-
Notifications
You must be signed in to change notification settings - Fork 17
Proposal: Add Authentication Construct To Account Object
Ivan Kirillov edited this page Dec 10, 2013
·
11 revisions
Status: CLOSED
Comment Period Closes: 12/09/2013
Affects Backwards Compatibility: No
Relevant Issues:
https://github.com/CybOXProject/schemas/issues/114
https://github.com/CybOXProject/schemas/issues/91
https://github.com/CybOXProject/schemas/issues/122
This proposal concerns the Account Object and the ability to associate authentication information with an account. Currently there is no place in CybOX for associating authentication credentials with an account.
Add an Authentication structure to AccountObjectType for the purpose of specifying the authentication details of an account, with a multiplicity of 0..N to allow for multiple authentication types to be specified for a single account. This type will be accompanied by supporting controlled vocabularies and extension points. The following structures are being proposed as an addition to the Account Object schema.
The suggested Authentication structure will be of type AuthenticationType and contain the following fields:
| Field | Description |
|---|---|
| Authentication_Type | The type of authentication that is used for this account. This field is driven by the AuthenticationTypeVocab-1.0 controlled vocabulary described below. |
| Authentication_Data | The actual data used for authentication for the type specified in the Authentication_Type field. For example, if Authentication_Type is set to "Password", this would be the actual password value. |
| Authenticated_Token_Protection_Mechanism | The method (typically an algorithm) used for protecting the authentication token of the account. This field is driven by the `AuthenticationTokenProtectionMechanismTypeVocab-1.0 described below. |
| Structured_Authentication_Mechanism | An extension point allowing authors to specify structured authentication information. |
The suggested AuthenticationTypeVocab-1.0 would contain the following terms for describing authentication methods:
| Term | Description |
|---|---|
| No Authentication | No authentication mechanism. |
| Password | Password based authentication. |
| Cryptographic Key | Cryptographic key based authentication. |
| Biometrics | Biometric authentication (e.g., fingerprints). |
| Hardware Token | Authentication device stored in a physical form (e.g., smart card, usb token, etc.). |
| Software Token | Authentication device stored in software form. |
| Multifactor | Multiple authentication factors. |
The suggested AuthenticationTokenProtectionMechanismTypeVocab-1.0 would contain the following terms for describing methods for protecting authentication tokens:
| Term | Description |
|---|---|
| Plaintext | Authentication tokens are stored in plaintext. |
| Salted GOST Hash | The authentication tokens have been salted and hashed with the GOST hash algorithm. |
| Unsalted GOST Hash | The authentication tokens have been hashed with the GOST hash algorithm, without salting. |
| Salted HAVAL Hash | The authentication tokens have been salted and hashed with the HAVAL hash algorithm. |
| Unsalted HAVAL Hash | The authentication tokens have been hashed with the HAVAL hash algorithm, without salting. |
| Salted MD2 Hash | The authentication tokens have been salted and hashed with the MD2 hash algorithm. |
| Unsalted MD2 Hash | The authentication tokens have been hashed with the MD2 hash algorithm, without salting. |
| Salted MD4 Hash | The authentication tokens have been salted and hashed with the MD4 hash algorithm. |
| Unsalted MD4 Hash | The authentication tokens have been hashed with the MD4 hash algorithm, without salting. |
| Salted MD5 Hash | The authentication tokens have been salted and hashed with the MD5 hash algorithm. |
| Unsalted MD5 Hash | The authentication tokens have been hashed with the MD5 hash algorithm, without salting. |
| Salted PANAMA Hash | The authentication tokens have been salted and hashed with the PANAMA hash algorithm. |
| Unsalted PANAMA Hash | The authentication tokens have been hashed with the PANAMA hash algorithm, without salting. |
| Salted RadioGatun Hash | The authentication tokens have been salted and hashed with the RadioGatun hash algorithm. |
| Unsalted RadioGatun Hash | The authentication tokens have been hashed with the RadioGatun hash algorithm, without salting. |
| Salted RIPEMD Hash | The authentication tokens have been salted and hashed with the RIPEMD hash algorithm. |
| Unsalted RIPEMD Hash | The authentication tokens have been hashed with the RIPEMD hash algorithm, without salting. |
| Salted RIPEMD-128/256 Hash | The authentication tokens have been salted and hashed with the RIPEMD-128/256 hash algorithm. |
| Unsalted RIPEMD-128/256 Hash | The authentication tokens have been hashed with the RIPEMD-128/256 hash algorithm, without salting. |
| Salted RIPEMD-160 Hash | The authentication tokens have been salted and hashed with the RIPEMD-160 hash algorithm. |
| Unsalted RIPEMD-160 Hash | The authentication tokens have been hashed with the RIPEMD-160 hash algorithm, without salting. |
| Salted RIPEMD-320 Hash | The authentication tokens have been salted and hashed with the RIPEMD-320 hash algorithm. |
| Unsalted RIPEMD-320 Hash | The authentication tokens have been hashed with the RIPEMD-320 hash algorithm, without salting. |
| Salted SHA-0 Hash | The authentication tokens have been salted and hashed with the SHA-0 hash algorithm. |
| Unsalted SHA-0 Hash | The authentication tokens have been hashed with the SHA-0 hash algorithm, without salting. |
| Salted SHA-1 Hash | The authentication tokens have been salted and hashed with the SHA-1 hash algorithm. |
| Unsalted SHA-1 Hash | The authentication tokens have been hashed with the SHA-1 hash algorithm, without salting. |
| Salted SHA-256/224 Hash | The authentication tokens have been salted and hashed with the SHA-256/224 hash algorithm. |
| Unsalted SHA-256/224 Hash | The authentication tokens have been hashed with the SHA-256/224 hash algorithm, without salting. |
| Salted SHA-512/384 Hash | The authentication tokens have been salted and hashed with the SHA-512/384 hash algorithm. |
| Unsalted SHA-512/384 Hash | The authentication tokens have been hashed with the SHA-512/384 hash algorithm, without salting. |
| Salted SHA-3 Hash | The authentication tokens have been salted and hashed with the SHA-3 hash algorithm. |
| Unsalted SHA-3 Hash | The authentication tokens have been hashed with the SHA-3 hash algorithm, without salting. |
| Salted SHA-3-224 Hash | The authentication tokens have been salted and hashed with the SHA-3-224 hash algorithm. |
| Unsalted SHA-3-224 Hash | The authentication tokens have been hashed with the SHA-3-224 hash algorithm, without salting. |
| Salted SHA-3-256 Hash | The authentication tokens have been salted and hashed with the SHA-3-256 hash algorithm. |
| Unsalted SHA-3-256 Hash | The authentication tokens have been hashed with the SHA-3-256 hash algorithm, without salting. |
| Salted SHA-3-384 Hash | The authentication tokens have been salted and hashed with the SHA-3-384 hash algorithm. |
| Unsalted SHA-3-384 Hash | The authentication tokens have been hashed with the SHA-3-384 hash algorithm, without salting. |
| Salted SHA-3-512 Hash | The authentication tokens have been salted and hashed with the SHA-3-512 hash algorithm. |
| Unsalted SHA-3-512 Hash | The authentication tokens have been hashed with the SHA-3-512 hash algorithm, without salting. |
| Salted Tiger(2)-192/160/128 Hash | The authentication tokens have been salted and hashed with the Tiger(2)-192/160/128 hash algorithm. |
| Unsalted Tiger(2)-192/160/128 Hash | The authentication tokens have been hashed with the Tiger(2)-192/160/128 hash algorithm, without salting. |
| Salted WHIRLPOOL Hash | The authentication tokens have been salted and hashed with the WHIRLPOOL hash algorithm. |
| Unsalted WHIRLPOOL Hash | The authentication tokens have been hashed with the WHIRLPOOL hash algorithm, without salting. |
| Salted Skein-256 Hash | The authentication tokens have been salted and hashed with the Skein-256 hash algorithm. |
| Unsalted Skein-256 Hash | The authentication tokens have been hashed with the Skein-256 hash algorithm, without salting. |
| Salted Skein-512 Hash | The authentication tokens have been salted and hashed with the Skein-512 hash algorithm. |
| Unsalted Skein-512 Hash | The authentication tokens have been hashed with the Skein-512 hash algorithm, without salting. |
| Salted Skein-1024 Hash | The authentication tokens have been salted and hashed with the Skein-1024 hash algorithm. |
| Unsalted Skein-1024 Hash | The authentication tokens have been hashed with the Skein-1024 hash algorithm, without salting. |
| Salted Snefru-128 Hash | The authentication tokens have been salted and hashed with the Snefru-128 hash algorithm. |
| Unsalted Snefru-128 Hash | The authentication tokens have been hashed with the Snefru-128 hash algorithm, without salting. |
| Salted Snefru-256 Hash | The authentication tokens have been salted and hashed with the Snefru-256 hash algorithm. |
| Unsalted Snefru-256 Hash | The authentication tokens have been hashed with the Snefru-256 hash algorithm, without salting. |
| Iterative Hash | The authentication tokens have been hashed using an iterative hashing algorithm. |
| AES | The authentication tokens have been encrypted with the AES algorithm. |
| Blowfish | The authentication tokens have been encrypted with the Blowfish algorithm. |
| DES | The authentication tokens have been encrypted with the DES algorithm. |
| IDEA | The authentication tokens have been encrypted with the IDEA algorithm. |
| RC4 | The authentication tokens have been encrypted with the RC4 algorithm. |
| TEA | The authentication tokens have been encrypted with the Tiny Encryption Algorithm (TEA). |
No other datatypes are effected by this change and there are no foreseen backwards compatibility issues.
- Are the controlled vocabularies both specific and broad enough to support operational use cases?
- What fields are required to support your operational use case?
- Is the list of hashing and encryption algorithms in the AuthenticationTokenProtectionMechanismTypeVocab complete enough for general use? Are there any glaring missing algorithms that we should add?