Proposal: Add Authentication Construct To Account Object

Status: Open
Comment Period Closes: TBD
Affects Backwards Compatibility: No
Relevant Issues:
https://github.com/CybOXProject/schemas/issues/114
https://github.com/CybOXProject/schemas/issues/91
https://github.com/CybOXProject/schemas/issues/122

Background Information

This proposal concerns the Account Object and the ability to associate authentication information with an account. Currently there is no place in CybOX for associating authentication credentials with an account.

Proposal

Add an Authentication structure to AccountObjectType for the purpose of specifying the authentication details of an account. This type will be accompanied by supporting controlled vocabularies and extension points. The following structures are being proposed as an addition to the Account Object schema.

The suggested Authentication structure will be of type AuthenticationType and contain the following fields:

Field	Description
Authentication_Type	The type of authentication that is used for this account. This field is driven by the `AuthenticationTypeVocab-1.0` controlled vocabulary described below.
Authentication_Token	The authentication token associated with this account. If the `Authentication_Type` field is set to `"Password"`, the `Authentication_Token` field may contain a password. If the `Authentication_Type` field is set to `"Cryptographic Key"`, this field may contain a key.
Token_PIN	A PIN used to unlock or decrypt the value stored in the `Authentication_Token` field.
Authenticated_Token_Protection_Mechanism	The method for protecting the authentication token of the account. This field is driven by the `AuthenticationTokenProtectionMechansimTypeVocab-1.0 described below.
Structured_Authentication_Mechanism	An extension point allowing authors to specify structured authentication information.

The suggested AuthenticationTypeVocab-1.0 would contain the following terms for describing authentication methods:

Term	Description
No Authentication	No authentication mechanism.
Password	Password based authentication.
Cryptographic Key	Cryptographic key based authentication.
Biometrics	Biometric authentication (e.g., fingerprints).
Physical Token	Physical authentication device (e.g., smart card, usb token, etc.).
Multifactor	Multiple authentication factors.

The suggested AuthenticationTokenProtectionMechanismTypeVocab-1.0 would contain the following terms for describing methods for protecting authentication tokens:

Term	Description
Plaintext	Authentication tokens are stored in plaintext.
Hashed	The authentication tokens have been hashed once, but not salted.
Salted Hash	The authentication tokens have been hashed and salted.
Iterative Hash	The authentication tokens have been hashed using an iterative hashing algorithm.
Encrypted	The authentication tokens have been encrypted and thus can be decrypted.

Impact

No other datatypes are effected by this change and there are no foreseen backwards compatibility issues.

Requested Feedback

Are the controlled vocabularies both specific and broad enough to support operational use cases?
What fields are required to support your operational use case?

Proposal: Add Authentication Construct To Account Object

Background Information

Proposal

Impact

Requested Feedback

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally