Fitting Token-Based Authentication to FIPS 140-3 (G13a)
Token-based authentication is widely used for web, cloud, and single-sign-on applications. A cryptographic module providing stateless connections often relies on token-based authentication to avoid the burden of traditional PIN management. How does a token-based authentication method fit into the spectrum of role-based authentication vs. identity-based authentication in the FIPS world?
This talk explores the FIPS requirements on roles, services, and authentication. It dissects those requirements by answering two questions: (1) what is the authentication credential in the context of token-based authentication, and (2) how is the user identified and authenticated through possession of a token? In addition, ISO/IEC 19790 states, “When a cryptographic module is reset, rebooted, powered off and subsequently powered on, the module shall [04.43] require the operator to be authenticated.” What does this mean for a cryptographic module providing stateless connections, where authentication status is not retained between requests? Under a proper interpretation, is shall statement [04.43] trivially satisfied by such a module, since every request must carry a fresh proof of authentication? Or is it impossible for such a module to meet shall statement [04.43], since there is no retained authentication status for a power cycle to clear?
There are ongoing discussions under a Request for Guidance (RFG) submitted to the CMVP for a FIPS 140-2 Level 4 module implementing a token-based authentication mechanism. Depending on the outcome of the CMVP decision on this RFG, the presenters plan to share the experience gained with the audience and pave the way for token-based authentication to be validated under FIPS 140-3, which adopts ISO/IEC 19790 by reference.