
Amendment AS06/2008 (Rev 1.0)

This minor revision to AS06/2008 introduces minor changes in ‘3. Guide to Authentication Standards’; primarily the removal of some of the definitions added in AS06/2008 that were duplications of those already contained in the Guide.

NOTE: The New Zealand Security Assertion Messaging Standard (NZ SAMS) Version 1.0 and the Data formats for Identity Records Standard Version 1.1 are shortly to be published in their entirety. Amendments to these do not appear in Amendment AS06/2008.

1. Authentication Key Strengths Standard

All-of-government authentication services (3.2)

3.2 (All-of-government authentication services), is hereby amended by deleting paragraph 2 and substituting it with the following:

  • "The GLS is a website that allows people to access government online services more conveniently by using a common authentication mechanism appropriate to the service risk category established for the service. The IVS will allow people to establish their identity once so that they do not have to establish their identity separately with each agency that uses the IVS they transact with. See 4.6 for definitions of the GLS and IVS."

3.2 is hereby further amended by deleting paragraph 4 and substituting it with the following:

  • "Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. Adopting the service relieves agencies of some (but not all) obligations regarding standards adoption, since the service itself implements the standards applicable to its area of responsibility. However, significant areas of the standards under the responsibility of the agency remain, such as risk assessments and agency web site controls."

Terms and definitions (4.6)

4.6 (Terms and definitions), is hereby amended by:

  • deleting the term "Proof of possession protocol" and its accompanying definition from the table.

4.6 (Terms and definitions), is hereby further amended by adding two new definitions under the Authentication keys section of the table as follows:

  • "Weak mutual authentication – Where one authenticating party can use duplicity to obtain authentication keys or data which they may later use to fraudulently authenticate themselves."
  • "Strong mutual authentication – Where two authenticating parties can authenticate reliably without revealing any authentication keys or data that may be used subsequently to fraudulently authenticate by posing as the other party. With strong mutual authentication the authentication process provides confidence in the other party's claimed identity, but does not leave either party with any information that may later be used to impersonate the other party."

4.6 (Terms and definitions), is hereby further amended by deleting the definition of "one-time password" and substituting it with the following:

  • "One-time password systems utilise a series of passwords in the authentication process. Each password of the series is called a one-time password as they are all distinct and unpredictable (or at least distinct and unpredictable with a very high probability). Many methods are based on a static shared base secret that is used to generate the distinct authentication secrets. Other common methods use collections of passwords that are distributed to customers."

Authentication protocols: threats and attacks (5.2)

5.2 (Authentication protocols: threats and attacks), is hereby amended by deleting bullet point 3 and substituting it with the following:

  • "Man-in-the-middle and verifier impersonation attacks can be resisted in a limited way by using similar protections as described above for eavesdropper and session hijacking attacks; this is effectively weak mutual authentication. Combining the channel encryption with additional cryptographic techniques improves protection against these attacks and is effectively strong mutual authentication (for example, using a mutual handshake exchange based around cryptography and cryptographic keys held by the customer and the verifier, such as TLS in authentication mode, achieves strong mutual authentication)."

Requirements for online services in the Moderate Risk Category (6.9)

6.9 (Requirements for online services in the Moderate Risk Category), is hereby amended by deleting the entire clause and substituting it with the following:

"When the online service is in the Moderate Risk Category, agencies MUST:

  1. Use at least two-factor authentication to authenticate the customer, using one of the following authentication keys:
    1. a one-time password system combined with a password
    2. a one-time password device that requires per-session local activation with a password or biometric
    3. a software token that requires per-session local activation with a password or biometric.
  2. Protect the authentication exchange using GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 402.
  3. Ensure the authentication process is resistant to replay, eavesdropper and session hijacking attacks.
  4. Use weak mutual authentication in cases where a one-time password is used to authenticate the customer (refer 5.2).
  5. Use strong mutual authentication in cases where a software token is used to authenticate the customer (refer 5.2)."

Requirements for online services in the High Risk Category (6.10)

6.10 (Requirements for online services in the High Risk Category), is hereby amended by deleting the entire clause and substituting it with the following:

"When the online service is in the High Risk Category, agencies MUST:

  1. Use at least two-factor authentication to authenticate the customer.
  2. Authenticate the customer using (at least) a hardware token that requires per-session local activation with a password or biometric.
  3. Protect the authentication exchange using GCSB approved encryption technology conforming to the requirements of SIGS and NZSIT 402.
  4. Ensure the authentication process is resistant to replay, eavesdropper and session hijacking attacks.
  5. Use strong mutual authentication (refer 5.2)."

2. Password Standard

All-of-government authentication services (3.2)

3.2 (All-of-government authentication services), is hereby amended by deleting paragraph 2 and substituting it with the following:

  • "The GLS is a website that will allow people to access government online services more conveniently by using a common authentication mechanism appropriate to the service risk category established for the service. The IVS will allow people to establish their identity once so that they do not have to establish their identity separately with each agency that uses the IVS they transact with. See 4.6 for definitions of the GLS and IVS."

3.2 is hereby further amended by deleting paragraphs 4 and 5 and substituting them with the following:

  • "Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. Adopting the service relieves agencies of some (but not all) obligations regarding standards adoption, since the service itself implements the standards applicable to its area of responsibility. However, significant areas of the standards under the responsibility of the agency remain, such as risk assessments and agency web site controls."

Password construction (6.4)

6.4 (Password construction) sub-clause 6.4.2, is hereby amended by deleting the sub-clause and substituting it with the following:

"Passwords MUST be a minimum of seven (7) characters. Passwords SHOULD contain characters from at least three (3) of the following sets:

  1. Lowercase characters (a-z).
  2. Uppercase characters (A-Z).
  3. Digits (0-9).
  4. Punctuation and special characters (for example, !@#$%^&*).

These requirements MUST be enforced by the system."

Password management (6.5)

6.5 (Password management), is hereby amended by deleting sub-clause 6.5.1 and substituting it with the following:

"6.5.1(A) Agencies MUST:

  1. Protect passwords in storage and during the online authentication exchange. (Requirements for the authentication exchange protection of passwords are detailed in the Authentication Key Strengths Standard.)
  2. Require the customer to change an initial logon or a reset password immediately following authentication with that password."

"6.5.1(B) Agencies SHOULD:

  1. Require passwords to be changed at least every 90 days.
  2. Retain a password history of at least the last six (6) passwords used by a customer.
  3. Ensure that the customer does not use a password from their password history."
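The construction rule in 6.4.2 and the history and 90-day rules in 6.5.1(B) above, as an added Python checker that is not code from the standard or from any agency's system; the character-class regexes, the PBKDF2 stand-in for whatever password hash an agency deploys, and the constructed salt are assumptions of this example.

```python
import hashlib
import re
from datetime import date, timedelta

# Character sets named in clause 6.4.2 as amended (regexes are this example's own).
CHARACTER_SETS = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                  re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]
MIN_LENGTH = 7        # 6.4.2: "a minimum of seven (7) characters"
MIN_SETS = 3          # 6.4.2: "at least three (3) of the following sets"
HISTORY_DEPTH = 6     # 6.5.1(B): "at least the last six (6) passwords"
MAX_AGE_DAYS = 90     # 6.5.1(B): "changed at least every 90 days"

def construction_violations(password):
    """Return the 6.4.2 rules a candidate fails; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    sets_used = sum(1 for rx in CHARACTER_SETS if rx.search(password))
    if sets_used < MIN_SETS:
        problems.append("uses %d character set(s); needs %d" % (sets_used, MIN_SETS))
    return problems

def _digest(password, salt):
    # Salted PBKDF2 stands in for the agency's password hash; history is never kept in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class PasswordHistory:
    """Per-customer record of recent password digests and the date of the last change."""
    def __init__(self, salt):
        self.salt = salt           # constructed per-customer salt (assumption)
        self.digests = []          # oldest first, trimmed to HISTORY_DEPTH entries
        self.changed_on = None
    def reused(self, password):    # 6.5.1(B)(3): candidate still in the retained history
        return _digest(password, self.salt) in self.digests
    def expired(self, today=None): # 6.5.1(B)(1): older than MAX_AGE_DAYS must be changed
        today = today or date.today()
        return self.changed_on is None or today - self.changed_on > timedelta(days=MAX_AGE_DAYS)
    def record(self, password, today):
        self.digests = (self.digests + [_digest(password, self.salt)])[-HISTORY_DEPTH:]
        self.changed_on = today

def accept_new_password(history, candidate, today):
    """Apply 6.4.2 and 6.5.1(B)(3); return rejection reasons, or [] after recording the change."""
    problems = construction_violations(candidate)
    if history.reused(candidate):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if not problems:
        history.record(candidate, today)
    return problems
```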

6.5 is hereby further amended by deleting sub-clause 6.5.5 and substituting it with the following:

  • "6.5.5 Agencies MUST ensure that the full password is not visible on the screen when entered."

3. Guide to Authentication Standards

Misuse and abuse of identity (3.2)

3.2 (Misuse and abuse of identity), is hereby amended by deleting the word "stolen", where it appears in two instances, and substituting them with the word "assumed".

3.2 is hereby further amended by adding to the bullet-points the following:

  • "damage to credibility of process."

All-of-government authentication services (3.5)

3.5 (All-of-government authentication services), is hereby amended by deleting paragraph 2 and substituting it with the following:

  • "The GLS is a website that allows people to access government online services more conveniently by using a common authentication mechanism appropriate to the service risk category established for the service. The IVS will allow people to establish their identity once so that they do not have to establish their identity separately with each agency that uses the IVS they transact with. See Appendix A for definitions of the GLS and IVS."

3.5 is hereby further amended by deleting paragraph 4 and substituting it with the following:

  • "Where agencies adopt one or more of these shared services, they must adopt the standards relating to the functions of those services. Adopting the service relieves agencies of some (but not all) obligations regarding standards adoption, since the service itself implements the standards applicable to its area of responsibility. However, significant areas of the standards under the responsibility of the agency remain, such as risk assessments and agency web site controls."

Definitions (Appendix A)

Appendix A (Definitions), is hereby amended by deleting the term "Proof of possession protocol" and its accompanying definition from the table.

Appendix A is hereby further amended by adding two new definitions as follows:

  • "Weak mutual authentication – Where one authenticating party can use duplicity to obtain authentication keys or data which they may later use to fraudulently authenticate themselves."
  • "Strong mutual authentication – Where two authenticating parties can authenticate reliably without revealing any authentication keys or data that may be used subsequently to fraudulently authenticate by posing as the other party. With strong mutual authentication the authentication process provides confidence in the other party's claimed identity, but does not leave either party with any information that may later be used to impersonate the other party."

Appendix A is hereby further amended by deleting the definition of one-time password and substituting it with the following:

  • "One-time password systems utilise a series of passwords in the authentication process. Each password of the series is called a one-time password as they are all distinct and unpredictable (or at least distinct and unpredictable with a very high probability). Many methods are based on a static shared base secret that is used to generate the distinct authentication secrets. Other common methods use collections of passwords that are distributed to customers."

Appendix A – (Definitions) is hereby amended by deleting from the Definition of 'Identity – misuse and abuse', the word "stolen" and substituting it with the word "assumed".

Appendix A is hereby further amended by deleting from the Definition of 'Identity theft', the words "Theft or".

Appendix A is hereby further amended by adding the following Term and Definition:

  • "Party - Party means a person in this Standard. However, the CIQ v3.0 Specifications use the term party to mean a person or an organisation."

Appendix A is hereby further amended by adding the Terms and Definitions as detailed in the Schedule.

(Explanation – these additional terms and definitions were introduced as a result of the subsequent publishing of the New Zealand Security Assertion Messaging Standard, v1.0 June 2008).
