
4. Application of Standard

4.1 Audience

The intended audiences for this Standard are those people responsible for the development, management and security of agency information and IT systems, including:

  • technical analysts
  • architects and developers
  • information and IT managers and administrators
  • IT security managers and administrators
  • outsourcers and other parties providing IT or security services to agencies.

Readers of this Standard are assumed to be familiar with information security concepts and practices.

4.2 NZ e-GIF status

Upon approval by the NZ e-GIF Management Committee, this Standard will enter the NZ e-GIF as Under development (U), and graduate to Recommended (R) after a successful, documented implementation. This Standard is expected to graduate to Adopted (A) once there is a track record of proven successful implementation.

For guidance on agency responsibilities for compliance with NZ e-GIF standards at each status level, refer to the latest version of the NZ e-GIF (www.e.govt.nz).

4.3 Accessing advice on this Standard

Advice on this Standard can be obtained from:

e-GIF Operations
State Services Commission

Postal: PO Box 329, WELLINGTON
Phone: 04 495 6600
Fax: 04 495 6669
Email: e-gif@ssc.govt.nz
Web: www.e.govt.nz

The State Services Commission is the agency responsible for this Standard.

4.4 Interpretation

The following words, defined in Key Words for Use in RFCs to Indicate Requirement Levels (RFC 2119), are used in this Standard:

  • ‘MUST’ – identifies a mandatory requirement for compliance with this Standard.
  • ‘SHOULD’ – refers to practices that are advised or recommended.

Agencies deviating from a ‘SHOULD’, MUST document:

  • the reason for the deviation
  • an assessment of the residual risk resulting from the deviation
  • a date by which the decision will be reviewed
  • management’s approval of the above.

When cross-referencing sections of this Standard, only the number may be quoted.

The full titles of referenced documents cited in this Standard are given in the list of referenced documents at the end.

4.5 Document structure

Section 2 covers the scope of this Standard and also outlines further sources for those elements not covered by this Standard. Section 3 provides details on the NZ e-GIF authentication standards and also discusses the all-of-government authentication shared services. Section 5 briefly discusses vulnerabilities, threats and attacks. The requirements of this Standard are given in section 6.

4.6 Terms and definitions

For the purposes of this Standard, the following definitions apply:

General

Authentication
Process of establishing, to the required level of confidence, the identity of one or more parties to a transaction. Consists of identity management (establishing who you are) and logon management (confirming who you are). In particular, for this Standard authentication is used in the commonly understood sense of a customer logging onto a service with their username and authentication key. This is consistent with the logon management aspect of the general authentication definition above.

Authentication key
Method used by an individual to authenticate his or her identity over the Internet. Examples of authentication keys include passwords, one-time passwords, software tokens, hardware tokens and biometrics. Authentication keys are also referred to as keys.

Government Logon Service (GLS)
An all-of-government shared service that provides ongoing re-confirmation of online identity to participating agencies to the desired level of confidence.

Identity-related risk
Any risk for a particular service that results from an individual’s identity being incorrectly attributed. Also refer to the Evidence of Identity Standard for further details.

Initial password
Password that is issued to the customer and used only for the first authentication.

Identity Verification Service (IVS)
An all-of-government shared service that provides individuals with the option to verify their identity authoritatively, online, and in real-time with participating agencies to a passport-level of confidence.

Low Risk Category
Services in this category have been assessed as having a low level of identity-related risk. For further details, refer to the Evidence of Identity Standard.

Online service
Service that an agency offers through an interactive online delivery channel.

Password
Static secret, usually composed of keyboard characters, which is used as the authentication key.

Reset password
Password that is issued to the customer following identity verification procedures when the customer has forgotten his/her password or been locked out from the authentication system.

Strong password
Password that is resistant to brute force guessing, common password, dictionary and pre-knowledge guessing attacks.

Username
Construction of alphanumeric characters that is used to identify a customer within the authentication system (the username is used to identify the customer, or rather the authentication key, to the verifier as part of the authentication process).

Entities involved in the authentication process

Customer
Person who claims some identity, which undergoes the authentication process. The identity claim may be based on a username.

Verifier
Entity that performs the procedures for verifying the claim of identity for customers. The verifier and the service provider may be separate entities.

Password attacks

Brute force guessing attacks
Where an attacker tries to guess a specific customer’s password by trying every possible valid password (i.e. passwords that are made up from combinations from the set of valid password characters).

Common password attacks
Where an attacker tries commonly used passwords (such as obvious variations of ‘password’, ‘logon’, etc.) against all the usernames they know or can guess.

Dictionary attacks
Where an attacker tries every word from a collection, called a dictionary, against a username to find a legitimate password. The collection may be hashed or encrypted, depending on the way in which passwords are stored.

Key logger attacks
Malicious code or hardware attacks that capture the keystrokes of a customer with the intention of obtaining any password typed in by the customer.

Phishing attacks
Social engineering attacks that use forged web pages, emails, or other electronic communications to convince the customer to reveal their password or other sensitive information to the attacker.

Pre-knowledge guessing attacks
Where an attacker tries to guess a specific customer’s password, using knowledge of the customer’s personal details, preferences, etc.

Shoulder surfing attacks
Social engineering attacks where the attacker covertly observes the password when the customer enters it.

Social engineering attacks
Attacks that are aimed at obtaining authentication keys or data by fooling the customer into using an insecure authentication protocol, or into loading malicious code onto the customer’s computer. Attacks may also be aimed at the verification process, for example by trying to trick help desk staff into accepting a false story.