An Introduction to CardSpace

  • 8/3/2019 An Introduction to CardSpace

    1/38

    An Introduction to CardSpace

    Barry Dorrans, Charteris plc

    [email protected]

    http://idunno.org/

    http://www.charteris.com/

  • 2/38

    The Laws of Identity

    User Control and Consent

    Minimal Disclosure for a constrained use

    Justifiable parties

    Directed Identity

    Pluralism of operators and technologies

    Human integration

    Consistent experience across contexts

  • 3/38

    What is CardSpace?

    "Windows CardSpace is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way."

    Source: http://cardspace.netfx3.com/content/introduction.aspx

  • 4/38

    .NET 3.0 Subsystems

  • 5/38

    CardSpace is not Passport

    The client software is an identity selector

    The user chooses what information is sent to a requesting web site.

    An issuing server is an identity provider

    Identifiable information is held on the user's PC or at the identity provider.

    Developed by Kim Cameron, MS

    Championed by external thought leaders like Doc Searls & Lawrence Lessig

  • 6/38

    Information Cards

    Personal (self-issued): phone book information

    Managed: sourced from a 3rd-party authority; users cannot edit claims

    Can be protected by various means (username/password, Kerberos, smart card etc.)

  • 7/38

    The Identity Selector

    Easier: no usernames, no passwords

    Consistent: same UI

    Safer: avoids phishing; multi-factor authentication

  • 8/38

    The typical logon process

    Login to identity provider

    Token issued to client

    Token sent to service provider

    Token validated with identity provider

    Output sent to client

  • 9/38

    The CardSpace logon process

    Service Provider Requests Identity

    CardSpace Identity Selector pops up

    Token is built by Identity Selector (with Identity Provider)

    Token sent to client

    Output sent to client

  • 10/38

    CardSpace versus OpenID

  • 11/38

    CardSpace versus OpenID/Passport

    CardSpace                                                  OpenID
    Client-side prompt (IE support / Firefox community code)   HTML form
    Common user experience                                     Experience varies between identity providers
    Simpler login                                              Redirection / site bounce
    Requires EV SSL                                            No SSL required

    http://www.codeplex.com/IdentitySelector

  • 12/38

    The OpenID login process

  • 13/38

    Phishers versus OpenID/Passport

  • 14/38

    CardSpace with OpenID

  • 15/38

    Hello Cardspace

  • 16/38

    Hello Cardspace

    Can also use binary behaviour

    Unmanaged API via iecardie.dll: GetToken() and GetBrowserToken()

  • 17/38

    CardSpace Security

    All communications are secured. Data is encrypted in memory until use.

    Store is double encrypted and ACLed.

    Resource provider can be concealed from the Identity Provider.

    Signing key for self-issued tokens varies for each RP.

    Users can protect cards with a PIN.

    CardSpace runs on a private Windows Desktop, like UAC in Vista.

  • 18/38

    Extended Validation SSL

  • 19/38

    Phishing toolbars can get it wrong

  • 20/38

    SAML

    Security Assertion Markup Language.

    Open standard http://www.oasis-open.org/.

    Single sign on.

    Assertion based.

    Think locally, act globally.

    CardSpace uses the SAML 2.0 ECP Profile (Enhanced Client Proxy).

  • 21/38

    SAML Encryption

    Token is encrypted using WS-Security

    .NET 3.0 provides classes to:

    Decrypt the token

    Convert it to SAML claims

  • 22/38

    SAML Encryption

    Shows the token has been encrypted with the AES256-CBC symmetric algorithm.

    Both originator and recipient share the key.

  • 23/38

    SAML Encryption

    Shows the symmetric key is being conveyed via RSA-OAEP-MGF1P (both an encoding method and an algorithm).

    The sender has made up a transient key (AES) and encrypted the transient key with the recipient's SSL public key.

  • 24/38

    SAML Encryption

    The encrypted transient key

  • 25/38

    SAML Encryption

    The encrypted message
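
    Slides 22 to 25 describe the token envelope: an AES256-CBC body whose transient key travels RSA-OAEP-MGF1P-wrapped under the relying party's SSL public key. As an added example that is not part of the deck, the following Python reads that XML Encryption structure with the standard library and pins the algorithm URIs before anything is handed to a decryption routine; the element names and algorithm URIs are the W3C XML-Enc ones, and the EncryptedData sample with its ciphertext blobs is a constructed placeholder.

```python
import base64
from xml.etree import ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
AES256_CBC = XENC + "aes256-cbc"          # the symmetric algorithm named on slide 22
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"  # the key transport named on slide 23

# Constructed stand-ins for the two base64 blobs on slides 24 and 25: 256 bytes is
# what a 2048-bit RSA key transport yields, 48 bytes is an IV plus two AES blocks.
WRAPPED_KEY_B64 = base64.b64encode(bytes(256)).decode()
CIPHERTEXT_B64 = base64.b64encode(bytes(48)).decode()

SAMPLE = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DSIG}">
  <xenc:EncryptionMethod Algorithm="{AES256_CBC}"/>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{RSA_OAEP_MGF1P}"/>
    <xenc:CipherData><xenc:CipherValue>{WRAPPED_KEY_B64}</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>{CIPHERTEXT_B64}</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

def _algorithm(parent):
    method = parent.find(f"{{{XENC}}}EncryptionMethod")
    return method.get("Algorithm") if method is not None else None

def _cipher_value(parent):
    node = parent.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue")
    if node is None or not node.text:
        raise ValueError("missing CipherValue")
    return base64.b64decode("".join(node.text.split()), validate=True)

def inspect_encrypted_data(xml_text, data_alg=AES256_CBC, key_alg=RSA_OAEP_MGF1P):
    """Read the algorithm URIs and ciphertext blobs out of an XML-Enc EncryptedData
    element, refusing anything but the expected algorithms before any decryption."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError("not an EncryptedData element")
    if _algorithm(root) != data_alg:
        raise ValueError(f"unexpected data algorithm: {_algorithm(root)}")
    enc_key = root.find(f"{{{DSIG}}}KeyInfo/{{{XENC}}}EncryptedKey")
    if enc_key is None or _algorithm(enc_key) != key_alg:
        raise ValueError("missing or unexpected key transport algorithm")
    wrapped_key, ciphertext = _cipher_value(enc_key), _cipher_value(root)
    if len(ciphertext) < 32 or len(ciphertext) % 16:
        raise ValueError("CBC ciphertext must be an IV plus whole 16-byte blocks")
    return {"data_alg": data_alg, "key_alg": key_alg,
            "wrapped_key_len": len(wrapped_key), "ciphertext_len": len(ciphertext)}
```

    Pinning the algorithms to what the policy expects, rather than trusting whatever URI the sender wrote into the envelope, is the check that belongs in front of the .NET decryption classes mentioned on slide 21.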

  • 26/38

    The unencrypted message

    Assertion Header

    Issuer: http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self

  • 27/38

    The unencrypted message

    Time Constraints

    Audience: requesting page (https://www.fabrikam.com/Demos/Reading/signin4.html)

  • 28/38

    The unencrypted message

    Claims

    Audience: requesting page (https://www.fabrikam.com/Demos/Reading/signin4.html)

  • 29/38

    The unencrypted message

    Claims: Barry; wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=
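
    Slides 26 to 29 show what the decrypted assertion carries: the issuer, time constraints, the audience (the requesting page) and the claims. As an added example that is not part of the deck, this Python performs the relying-party checks on such an assertion before any claim is trusted; the SAML 2.0 assertion namespace, the claim-type URIs and the constructed sample token are assumptions, while the self-issuer URI and the requesting page URL are the ones on the slides.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"                          # assumed
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"         # assumed
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
REQUESTING_PAGE = "https://www.fabrikam.com/Demos/Reading/signin4.html"
NS = {"saml": SAML2}

# Constructed decrypted token modelled on slides 26 to 29: self-issued, a five-minute
# validity window, audience = the requesting page, a GivenName and a PPID claim.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed" Version="2.0">
  <saml:Issuer>{SELF_ISSUER}</saml:Issuer>
  <saml:Conditions NotBefore="2019-08-03T10:00:00Z" NotOnOrAfter="2019-08-03T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{REQUESTING_PAGE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Barry</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}privatepersonalidentifier">
      <saml:AttributeValue>Y29uc3RydWN0ZWQtcHBpZA==</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, audience, now, issuer=SELF_ISSUER, skew=timedelta(seconds=30)):
    """Relying-party checks on a decrypted assertion: expected issuer, the time window
    (allowing bounded clock skew) and the audience; returns the claims as a dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before) - skew:
        raise ValueError("assertion not yet valid")
    if not not_on_or_after or now >= _utc(not_on_or_after) + skew:
        raise ValueError("assertion expired or has no expiry")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {audience}")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS):
            claims[name[len(CLAIMS):]] = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    return claims
```

    The audience check is what stops a token issued for one relying party being replayed to another, and it must be the requesting page itself, as slides 27 and 28 show, not merely the same host.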

  • 30/38

    Claims (1/4)

    Anonymous

    Authentication

    AuthorizationDecision

    Country

    DateOfBirth

    Dns

    Email

    Gender

  • 31/38

    Claims (2/4)

    GivenName

    Hash

    HomePhone

    Locality

    MobilePhone

    Name

    NameIdentifier

    OtherPhone

  • 32/38

    Claims (3/4)

    PostalCode

    PPID

    RSA

    SID

    SPN

    StateOrProvince

    StreetAddress

    Surname

  • 33/38

    Claims (4/4)

    System

    Thumbprint

    Upn

    URI

    WebPage

    X500DistinguishedName

  • 34/38

    Want to be an identity provider?

    EV SSL Certificate

    Security Token Service and policy

    Information Card creation and provisioning

  • 35/38

    Things to consider

    Self-signed cards should be verified by other means.

    How do you measure trust of managed cards?

    Branding is coming

  • 36/38

    Supported Platforms

    Vista, XP, and W2K3.

    IE7

    Only NTFS

    It's all WS-*; the platform should not matter.

    OSIS: open-source initiative to create an Identity Selector that runs on multiple platforms.

    http://osis.netmesh.org/wiki/Main_Page

  • 37/38

    Conclusion

    "Now, with the debut of the InfoCard identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography."

    Lawrence Lessig, Wired Magazine, March 2006.

  • 38/38

    Further Reading

    http://cardspace.netfx3.com/ - Microsoft reference site

    http://www.identityblog.com/ - Kim Cameron (with PHP sample code)

    http://www.perpetual-motion.com/ - Firefox CardSpace extension

    https://infocard.pingidentity.com/cardspace/ - Java CardSpace implementations