usnistgov / 800-63-3

Home to public development of NIST Special Publication 800-63-3: Digital Authentication Guidelines
https://pages.nist.gov/800-63-3/

The concept of resistance to MitM attacks requires further explanation. (The inference is that an authenticated protected channel provides MitM resistance.) #1384

Closed dig-comments closed 7 years ago

dig-comments commented 7 years ago

Organization Name (N/A, if individual): CMS

Organization Type: 1

Document (63-3, 63A, 63B, or 63C): 800-63B

Reference (Include section and paragraph number): Section 4.1.2 (Authenticator and Verifier Requirements), Para 2; Section 4.2.2 (Authenticator and Verifier Requirements), Para 2

Comment (Include rationale for comment): The concept of resistance to MitM attacks requires further explanation. (The inference is that an authenticated protected channel provides MitM resistance.)

While confidentiality is easy to understand, how an authenticated protected channel provides MitM protection is not as easily understood. If the channel is compromised, the MitM attack would have access to the authentication information.

Other strategies need to be employed to protect against reuse/replay of the authenticator.

There is no assurance that MitM attack protection strategies implemented by the Agency systems would meet the minimal requirements/functionality intended under NIST SP 800-63r3 when insufficient guidance is provided. Without proper guidance, the Agency implementations may be delayed, require revision, or even require re-engineering at some point in the future.

Suggested Change:


Organization Type: 1 = Federal, 2 = Industry, 3 = Academia, 4 = Self, 5 = Other

jimfenton commented 7 years ago

Man-in-the-middle attacks are a general cybersecurity concept and this guideline is not an appropriate place for a tutorial on them. The use of authenticated protected channels such as TLS provides a high degree of resistance to man-in-the-middle attacks, and verifier impersonation resistance provides further protection particularly with respect to phishing and pharming.
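The two ideas raised in this thread, an authenticated protected channel (the client only accepts a server whose certificate chains to a trusted CA and matches the hostname, so an interposed party cannot stand in for the verifier) and verifier impersonation resistance (the authenticator output is bound to the origin the authenticator actually talked to, so an output obtained at some other origin is useless at the real verifier), are illustrated below in an added example. It is not code from the 800-63 project or from either commenter. Part 1 uses only the Python standard-library `ssl` API; part 2 is a deliberately simplified HMAC-based simulation of an origin-bound authenticator with single-use challenges (addressing the replay concern in the original comment), not the mechanism 800-63B specifies. The `Verifier` class, the origin strings and the shared secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import ssl

# ---- Part 1: the client side of an authenticated protected channel --------
# Assumption: the verifier is reached over TLS. The channel is "authenticated"
# only if the client refuses any peer it cannot verify as the expected server.

def authenticated_channel_context(cafile=None):
    """Return an ssl.SSLContext that authenticates the server end of the channel."""
    # create_default_context already sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def weak_channel_context():
    """Common misconfiguration: encryption without peer authentication.

    The channel is confidential against a passive observer but an interposed
    party can present any certificate, so it is *not* MitM resistant.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def channel_is_authenticated(ctx):
    """Configuration check: does this context refuse an unauthenticated peer?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# ---- Part 2: verifier-impersonation-resistant, single-use authenticator output

def authenticator_output(secret, nonce, origin_seen):
    """Simulated authenticator: bind the output to the origin it actually sees.

    Constructed scheme for illustration (HMAC over nonce||origin); it stands in
    for the origin binding that real verifier-impersonation-resistant
    authenticators perform.
    """
    msg = nonce.encode() + b"|" + origin_seen.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Constructed verifier that issues single-use challenges for one origin."""

    def __init__(self, origin, shared_secret):
        self.origin = origin
        self.secret = shared_secret
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, output):
        if nonce not in self.outstanding:
            return False                  # unknown or already used: replay refused
        self.outstanding.discard(nonce)   # single use, consumed even on failure
        expected = authenticator_output(self.secret, nonce, self.origin)
        return hmac.compare_digest(expected, output)


def demo():
    """Run the three cases and return their outcomes."""
    secret = b"constructed-demo-secret"   # constructed; real keys are per-authenticator
    real = Verifier("https://verifier.example", secret)

    # Legitimate: the authenticator sees the real origin over the authenticated channel.
    n1 = real.challenge()
    out1 = authenticator_output(secret, n1, "https://verifier.example")
    legitimate = real.verify(n1, out1)

    # Replay: presenting the same (nonce, output) a second time is refused.
    replayed = real.verify(n1, out1)

    # Origin mismatch: an output produced for some other origin does not
    # verify at the real verifier, because the binding differs.
    n2 = real.challenge()
    out2 = authenticator_output(secret, n2, "https://other-origin.test")
    other_origin = real.verify(n2, out2)

    return {"legitimate": legitimate, "replay": replayed, "other_origin": other_origin}


if __name__ == "__main__":
    print("authenticated ctx:", channel_is_authenticated(authenticated_channel_context()))
    print("weak ctx:", channel_is_authenticated(weak_channel_context()))
    print(demo())
```

The check in `channel_is_authenticated` is the kind of thing a configuration review or unit test should assert on every TLS client an agency system builds, since a single `CERT_NONE` or `check_hostname = False` silently turns an authenticated protected channel into an unauthenticated one. Part 2 shows why the reply's two protections are complementary: the authenticated channel keeps an interposed party out of the conversation, and origin binding plus single-use challenges mean that even an output captured elsewhere cannot be reused at the real verifier.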