-
Notifications
You must be signed in to change notification settings - Fork 17
Proposal: Add Authentication Construct To Account Object
Status: Open
Comment Period Closes: 12/09/2013
Affects Backwards Compatibility: No
Relevant Issues:
https://github.com/CybOXProject/schemas/issues/114
https://github.com/CybOXProject/schemas/issues/91
https://github.com/CybOXProject/schemas/issues/122
This proposal concerns the Account Object and the ability to associate authentication information with an account. Currently there is no place in CybOX for associating authentication credentials with an account.
Add an Authentication structure to AccountObjectType for the purpose of specifying the authentication details of an account. This type will be accompanied by supporting controlled vocabularies and extension points. The following structures are being proposed as an addition to the Account Object schema.
The suggested Authentication structure will be of type AuthenticationType and contain the following fields:
| Field | Description |
|---|---|
| Authentication_Type | The type of authentication that is used for this account. This field is driven by the AuthenticationTypeVocab-1.0 controlled vocabulary described below. |
| Password | The password associated with this account. |
| Token_PIN | A PIN used to unlock a hardware authentication token. For example, this may be a smart card PIN. |
| Authenticated_Token_Protection_Mechanism | The method for protecting the authentication token of the account. This field is driven by the `AuthenticationTokenProtectionMechansimTypeVocab-1.0 described below. |
| Structured_Authentication_Mechanism | An extension point allowing authors to specify structured authentication information. |
The suggested AuthenticationTypeVocab-1.0 would contain the following terms for describing authentication methods:
| Term | Description |
|---|---|
| No Authentication | No authentication mechanism. |
| Password | Password based authentication. |
| Cryptographic Key | Cryptographic key based authentication. |
| Biometrics | Biometric authentication (e.g., fingerprints). |
| Physical Token | Physical authentication device (e.g., smart card, usb token, etc.). |
| Multifactor | Multiple authentication factors. |
The suggested AuthenticationTokenProtectionMechanismTypeVocab-1.0 would contain the following terms for describing methods for protecting authentication tokens:
| Term | Description |
|---|---|
| Plaintext | Authentication tokens are stored in plaintext. |
| Hashed | The authentication tokens have been hashed once, but not salted. |
| Salted Hash | The authentication tokens have been hashed and salted. |
| Iterative Hash | The authentication tokens have been hashed using an iterative hashing algorithm. |
| Encrypted | The authentication tokens have been encrypted and thus can be decrypted. |
No other datatypes are effected by this change and there are no foreseen backwards compatibility issues.
- Are the controlled vocabularies both specific and broad enough to support operational use cases?
- What fields are required to support your operational use case?