NIST Digital Identity Guidelines & Identity Proofing - Why Using A Public Key Infrastructure Is A Key Requirement

2023-04-12

Genuine Identity vs. Digital Identity

Every person and “entity” (computers, smartphones, internet-connected (IoT) devices, applications and other endpoints) in today’s digital environment has a unique digital identity. A digital identity consists of unique identifiers that allow systems, services, and applications to know who or what they are interacting with. Verifying a person’s identity in the digital world, without human intervention, requires a combination of data and attributes that together validate that identity.

A digital identity does not necessarily uniquely identify a person in all settings, but it is always identifiable within the context of a digital service. The genuine identity of the person behind a digital identity might not be known, even though the digital identity has a distinct meaning within the context of that service.

So, a digital identity is a representation of a real person, made up of unique identifiers or attributes. These identifiers could be a driving license number, an email address, or a passport number. 

There are also instances where the association with a real-life subject is needed by legislation (for example, the financial industry’s “Know Your Customer” standards) or to establish accountability for high-risk acts.

The purpose of establishing a digital identity is to establish trust between the identity holder and the person, organization, or system executing the digital transaction. Organizations relying on digital identities must adopt a robust set of procedures to determine whether an individual is who they say they are. This is particularly important for online services, where the strength of the evidence is paramount. NIST’s Digital Identity Guidelines therefore define which types of evidence are acceptable and how they are graded, so that the strength of the resulting assured digital identity can be determined.

NIST Key Recommendations for Identity Proofing

Here we look at the key recommendations that provide technical guidelines to organizations for the implementation of digital identity services.

1. Digital Identity Model

The SP 800-63 guidelines use digital identity models that reflect technologies and architectures currently available in the market. These models have a variety of entities and functions and vary in complexity. Simple models group various functions, such as creating subscriber accounts and providing attributes, under a single entity. More complex models separate these functions among a larger number of entities. The entities and their associated functions found in digital identity models include:

  • Applicant – the subject to be identity proofed.
  • Subscriber – the subject that has successfully completed the identity proofing process or has successfully completed authentication.
  • Claimant – the subject to be authenticated.

2. Expected Outcomes of Identity Proofing

The expected outcomes of identity proofing include:

  • Identity resolution: determine that the claimed identity corresponds to a single, unique individual within the context of the population of users the Credential Service Provider (CSP) serves;
  • Evidence validation: confirm that all supplied evidence is genuine, authentic, and unexpired;
  • Attribute validation: confirm the accuracy of core attributes;
  • Identity verification: verify that the claimed identity is associated with the real-life person supplying the identity evidence; 
  • Fraud Prevention: mitigate attempts to gain fraudulent access to benefits, services, data, or assets.

3. Establishing strong identity-proofing processes to ensure that only legitimate users are able to access digital systems and resources

NIST proposes including an unattended, fully remote Identity Assurance Level (IAL) 2 identity proofing workflow that provides security and convenience without requiring facial recognition.

Draft NIST SP 800-63A-4 also provides an outline of the basic flow for remote identity proofing and enrollment.

4. Evidence Validation & The Role of the Credential Service Provider

A Credential Service Provider (CSP) is a trusted entity whose functions include identity-proofing applicants to the identity service and the registration of authenticators to subscriber accounts. A CSP may be an independent third party.

Identity Resolution

The CSP SHALL collect evidence from the applicant according to one of the following options:

  • Two pieces of SUPERIOR evidence,
  • One piece of SUPERIOR evidence and one piece of STRONG evidence, 
  • Two pieces of STRONG evidence and one piece of FAIR evidence.

Superior evidence (4.3.3.3)

In order to be considered SUPERIOR, identity evidence SHALL meet all the following requirements:

  • The issuing source of the evidence confirmed the claimed identity by following written procedures designed to enable it to have high confidence that the source knows the real-life identity of the subject. Such procedures are subject to recurring oversight by regulatory or publicly accountable institutions.
  • The issuing source visually identified the applicant and performed further checks to confirm the existence of that person.
  • The issuing process for the evidence ensured that it was delivered into the possession of the person to whom it relates.
  • The evidence contains at least one reference number that uniquely identifies the person to whom it relates.
  • The evidence contains a facial portrait or other biometric characteristics of the person to whom it relates.
  • The evidence includes digital information that is cryptographically signed.
  • The evidence includes physical security features that make it difficult to copy or reproduce.
  • The evidence includes an expiration date and is unexpired.

In the list above, ‘digital information that is cryptographically signed’ refers to the use of a digital signature: a method, based on asymmetric cryptography, for securely authenticating digital documents or messages. A Public Key Infrastructure (PKI) is what makes such evidence possible: it uses public-private key pairs to create and issue digitally signed certificates to entities, and the resulting signature serves as proof that the entity’s identity has been validated.

Strong evidence (4.3.3.2) 

In order to be considered STRONG, identity evidence SHALL meet all the following requirements:

  • The issuing source of the evidence confirmed the claimed identity through written procedures designed to enable it to form a reasonable belief that it knows the real-life identity of the person. Such procedures are subject to recurring oversight by regulatory or publicly-accountable institutions. For example, the Customer Identification Program guidelines established in response to the USA PATRIOT Act of 2001 or the [RedFlagsRule], under Sec. 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act).
  • There is a high likelihood that the evidence-issuing process would result in the delivery of the evidence to the person to whom it relates.
  • The evidence contains a reference number or other attributes that uniquely identify the person to whom it relates.
  • The evidence contains a facial portrait or other biometric characteristic of the person to whom it relates.
  • The evidence includes physical security features that make it difficult to copy or reproduce.
  • The evidence includes an expiration date and is unexpired.

Fair evidence (4.3.3.1)

In order to be considered FAIR, identity evidence SHALL meet all the following requirements:

  • The issuing source of the evidence confirmed the claimed identity through an identity proofing process.
  • It can be reasonably assumed that the evidence issuing process would result in the delivery of the evidence to the person to whom it relates.
  • The evidence contains at least one reference number, a facial portrait, or sufficient attributes to uniquely identify the person to whom it relates.
  • The evidence has not expired or it expired within the previous six (6) months, or it was issued within the previous six (6) months if it does not contain an expiration date.
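To make the grading rules concrete, here is an added Go example (not code from the article or from NIST SP 800-63A) that encodes the FAIR, STRONG and SUPERIOR criteria above, the FAIR six-month currency rule, and the three evidence-collection options from the "Identity Resolution" section. The Evidence struct, the numeric issuer-confidence and delivery tiers, the sample documents, and the assumption that a stronger piece of evidence may fill a weaker slot in a collection option are all constructions for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Strength is the grade a CSP assigns to one piece of identity evidence.
type Strength int

const (
	Unacceptable Strength = iota
	Fair
	Strong
	Superior
)

func (s Strength) String() string {
	return []string{"UNACCEPTABLE", "FAIR", "STRONG", "SUPERIOR"}[s]
}

// Issuer-confidence and delivery tiers: a numeric encoding constructed for this example.
const (
	IssuerProofed          = 1 // confirmed through an identity proofing process
	IssuerReasonableBelief = 2 // written procedures under regulatory oversight
	IssuerHighConfidence   = 3 // written procedures giving high confidence, under oversight
	DeliveryReasonablyAssumed = 1
	DeliveryHighLikelihood    = 2
	DeliveryEnsured           = 3
)

// Evidence records what the CSP has established about one piece of evidence.
type Evidence struct {
	IssuerConfidence, Delivery int  // tiers defined above
	VisuallyIdentified         bool // issuer saw the applicant and confirmed the person exists
	UniqueReference            bool // reference number that uniquely identifies the person
	Biometric                  bool // facial portrait or other biometric characteristic
	SufficientAttributes       bool // other attributes sufficient to identify (FAIR only)
	CryptoSigned               bool
	PhysicalFeatures           bool
	HasExpiry                  bool
	ExpiresAt, IssuedAt        time.Time
}

// Grade returns the highest strength whose requirements the evidence meets.
func Grade(e Evidence, now time.Time) Strength {
	unexpired := e.HasExpiry && now.Before(e.ExpiresAt)
	if e.IssuerConfidence >= IssuerHighConfidence && e.VisuallyIdentified &&
		e.Delivery >= DeliveryEnsured && e.UniqueReference && e.Biometric &&
		e.CryptoSigned && e.PhysicalFeatures && unexpired {
		return Superior
	}
	if e.IssuerConfidence >= IssuerReasonableBelief && e.Delivery >= DeliveryHighLikelihood &&
		e.UniqueReference && e.Biometric && e.PhysicalFeatures && unexpired {
		return Strong
	}
	// FAIR currency: unexpired or expired within the last six months, or (no expiry date) issued within the last six months.
	sixMonthsAgo := now.AddDate(0, -6, 0)
	current := e.IssuedAt.After(sixMonthsAgo)
	if e.HasExpiry {
		current = e.ExpiresAt.After(sixMonthsAgo)
	}
	if e.IssuerConfidence >= IssuerProofed && e.Delivery >= DeliveryReasonablyAssumed &&
		(e.UniqueReference || e.Biometric || e.SufficientAttributes) && current {
		return Fair
	}
	return Unacceptable
}

var collectionOptions = [][]Strength{{Superior, Superior}, {Superior, Strong}, {Strong, Strong, Fair}} // strongest first

// MeetsCollectionRequirement reports whether the graded pieces satisfy one of the options, and which.
// Assumption made for this example: a stronger piece may fill a weaker slot (SUPERIOR for STRONG, STRONG for FAIR).
func MeetsCollectionRequirement(grades []Strength) (bool, string) {
	sorted := append([]Strength(nil), grades...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i] > sorted[j] })
	for _, option := range collectionOptions {
		ok := len(sorted) >= len(option)
		for i := 0; ok && i < len(option); i++ {
			ok = sorted[i] >= option[i] // both lists descend, so pairwise comparison suffices
		}
		if ok {
			return true, fmt.Sprint(option)
		}
	}
	return false, ""
}

func main() {
	now := time.Date(2023, 4, 12, 0, 0, 0, 0, time.UTC)
	passport := Evidence{IssuerConfidence: IssuerHighConfidence, Delivery: DeliveryEnsured, VisuallyIdentified: true, // constructed sample
		UniqueReference: true, Biometric: true, CryptoSigned: true, PhysicalFeatures: true, HasExpiry: true, ExpiresAt: now.AddDate(5, 0, 0)}
	licence := Evidence{IssuerConfidence: IssuerReasonableBelief, Delivery: DeliveryHighLikelihood, // constructed sample, no signed data
		UniqueReference: true, Biometric: true, PhysicalFeatures: true, HasExpiry: true, ExpiresAt: now.AddDate(1, 0, 0)}
	grades := []Strength{Grade(passport, now), Grade(licence, now)}
	ok, option := MeetsCollectionRequirement(grades)
	fmt.Println(grades, "meets a collection option:", ok, option)
}
```

Grade applies the lists top-down and returns the first level whose requirements are all met, so evidence that lacks signed digital data drops from SUPERIOR to STRONG, and evidence that expired three months ago still grades FAIR. MeetsCollectionRequirement sorts the grades strongest-first and compares them slot by slot against each option.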

Evidence Validation

A CSP is required to validate all evidence collected to meet evidence collection requirements and all core attribute information that is required by the CSP identity service.

The CSP SHALL validate the genuineness of each piece of SUPERIOR evidence by confirming the integrity of its cryptographic security features and validating any digital signatures.

The CSP SHALL validate the genuineness of each piece of STRONG evidence by one of the following:

  • Visual inspection by trained personnel,
  • The use of technologies that can confirm the integrity of physical security features and detect if the evidence is fraudulent or has been inappropriately modified,
  • If present, confirming the integrity of digital security features, including the validity of the issuer’s digital signature.

The authenticity and accuracy of identity evidence or attribute information that is cryptographically protected can be validated through verification of the digital signature on the evidence or the attribute data objects. The CSP SHALL use the public key of the issuing authority of the evidence to verify digitally signed evidence or attribute data objects.

The point above, ‘confirming the integrity of digital security features, including the validity of the issuer’s digital signature’, refers to the secure creation and issuance of digital certificates, signed by the Certification Authority (CA) as the core element of a PKI and issued to the entity. To ensure that the private-public key pairs on which these certificates are based are generated securely, a Hardware Security Module (HSM) is a necessity for key generation in accordance with the highest security standards. HSMs act as the trust anchor both for the identities of the entities themselves and for the certificates issued by the public key infrastructure.

Authenticators (SP 800-63-4)

The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:

  • Something you know (e.g., a password)
  • Something you have (e.g., an ID badge or a cryptographic key)
  • Something you are (e.g., a fingerprint or other biometric characteristic data)

Authentication Process (4.3.4.1) 

The CSP SHALL validate the authenticity, accuracy, and currency of presented evidence by:

  • Confirming the evidence is in the correct format and includes complete information for the identity evidence type.
  • Confirming the evidence is not counterfeit and that it has not been tampered with.
  • Confirming any security features.

The CSP SHALL validate that the evidence is current through confirmation that its expiration date has not passed or that evidence without an expiration date was issued within the previous six (6) months.

Evidence and Attribute Validation Methods

Acceptable methods for validating presented evidence (4.3.4.3) include:

  • Visual and tactile inspection by trained personnel for in-person identity proofing,
  • Visual inspection by trained personnel for remote identity proofing,
  • Automated document validation processes using appropriate technologies,
  • Validation of attributes contained on the evidence with an authoritative or credible source,
  • Verification of the digital signature protecting digital evidence or attribute data objects using the public key of the issuing authority of the evidence.

In all instances of evidence validation, a Public Key Infrastructure (PKI) is therefore a major requirement. It enables trust relationships among the certified entities, confidentiality in their communication, and integrity of the data they generate and exchange.
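As an added example, not code from the article or from any NIST publication, the following Go program shows the PKI mechanics behind the "Evidence Validation" and "Evidence and Attribute Validation Methods" sections: a root CA (the trust anchor) certifies an evidence-issuing authority, that authority signs an evidence data object, and the CSP verifies the object with the issuer's public key after confirming that the issuer's certificate chains to a trusted root and is still valid. The entity names, the JSON attribute payload and the SignedEvidence structure are constructions for this example, and the in-memory key pairs stand in for the HSM-held keys the article calls for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedEvidence is a constructed stand-in for a signed evidence data object: attribute
// bytes, an ECDSA signature over them, and the issuing authority's DER-encoded certificate.
type SignedEvidence struct {
	Attributes, Signature, IssuerCert []byte
}

// Issuer is a PKI entity (root CA or evidence-issuing authority); its key would live in an HSM in production.
type Issuer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var serial int64 // example-only serial counter; production CAs use random serials

// NewIssuer generates a P-256 key and certifies it. With parent == nil the result is a
// self-signed root CA (the trust anchor); otherwise the parent CA signs the certificate.
func NewIssuer(name string, parent *Issuer, now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(2, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	} else {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Key: key, Cert: cert}, nil
}

// Sign produces the signed evidence data object that an applicant later presents.
func (is *Issuer) Sign(attributes []byte) (SignedEvidence, error) {
	digest := sha256.Sum256(attributes)
	sig, err := ecdsa.SignASN1(rand.Reader, is.Key, digest[:])
	if err != nil {
		return SignedEvidence{}, err
	}
	return SignedEvidence{Attributes: attributes, Signature: sig, IssuerCert: is.Cert.Raw}, nil
}

// VerifyEvidence is the CSP-side check: the issuing authority's certificate must chain to a trusted
// root and be valid at now, and the signature must verify under its public key over the exact attributes.
func VerifyEvidence(ev SignedEvidence, roots *x509.CertPool, now time.Time) error {
	cert, err := x509.ParseCertificate(ev.IssuerCert)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("issuing authority not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, ev.Attributes, ev.Signature); err != nil {
		return fmt.Errorf("signature does not match the presented attributes: %w", err)
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewIssuer("Example Root CA", nil, now) // errors ignored only in this demo main
	agency, _ := NewIssuer("Example Document Agency", ca, now)
	ev, _ := agency.Sign([]byte(`{"name":"A. Applicant","docno":"EXAMPLE-0001"}`)) // constructed payload
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	fmt.Println("genuine evidence:", VerifyEvidence(ev, roots, now))
	ev.Attributes = []byte(`{"name":"B. Impostor","docno":"EXAMPLE-0001"}`) // altered after signing
	fmt.Println("tampered evidence:", VerifyEvidence(ev, roots, now))
}
```

Both checks are needed: the chain check establishes that the signing key belongs to an authority the CSP trusts, and the signature check establishes that the attributes were not altered after signing. Altering a single byte of the attributes, presenting a certificate from an issuer outside the CSP's trust store, or presenting after the issuer's certificate has expired all cause VerifyEvidence to return an error.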