Looks like StrikeForce's Patent at work.... htt
Post# of 82672
(Total Views: 268)
Posted On: 10/31/2017 2:28:10 PM
Looks like StrikeForce's Patent at work....
http://nvlpubs.nist.gov/nistpubs/SpecialPubli...00-63b.pdf
5.1.2.2 Look-Up Secret Verifiers
Verifiers of look-up secrets SHALL prompt the claimant for the next secret from their
authenticator or for a specific (e.g., numbered) secret. A given secret from an authenticator
SHALL be used successfully only once. If the look-up secret is derived from a grid card, each
cell of the grid SHALL be used only once.
Verifiers SHALL store look-up secrets in a form that is resistant to offline attacks. Look-up
secrets having at least 112 bits of entropy SHALL be hashed with an approved one-way function
as described in Section 5.1.1.2. Look-up secrets with fewer than 112 bits of entropy SHALL be
salted and hashed using a suitable one-way key derivation function, also described in Section
5.1.1.2. The salt value SHALL be at least 32 in bits in length and arbitrarily chosen so as to
minimize salt value collisions among stored hashes. Both the salt value and the resulting hash
SHALL be stored for each look-up secret.
For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a ratelimiting
mechanism that effectively limits the number of failed authentication attempts that can
be made on the subscriber’s account as described in Section 5.2.2.
The verifier SHALL use approved encryption and an authenticated protected channel when
requesting look-up secrets in order to provide resistance to eavesdropping and MitM attacks.
5.1.3 Out-of-Band Devices
An out-of-band authenticator is a physical device that is uniquely addressable
and can communicate securely with the verifier over a distinct communications
channel, referred to as the secondary channel. The device is possessed and
controlled by the claimant and supports private communication over this
secondary channel, separate from the primary channel for e-authentication. An
out-of-band authenticator is something you have.
The out-of-band authenticator can operate in one of the following ways:
NIST SP 800-63B DIGITAL IDENTITY GUIDELINES:
AUTHENTICATION & LIFECYCLE MANAGEMENT
17
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-63b
• The claimant transfers a secret received by the out-of-band device via the secondary
channel to the verifier using the primary channel. For example, the claimant may receive
the secret on their mobile device and type it (typically a 6-digit code) into their
authentication session.
• The claimant transfers a secret received via the primary channel to the out-of-band device
for transmission to the verifier via the secondary channel. For example, the claimant may
view the secret on their authentication session and either type it into an app on their
mobile device or use a technology such as a barcode or QR code to effect the transfer.
• The claimant compares secrets received from the primary channel and the secondary
channel and confirms the authentication via the secondary channel.
The secret's purpose is to securely bind the authentication operation on the primary and
secondary channel. When the response is via the primary communication channel, the secret also
establishes the claimant's control of the out-of-band device.
5.1.3.1 Out-of-Band Authenticators
The out-of-band authenticator SHALL establish a separate channel with the verifier in order to
retrieve the out-of-band secret or authentication request. This channel is considered to be out-ofband
with respect to the primary communication channel (even if it terminates on the same
device) provided the device does not leak information from one channel to the other without the
authorization of the claimant.
The out-of-band device SHOULD be uniquely addressable and communication over the
secondary channel SHALL be encrypted unless sent via the public switched telephone network
(PSTN). For additional authenticator requirements specific to the PSTN, see Section 5.1.3.3.
Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or
email, SHALL NOT be used for out-of-band authentication.
The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways
when communicating with the verifier:
• Establish an authenticated protected channel to the verifier using approved cryptography.
The key used SHALL be stored in suitably secure storage available to the authenticator
application (e.g., keychain storage, TPM, TEE, secure element).
• Authenticate to a public mobile telephone network using a SIM card or equivalent that
uniquely identifies the device. This method SHALL only be used if a secret is being sent
from the verifier to the out-of-band device via the PSTN (SMS or voice).
If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the
authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or
biometric to view). However, authenticators SHOULD indicate the receipt of an authentication
secret on a locked device.
If the out-of-band authenticator sends an approval message over the secondary communication
channel — rather than by the claimant transferring a received secret to the primary
communication channel — it SHALL do one of the following
• The authenticator SHALL accept transfer of the secret from the primary channel which it
SHALL send to the verifier over the secondary channel to associate the approval with the
authentication transaction. The claimant MAY perform the transfer manually or use a
technology such as a barcode or QR code to effect the transfer.
• The authenticator SHALL present a secret received via the secondary channel from the
verifier and prompt the claimant to verify the consistency of that secret with the primary
channel, prior to accepting a yes/no response from the claimant. It SHALL then send that
response to the verifier.
5.1.3.2 Out-of-Band Verifiers
For additional verification requirements specific to the PSTN, see Section 5.1.3.3.
If out-of-band verification is to be made using a secure application, such as on a smart phone, the
verifier MAY send a push notification to that device. The verifier then waits for the
establishment of an authenticated protected channel and verifies the authenticator’s identifying
key. The verifier SHALL NOT store the identifying key itself, but SHALL use a verification
method (e.g., an approved hash function or proof of possession of the identifying key) to
uniquely identify the authenticator. Once authenticated, the verifier transmits the authentication
secret to the authenticator.
Depending on the type of out-of-band authenticator, one of the following SHALL take place:
• Transfer of secret to primary channel: The verifier MAY signal the device containing the
subscriber’s authenticator to indicate readiness to authenticate. It SHALL then transmit a
random secret to the out-of-band authenticator. The verifier SHALL then wait for the
secret to be returned on the primary communication channel.
• Transfer of secret to secondary channel: The verifier SHALL display a random
authentication secret to the claimant via the primary channel. It SHALL then wait for the
secret to be returned on the secondary channel from the claimant’s out-of-band
authenticator.
• Verification of secrets by claimant: The verifier SHALL display a random authentication
secret to the claimant via the primary channel, and SHALL send the same secret to the
out-of-band authenticator via the secondary channel for presentation to the claimant. It
SHALL then wait for an approval (or disapproval) message via the secondary channel.
In all cases, the authentication SHALL be considered invalid if not completed within 10 minutes.
In order to provide replay resistance as described in Section 5.2.8, verifiers SHALL accept a
given authentication secret only once during the validity period.
The verifier SHALL generate random authentication secrets with at least 20 bits of entropy using
an approved random bit generator [SP 800-90Ar1]. If the authentication secret has less than 64
bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits
the number of failed authentication attempts that can be made on the subscriber’s account as
described in Section 5.2.2.
http://nvlpubs.nist.gov/nistpubs/SpecialPubli...00-63b.pdf
5.1.2.2 Look-Up Secret Verifiers
Verifiers of look-up secrets SHALL prompt the claimant for the next secret from their
authenticator or for a specific (e.g., numbered) secret. A given secret from an authenticator
SHALL be used successfully only once. If the look-up secret is derived from a grid card, each
cell of the grid SHALL be used only once.
Verifiers SHALL store look-up secrets in a form that is resistant to offline attacks. Look-up
secrets having at least 112 bits of entropy SHALL be hashed with an approved one-way function
as described in Section 5.1.1.2. Look-up secrets with fewer than 112 bits of entropy SHALL be
salted and hashed using a suitable one-way key derivation function, also described in Section
5.1.1.2. The salt value SHALL be at least 32 in bits in length and arbitrarily chosen so as to
minimize salt value collisions among stored hashes. Both the salt value and the resulting hash
SHALL be stored for each look-up secret.
For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a ratelimiting
mechanism that effectively limits the number of failed authentication attempts that can
be made on the subscriber’s account as described in Section 5.2.2.
The verifier SHALL use approved encryption and an authenticated protected channel when
requesting look-up secrets in order to provide resistance to eavesdropping and MitM attacks.
5.1.3 Out-of-Band Devices
An out-of-band authenticator is a physical device that is uniquely addressable
and can communicate securely with the verifier over a distinct communications
channel, referred to as the secondary channel. The device is possessed and
controlled by the claimant and supports private communication over this
secondary channel, separate from the primary channel for e-authentication. An
out-of-band authenticator is something you have.
The out-of-band authenticator can operate in one of the following ways:
NIST SP 800-63B DIGITAL IDENTITY GUIDELINES:
AUTHENTICATION & LIFECYCLE MANAGEMENT
17
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-63b
• The claimant transfers a secret received by the out-of-band device via the secondary
channel to the verifier using the primary channel. For example, the claimant may receive
the secret on their mobile device and type it (typically a 6-digit code) into their
authentication session.
• The claimant transfers a secret received via the primary channel to the out-of-band device
for transmission to the verifier via the secondary channel. For example, the claimant may
view the secret on their authentication session and either type it into an app on their
mobile device or use a technology such as a barcode or QR code to effect the transfer.
• The claimant compares secrets received from the primary channel and the secondary
channel and confirms the authentication via the secondary channel.
The secret's purpose is to securely bind the authentication operation on the primary and
secondary channel. When the response is via the primary communication channel, the secret also
establishes the claimant's control of the out-of-band device.
5.1.3.1 Out-of-Band Authenticators
The out-of-band authenticator SHALL establish a separate channel with the verifier in order to
retrieve the out-of-band secret or authentication request. This channel is considered to be out-ofband
with respect to the primary communication channel (even if it terminates on the same
device) provided the device does not leak information from one channel to the other without the
authorization of the claimant.
The out-of-band device SHOULD be uniquely addressable and communication over the
secondary channel SHALL be encrypted unless sent via the public switched telephone network
(PSTN). For additional authenticator requirements specific to the PSTN, see Section 5.1.3.3.
Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or
email, SHALL NOT be used for out-of-band authentication.
The out-of-band authenticator SHALL uniquely authenticate itself in one of the following ways
when communicating with the verifier:
• Establish an authenticated protected channel to the verifier using approved cryptography.
The key used SHALL be stored in suitably secure storage available to the authenticator
application (e.g., keychain storage, TPM, TEE, secure element).
• Authenticate to a public mobile telephone network using a SIM card or equivalent that
uniquely identifies the device. This method SHALL only be used if a secret is being sent
from the verifier to the out-of-band device via the PSTN (SMS or voice).
If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the
authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or
biometric to view). However, authenticators SHOULD indicate the receipt of an authentication
secret on a locked device.
If the out-of-band authenticator sends an approval message over the secondary communication
channel — rather than by the claimant transferring a received secret to the primary
communication channel — it SHALL do one of the following
• The authenticator SHALL accept transfer of the secret from the primary channel which it
SHALL send to the verifier over the secondary channel to associate the approval with the
authentication transaction. The claimant MAY perform the transfer manually or use a
technology such as a barcode or QR code to effect the transfer.
• The authenticator SHALL present a secret received via the secondary channel from the
verifier and prompt the claimant to verify the consistency of that secret with the primary
channel, prior to accepting a yes/no response from the claimant. It SHALL then send that
response to the verifier.
5.1.3.2 Out-of-Band Verifiers
For additional verification requirements specific to the PSTN, see Section 5.1.3.3.
If out-of-band verification is to be made using a secure application, such as on a smart phone, the
verifier MAY send a push notification to that device. The verifier then waits for the
establishment of an authenticated protected channel and verifies the authenticator’s identifying
key. The verifier SHALL NOT store the identifying key itself, but SHALL use a verification
method (e.g., an approved hash function or proof of possession of the identifying key) to
uniquely identify the authenticator. Once authenticated, the verifier transmits the authentication
secret to the authenticator.
Depending on the type of out-of-band authenticator, one of the following SHALL take place:
• Transfer of secret to primary channel: The verifier MAY signal the device containing the
subscriber’s authenticator to indicate readiness to authenticate. It SHALL then transmit a
random secret to the out-of-band authenticator. The verifier SHALL then wait for the
secret to be returned on the primary communication channel.
• Transfer of secret to secondary channel: The verifier SHALL display a random
authentication secret to the claimant via the primary channel. It SHALL then wait for the
secret to be returned on the secondary channel from the claimant’s out-of-band
authenticator.
• Verification of secrets by claimant: The verifier SHALL display a random authentication
secret to the claimant via the primary channel, and SHALL send the same secret to the
out-of-band authenticator via the secondary channel for presentation to the claimant. It
SHALL then wait for an approval (or disapproval) message via the secondary channel.
In all cases, the authentication SHALL be considered invalid if not completed within 10 minutes.
In order to provide replay resistance as described in Section 5.2.8, verifiers SHALL accept a
given authentication secret only once during the validity period.
The verifier SHALL generate random authentication secrets with at least 20 bits of entropy using
an approved random bit generator [SP 800-90Ar1]. If the authentication secret has less than 64
bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits
the number of failed authentication attempts that can be made on the subscriber’s account as
described in Section 5.2.2.
(1)
(0)Zerify Inc (ZRFY) Stock Research Links
WORDS TO LIVE BY:
Never argue with stupid people, they will drag you down to their level and then beat you with experience.
Get .... PrivacyLok https://cyberidguard.com/
Try SafeVchat: https://cyberidguard.com/
My comments are only my opinion and are not to be used for investment advice.
Please conduct your own due diligence before choosing to buy or sell any stock.
Never argue with stupid people, they will drag you down to their level and then beat you with experience.
Get .... PrivacyLok https://cyberidguard.com/
Try SafeVchat: https://cyberidguard.com/
My comments are only my opinion and are not to be used for investment advice.
Please conduct your own due diligence before choosing to buy or sell any stock.
Scroll down for more posts ▼