
Proposal: Add Authentication Construct To Account Object

Ivan Kirillov edited this page Dec 5, 2013 · 11 revisions

Status: Open
Comment Period Closes: 12/09/2013
Affects Backwards Compatibility: No
Relevant Issues:
https://github.com/CybOXProject/schemas/issues/114
https://github.com/CybOXProject/schemas/issues/91
https://github.com/CybOXProject/schemas/issues/122

Background Information

This proposal concerns the Account Object and the ability to associate authentication information with an account. Currently there is no place in CybOX for associating authentication credentials with an account.

Proposal

Add an Authentication structure to AccountObjectType for the purpose of specifying the authentication details of an account, with a multiplicity of 0..N to allow for multiple authentication types to be specified for a single account. This type will be accompanied by supporting controlled vocabularies and extension points. The following structures are being proposed as an addition to the Account Object schema.

The suggested Authentication structure will be of type AuthenticationType and contain the following fields:

| Field | Description |
| --- | --- |
| Authentication_Type | The type of authentication that is used for this account. This field is driven by the AuthenticationTypeVocab-1.0 controlled vocabulary described below. |
| Authentication_Data | The actual data used for authentication for the type specified in the Authentication_Type field. For example, if Authentication_Type is set to "Password", this would be the actual password value. |
| Authenticated_Token_Protection_Mechanism | The method (typically an algorithm) used for protecting the authentication token of the account. This field is driven by the AuthenticationTokenProtectionMechanismTypeVocab-1.0 controlled vocabulary described below. |
| Structured_Authentication_Mechanism | An extension point allowing authors to specify structured authentication information. |

The suggested AuthenticationTypeVocab-1.0 would contain the following terms for describing authentication methods:

| Term | Description |
| --- | --- |
| No Authentication | No authentication mechanism. |
| Password | Password based authentication. |
| Cryptographic Key | Cryptographic key based authentication. |
| Biometrics | Biometric authentication (e.g., fingerprints). |
| Hardware Token | Authentication device stored in a physical form (e.g., smart card, USB token, etc.). |
| Software Token | Authentication device stored in software form. |
| Multifactor | Multiple authentication factors. |

The suggested AuthenticationTokenProtectionMechanismTypeVocab-1.0 would contain the following terms for describing methods for protecting authentication tokens:

| Term | Description |
| --- | --- |
| Plaintext | Authentication tokens are stored in plaintext. |
| Salted GOST Hash | The authentication tokens have been salted and hashed with the GOST hash algorithm. |
| Unsalted GOST Hash | The authentication tokens have been hashed with the GOST hash algorithm, without salting. |
| Salted HAVAL Hash | The authentication tokens have been salted and hashed with the HAVAL hash algorithm. |
| Unsalted HAVAL Hash | The authentication tokens have been hashed with the HAVAL hash algorithm, without salting. |
| Salted MD2 Hash | The authentication tokens have been salted and hashed with the MD2 hash algorithm. |
| Unsalted MD2 Hash | The authentication tokens have been hashed with the MD2 hash algorithm, without salting. |
| Salted MD4 Hash | The authentication tokens have been salted and hashed with the MD4 hash algorithm. |
| Unsalted MD4 Hash | The authentication tokens have been hashed with the MD4 hash algorithm, without salting. |
| Salted MD5 Hash | The authentication tokens have been salted and hashed with the MD5 hash algorithm. |
| Unsalted MD5 Hash | The authentication tokens have been hashed with the MD5 hash algorithm, without salting. |
| Salted PANAMA Hash | The authentication tokens have been salted and hashed with the PANAMA hash algorithm. |
| Unsalted PANAMA Hash | The authentication tokens have been hashed with the PANAMA hash algorithm, without salting. |
| Salted RadioGatun Hash | The authentication tokens have been salted and hashed with the RadioGatun hash algorithm. |
| Unsalted RadioGatun Hash | The authentication tokens have been hashed with the RadioGatun hash algorithm, without salting. |
| Salted RIPEMD Hash | The authentication tokens have been salted and hashed with the RIPEMD hash algorithm. |
| Unsalted RIPEMD Hash | The authentication tokens have been hashed with the RIPEMD hash algorithm, without salting. |
| Salted RIPEMD-128/256 Hash | The authentication tokens have been salted and hashed with the RIPEMD-128/256 hash algorithm. |
| Unsalted RIPEMD-128/256 Hash | The authentication tokens have been hashed with the RIPEMD-128/256 hash algorithm, without salting. |
| Salted RIPEMD-160 Hash | The authentication tokens have been salted and hashed with the RIPEMD-160 hash algorithm. |
| Unsalted RIPEMD-160 Hash | The authentication tokens have been hashed with the RIPEMD-160 hash algorithm, without salting. |
| Salted RIPEMD-320 Hash | The authentication tokens have been salted and hashed with the RIPEMD-320 hash algorithm. |
| Unsalted RIPEMD-320 Hash | The authentication tokens have been hashed with the RIPEMD-320 hash algorithm, without salting. |
| Salted SHA-0 Hash | The authentication tokens have been salted and hashed with the SHA-0 hash algorithm. |
| Unsalted SHA-0 Hash | The authentication tokens have been hashed with the SHA-0 hash algorithm, without salting. |
| Salted SHA-1 Hash | The authentication tokens have been salted and hashed with the SHA-1 hash algorithm. |
| Unsalted SHA-1 Hash | The authentication tokens have been hashed with the SHA-1 hash algorithm, without salting. |
| Salted SHA-256/224 Hash | The authentication tokens have been salted and hashed with the SHA-256/224 hash algorithm. |
| Unsalted SHA-256/224 Hash | The authentication tokens have been hashed with the SHA-256/224 hash algorithm, without salting. |
| Salted SHA-512/384 Hash | The authentication tokens have been salted and hashed with the SHA-512/384 hash algorithm. |
| Unsalted SHA-512/384 Hash | The authentication tokens have been hashed with the SHA-512/384 hash algorithm, without salting. |
| Salted SHA-3 Hash | The authentication tokens have been salted and hashed with the SHA-3 hash algorithm. |
| Unsalted SHA-3 Hash | The authentication tokens have been hashed with the SHA-3 hash algorithm, without salting. |
| Salted SHA-3-224 Hash | The authentication tokens have been salted and hashed with the SHA-3-224 hash algorithm. |
| Unsalted SHA-3-224 Hash | The authentication tokens have been hashed with the SHA-3-224 hash algorithm, without salting. |
| Salted SHA-3-256 Hash | The authentication tokens have been salted and hashed with the SHA-3-256 hash algorithm. |
| Unsalted SHA-3-256 Hash | The authentication tokens have been hashed with the SHA-3-256 hash algorithm, without salting. |
| Salted SHA-3-384 Hash | The authentication tokens have been salted and hashed with the SHA-3-384 hash algorithm. |
| Unsalted SHA-3-384 Hash | The authentication tokens have been hashed with the SHA-3-384 hash algorithm, without salting. |
| Salted SHA-3-512 Hash | The authentication tokens have been salted and hashed with the SHA-3-512 hash algorithm. |
| Unsalted SHA-3-512 Hash | The authentication tokens have been hashed with the SHA-3-512 hash algorithm, without salting. |
| Salted Tiger(2)-192/160/128 Hash | The authentication tokens have been salted and hashed with the Tiger(2)-192/160/128 hash algorithm. |
| Unsalted Tiger(2)-192/160/128 Hash | The authentication tokens have been hashed with the Tiger(2)-192/160/128 hash algorithm, without salting. |
| Salted WHIRLPOOL Hash | The authentication tokens have been salted and hashed with the WHIRLPOOL hash algorithm. |
| Unsalted WHIRLPOOL Hash | The authentication tokens have been hashed with the WHIRLPOOL hash algorithm, without salting. |
| Iterative Hash | The authentication tokens have been hashed using an iterative hashing algorithm. |
| Encrypted | The authentication tokens have been encrypted and thus can be decrypted. |
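As an added illustration of how the proposed Authentication structure and the two vocabularies above could be consumed by a defender's tooling (this is example code, not part of the proposal or of the CybOX schemas), the following Python models one Authentication entry, validates its terms against the vocabularies, and ranks an account's weakest token-protection mechanism so accounts whose tokens are stored in plaintext or with an unsalted hash can be triaged first. The `Authentication` class name, the risk tiers and the sample account are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# AuthenticationTypeVocab-1.0 terms, as listed in the proposal.
AUTHENTICATION_TYPES = {
    "No Authentication", "Password", "Cryptographic Key", "Biometrics",
    "Hardware Token", "Software Token", "Multifactor",
}
# AuthenticationTokenProtectionMechanismTypeVocab-1.0: every hash term has the
# shape "Salted <algorithm> Hash" / "Unsalted <algorithm> Hash"; the rest are literal.
HASH_TERM = re.compile(r"^(Salted|Unsalted) (.+) Hash$")
LITERAL_TERMS = {"Plaintext", "Iterative Hash", "Encrypted"}


@dataclass
class Authentication:
    """One entry of the proposed 0..N Authentication structure (assumed class name)."""
    authentication_type: str
    authentication_data: Optional[str] = None
    token_protection_mechanism: Optional[str] = None


def validate(entry: Authentication) -> List[str]:
    """Return the vocabulary violations found in one entry (empty list if valid)."""
    problems = []
    if entry.authentication_type not in AUTHENTICATION_TYPES:
        problems.append(f"unknown Authentication_Type: {entry.authentication_type!r}")
    mech = entry.token_protection_mechanism
    if mech is not None and mech not in LITERAL_TERMS and not HASH_TERM.match(mech):
        problems.append(f"unknown protection mechanism: {mech!r}")
    return problems


def protection_tier(mech: str) -> int:
    """Assumed risk tier for a vocabulary term: 0 = strongest, 4 = weakest storage."""
    if mech == "Iterative Hash":
        return 0                      # slow, purpose-built password hashing
    if mech == "Encrypted":
        return 2                      # reversible: recoverable by anyone holding the key
    if mech == "Plaintext":
        return 4
    m = HASH_TERM.match(mech)
    if not m:
        raise ValueError(f"not a vocabulary term: {mech!r}")
    return 1 if m.group(1) == "Salted" else 3   # unsalted fast hashes rank just above plaintext


def weakest_mechanism(entries: List[Authentication]) -> Optional[str]:
    """The weakest token-protection term across an account's entries, or None."""
    mechs = [e.token_protection_mechanism for e in entries if e.token_protection_mechanism]
    return max(mechs, key=protection_tier) if mechs else None


if __name__ == "__main__":
    # Constructed sample account: a password stored as an unsalted MD5 hash plus a hardware token.
    account = [Authentication("Password", "constructed-hash-value", "Unsalted MD5 Hash"),
               Authentication("Hardware Token")]
    for e in account:
        print(e.authentication_type, validate(e) or "ok")
    print("weakest mechanism:", weakest_mechanism(account))
```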

Impact

No other datatypes are affected by this change, and there are no foreseen backwards compatibility issues.

Requested Feedback

  1. Are the controlled vocabularies both specific and broad enough to support operational use cases?
  2. What fields are required to support your operational use case?