Closed dig-comments closed 7 years ago
Man-in-the-middle attacks are a general cybersecurity concept and this guideline is not an appropriate place for a tutorial on them. The use of authenticated protected channels such as TLS provides a high degree of resistance to man-in-the-middle attacks, and verifier impersonation resistance provides further protection particularly with respect to phishing and pharming.
Organization Name (N/A, if individual): CMS
Organization Type: 1
Document (63-3, 63A, 63B, or 63C): 800-63B
Reference (Include section and paragraph number): Section 4.1.2 (Authenticator and Verifier Requirements), Para 2; Section 4.2.2 (Authenticator and Verifier Requirements), Para 2
Comment (Include rationale for comment): The concept of resistance to MitM attacks requires further explanation. (The inference is that an authenticated protected channel provides MitM resistance.)
While confidentiality is easy to understand, how an authenticated protected channel provides MitM protection is not as easily understood. If the channel is compromised, the MitM attack would have access to the authentication information.
Other strategies need to be employed to protect against reuse/replay of the authenticator.
There is no assurance that MitM attack protection strategies implemented by the Agency systems would meet the minimal requirements/functionality intended under NIST SP 800-63r3 when insufficient guidance is provided. Without proper guidance, the Agency implementations may be delayed, require revision, or even require re-engineering at some point in the future.
Suggested Change:
Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other
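To illustrate the distinction the closing comment draws, here is an added toy example (not code from this issue, from CMS, or from NIST): the verifier issues a one-time challenge, and the authenticator binds its output to the server origin it actually observes over the authenticated channel, so a relayed response from an impersonating origin and a replayed response both fail. The origins, key and names are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def authenticator_output(key: bytes, observed_origin: str, challenge: str) -> str:
    """Authenticator side: the output covers the origin the client sees on the
    authenticated channel plus the verifier's challenge. An attacker relaying the
    challenge from a different origin cannot obtain an output bound to the real one."""
    msg = observed_origin.encode() + b"\x00" + challenge.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Verifier side: tracks outstanding one-time challenges and checks that the
    output is bound to its own origin."""

    def __init__(self, origin: str, key: bytes) -> None:
        self.origin = origin
        self.key = key
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: str, output: str) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already consumed: a replayed output is rejected
        self.outstanding.discard(challenge)
        expected = authenticator_output(self.key, self.origin, challenge)
        return hmac.compare_digest(expected, output)


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine_ok, replay_ok, impersonation_relay_ok)."""
    key = secrets.token_bytes(32)  # constructed shared secret for the toy
    real = Verifier("https://login.example.gov", key)  # constructed origin
    c = real.challenge()
    genuine = real.verify(c, authenticator_output(key, real.origin, c))
    replay = real.verify(c, authenticator_output(key, real.origin, c))
    # Impersonating site relays a fresh challenge; the client binds to the origin it observes.
    c2 = real.challenge()
    relayed = authenticator_output(key, "https://login.example-gov.net", c2)
    impersonation = real.verify(c2, relayed)
    return genuine, replay, impersonation
```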