark Definition covers the access control requirements that Credential Service Providers (CSPs) must meet for shared secret files.
Target Stakeholders: Organizations that are interested in implementing or making use of digital identities in a manner that complies with widely accepted identity management standards and practices such as NIST Special Publication 800-63-2.
Target Recipients: Credential Service Providers (CSPs) whose token and credential management practices require formal vetting.
Target Relying Parties: Relying Parties (RPs) that wish to see evidence of the vetting of their Credential Service Provider (CSP) collaborators' token and credential management practices.
Target Providers: Organizations that audit or evaluate other organizations for compliance with widely accepted identity management standards and practices such as NIST Special Publication 800-63-2.
Provider Criteria: Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.
Assessor Qualifications: Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.
Trustmark Revocation Criteria: For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.
Extension Description: This Trustmark Definition requires no extension data.
Legal Notice: This document and the information contained herein is provided on an "AS IS" basis, and the Georgia Tech Research Institute disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, the Georgia Tech Research Institute disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.
Notes: The Georgia Tech Research Institute (GTRI) has published this document with the support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) via the National Institute of Standards and Technology (NIST). The views expressed herein do not necessarily reflect the official policies of GTRI, NIST or NSTIC; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

Conformance Criteria (1)


1: Protection of Shared Secret Files

The CSP MUST ensure that shared secret files are protected by discretionary access controls that limit access to only administrators and those applications that require access.
Citation(s)
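The criterion above is stated in policy terms; the check an assessor actually performs on a POSIX host is to confirm that the file's ownership and permission bits grant access to nobody beyond the administrator account that owns it and the one application group that needs it. The following Python script is an added illustration of that check and is not part of this Trustmark Definition or of GTRI's materials. The inventory of paths, modes, uids and gids is constructed for the example; the allow-listed uid and gid sets are assumptions that an assessor would replace with the CSP's real administrator and application accounts.

```python
"""Audit POSIX discretionary access controls on shared secret files.

Added example for the 'Protection of Shared Secret Files' criterion.
A file passes when it is a regular file, owned by an allow-listed
administrator account, has no world permission bits, and grants group
access only to an allow-listed application group (read-only).
"""
import os
import stat

# Constructed sample inventory (not from the Trustmark Definition):
# (path, st_mode, st_uid, st_gid) as os.lstat() would report them.
SAMPLE_INVENTORY = [
    ("/var/lib/csp/secrets.db",         0o100600, 0,    0),     # root-owned, owner-only access
    ("/var/lib/csp/otp-seeds.bin",      0o100640, 0,    2001),  # read access for app group 2001
    ("/var/lib/csp/legacy-hashes.txt",  0o100644, 1000, 1000),  # world-readable, user-owned
    ("/var/lib/csp/secrets.db.lnk",     0o120777, 0,    0),     # symlink in place of the file
]

# Assumed allow-lists: administrator uids permitted to own the file and
# the application gids permitted read access. Replace with real values.
ALLOWED_UIDS = {0}
ALLOWED_GIDS = {2001}


def findings_for_stat(mode, uid, gid, allowed_uids, allowed_gids=frozenset()):
    """Return a list of findings for one file's mode and ownership.

    An empty list means the file satisfies the discretionary access
    control check; each string describes one way it falls short.
    """
    findings = []
    perm = stat.S_IMODE(mode)  # permission bits only, without the file-type bits

    # A symlink, device or directory at the path is not the secret file itself.
    if not stat.S_ISREG(mode):
        findings.append("not a regular file (symlink or special file); audit the target instead")

    # Any read/write/execute bit for 'other' exposes the secrets to every local account.
    if perm & 0o007:
        findings.append("world-accessible: mode %04o" % perm)

    # Group access is acceptable only for an allow-listed application group ...
    if perm & 0o070 and gid not in allowed_gids:
        findings.append("group %d has access (mode %04o) but is not an allow-listed application group" % (gid, perm))

    # ... and even then the application should only read, never rewrite, the file.
    if perm & stat.S_IWGRP:
        findings.append("group-writable: mode %04o" % perm)

    # The owner can always change the mode, so the owner must be an administrator account.
    if uid not in allowed_uids:
        findings.append("owner uid %d is not an allow-listed administrator account" % uid)

    return findings


def audit_secret_file(path, allowed_uids, allowed_gids=frozenset()):
    """Audit a real file on the local host. lstat() is used deliberately so
    that a symlink planted at the path is reported rather than followed."""
    st = os.lstat(path)
    return findings_for_stat(st.st_mode, st.st_uid, st.st_gid, allowed_uids, allowed_gids)


def audit_inventory(inventory, allowed_uids, allowed_gids=frozenset()):
    """Audit a list of (path, mode, uid, gid) tuples; returns {path: findings}."""
    return {
        path: findings_for_stat(mode, uid, gid, allowed_uids, allowed_gids)
        for path, mode, uid, gid in inventory
    }


if __name__ == "__main__":
    for path, findings in audit_inventory(SAMPLE_INVENTORY, ALLOWED_UIDS, ALLOWED_GIDS).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Mode bits are the whole story only when no extended ACL is present: on Linux a POSIX ACL entry added with `setfacl` can grant a further user or group access that `stat` does not show, so an audit should also run `getfacl` on the file (or check for the `+` marker in `ls -l`). On Windows the same criterion maps to the NTFS DACL on the file, which this script does not examine.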

Assessment Steps (1)


1: Evidence for the Protection of Shared Secret Files (EvidencefortheProtectionofSharedSecretFiles)

Is there evidence that the trustmark applicant protects shared secret files as required? Acceptable evidence may take the form of policies, procedures, practice statements, demonstrated technical capabilities, or assessment reports. Describe the evidence that demonstrates conformance.
Required Artifact(s)
  • Evidence: Evidence that Demonstrates Conformance

Issuance Criteria


yes(all)

Sources (3)


SP800-63-2
NIST Special Publication 800-63-2: Electronic Authentication Guideline. August 2013. Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.
TFPAP-LOA2
FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance, v2.0.2. March 14, 2014. Appendix A-2: Assurance Level 2. Available at http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_TFPAP_0.pdf.
TFPAP-LOA3
FICAM Trust Framework Solutions (TFS) Trust Framework Provider Adoption Process (TFPAP) for All Levels of Assurance, v2.0.2. March 14, 2014. Appendix A-3: Assurance Level 3. Available at http://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_TFPAP_0.pdf.

Terms (45)


Applicant

A party undergoing the processes of registration and identity proofing.

Approved Cryptographic Method

FIPS-approved or NIST-recommended: an algorithm or technique that is either (1) specified in a FIPS or NIST Recommendation, or (2) adopted in a FIPS or NIST Recommendation.

Authentication Factor

A category of tokens that is either "something you know" (e.g., a password), "something you have" (e.g., a cryptographic key), or "something you are" (e.g., a fingerprint).

Authentication Protocol / Authentication Scheme

A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the claimant that he or she is communicating with the intended verifier. An authentication protocol may also define the generation of an authentication assertion to be provided to an RP.

Authentication Protocol Run

An exchange of messages between a claimant and a verifier that executes an authentication protocol and results in authentication, or authentication failure, between the two parties.

Claimant

A party whose identity is to be verified using an authentication protocol.

Credential

An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a subscriber. A credential may be maintained by the subscriber to which the credential was issued or by the CSP that issued the credential.

Credential Service Provider (CSP)

An entity that issues or registers subscriber tokens and issues credentials to subscribers (i.e., a CSP conducts the issuance process). A CSP may encompass RAs and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.

Established Policy, Procedure, or Practice Statement

A policy, procedure, or practice statement that has been formally adopted and put into use by an entity.

Established Technical Capability

The ability to accurately implement and maintain, as part of normal business operations, a technical mechanism for achieving some goal.

External RA Designee

An RA designee that is governed by an entity other than the CSP that it serves.

External Verifier Designee

A verifier designee that is governed by an entity other than the CSP that it serves.

Federal Identity, Credential, and Access Management (FICAM)

An initiative for implementing ICAM principles within the U.S. Federal Government.

Identity Proofing

The process by which a CSP and an RA collect and verify information about a person for the purpose of issuing credentials to that person.

Identity Provider (IDP)

This term may be used either as a synonym for CSP, or to denote a system used to perform the token/credential validation functions of a CSP and the authentication and assertion issuance functions of a verifier.

Identity Relying Party (identity RP)

See "RP".

Issuance

The process of issuing tokens or credentials to a subscriber of a CSP.

Look-Up Secret Token

A physical or electronic token that stores a set of secrets shared between the claimant and the CSP. The claimant uses the token to look up the appropriate secret(s) needed to respond to a prompt from the verifier (the token input).

Memorized Secret Token

A secret shared between the subscriber and the CSP.

Multi-Factor Token

A token that uses two or more factors to achieve authentication.

Multi-Stage Authentication

An authentication scheme, or series of authentication schemes used together, in which one token is used to obtain a second token.

Multi-Token Authentication

An authentication scheme in which the claimant presents token authenticators generated by two or more tokens (not using a multi-stage process) to prove his or her identity to the verifier. The combination of tokens is characterized by the combination of factors used by the tokens (both those inherent in the manifestation of the tokens, and those used to activate the tokens).

National Institute of Standards and Technology (NIST)

NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.

Out-of-Band Token

A physical token that is uniquely addressable and can receive a verifier-selected secret for one-time use. The device is possessed and controlled by the claimant and supports private communication over a channel that is separate from the primary channel for e-authentication. The token authenticator is the received secret and is presented to the verifier using the primary channel for e-authentication.

Personally Identifiable Information (PII)

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Policy

A statement of criteria to which an entity is expected to conform.

Practice Statement

A formal statement of the practices followed by a party. A practice statement usually describes the policies and practices of the party and can become legally binding.

Pre-Registered Knowledge Token

A series of responses to a set of prompts or challenges. These responses may be thought of as a set of shared secrets. The set of prompts and responses are established by the subscriber and CSP during the registration process.

Procedure

A sequence of steps that achieves some stated goal.

Process

See "Procedure".

RA Designee

An RA designated by a particular CSP to conduct registration and/or identity proofing processes on behalf of that CSP. An RA designee may be governed directly by the relying CSP (e.g., a department or business unit of the CSP), or by an entity external to the relying CSP.

Registration

The process through which an applicant applies to become a subscriber of a CSP and an RA validates the identity of the applicant on behalf of the CSP. In other words, registration includes identity proofing and refers to the registration by an RA of the results of performing identity proofing on an applicant.

Registration And Issuance

The sequence of the registration and issuance processes.

Registration Authority (RA)

An entity that establishes and vouches for the identity or attributes of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). It is important for an RA to be trusted by the CSPs and applicants that it serves and the RPs that rely on the identity proofing that it does.

Relying Party (RP)

An entity that relies upon a subscriber's credentials or a verifier's assertion of an identity, typically to process a transaction or grant access to an information system.

Shared Secret

A secret used in authentication that is known to the claimant and the verifier.

Shared Secret File

A file held by a CSP or verifier that contains secrets shared between the CSP or verifier and its subscribers or claimants.

Single-Factor Token

A token that uses one of the three factors to achieve authentication.

Single-Token Authentication

An authentication scheme in which the claimant presents a single token authenticator to prove his or her identity to the verifier.

Subscriber

A party who has received a credential or token from a CSP.

Token

Something that a claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant's identity.

Token Authenticator

The output value generated by a token. This value is provided to a protocol stack to prove that a claimant possesses and controls a token. Protocol messages sent to a verifier are dependent upon the token authenticator, but may or may not explicitly contain it.

Trust Framework Provider Adoption Process (TFPAP)

The Federal Identity, Credential, and Access Management (FICAM) Trust Framework Provider Adoption Process is a documented process by which the U.S. federal government approves Trust Framework Providers (TFPs) to perform the function of assessing and qualifying credential service providers (CSPs) under the FICAM Trust Framework Solutions (TFS) program.

Verifier

An entity that verifies a claimant's identity by verifying the claimant's possession and control of a token using an authentication protocol. To do this, the verifier may also need to validate credentials that link the token and identity and check their status.

Verifier Designee

A verifier designated by a particular CSP to conduct authentication protocol runs on behalf of that CSP. A verifier designee may be governed by the CSP (e.g., a department or business unit of the CSP), or by an entity external to the CSP.