
An Introduction To CardSpace

This document provides an overview of CardSpace, an identity selector software developed by Microsoft that allows users to securely provide their digital identity to online services. CardSpace uses information cards containing user attributes and claims that are verifiable through identity providers. It aims to give users control over their personal information while simplifying the login process and increasing security compared to traditional username/password systems. The document discusses CardSpace's advantages over OpenID, how it uses SAML and encryption, and considerations for becoming an identity provider.
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd

An Introduction to CardSpace

Barry Dorrans
Charteris plc
[email protected]
http://idunno.org
http://www.charteris.com/

The Laws of Identity


- User Control and Consent
- Minimal Disclosure for a constrained use
- Justifiable parties
- Directed Identity
- Pluralism of operators and technologies
- Human integration
- Consistent experience across contexts

What is CardSpace?
http://cardspace.netfx3.com/
Windows CardSpace is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way.

.NET 3.0 Subsystems

CardSpace is not Passport


- The client software is an identity selector: the user chooses what information is sent to a requesting web site.
- An issuing server is an identity provider.
- Identifiable information is held on the user's PC or at the identity provider.
- Developed by Kim Cameron, MS.
- Championed by external thought leaders like Doc Searls & Lawrence Lessig.

Information Cards
Personal (self-issued)
- Phone book information
Managed
- Sourced from a 3rd party authority
- Users cannot edit claims
- Can be protected by various means (username/password, Kerberos, smart card etc.)

The Identity Selector


- Easier: no usernames, no passwords
- Consistent: same UI
- Safer: avoids phishing; multi-factor authentication

The typical logon process


1. Login to identity provider
2. Token issued to client
3. Token sent to service provider
4. Token validated with identity provider
5. Output sent to client

The CardSpace logon process


1. Service provider requests identity
2. CardSpace identity selector pops up
3. Token is built by the identity selector (with the identity provider)
4. Token sent to client
5. Output sent to client

CardSpace versus OpenID

CardSpace versus OpenID/Passport


CardSpace                                               | OpenID
--------------------------------------------------------+----------------------------------------------
Client side prompt (IE support / Firefox community code) | HTML form
Common user experience                                   | Experience varies between identity providers
Simpler login                                            | Redirection / site bounce
Requires EV SSL                                          | No SSL required

The OpenID login process

Phishers versus OpenID/Passport

CardSpace with OpenID

Hello Cardspace
<object type="application/x-informationcard" name="xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims"
         value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>

Hello Cardspace
- Can also use a binary behaviour.
- Unmanaged API via iecardie.dll: GetToken() and GetBrowserToken().

CardSpace Security
- All communications are secured.
- Data encrypted in memory until use.
- Store is double encrypted and ACLed.
- Resource provider can be concealed from the identity provider.
- Signing key for self-issued tokens varies for each RP.
- Users can protect cards with a PIN.
- CardSpace runs on a private Windows desktop, like UAC in Vista.

Extended Validation SSL

Phishing toolbars can get it wrong

SAML
- Security Assertion Markup Language.
- Open standard (OASIS): http://www.oasis-open.org/
- Single sign-on.
- Assertion based.
- Think locally, act globally.
- CardSpace uses the SAML 2.0 ECP (Enhanced Client or Proxy) profile.

SAML Encryption
- Token is encrypted using WS-Security.
- .NET 3.0 provides classes to:
  - un-encrypt the token
  - convert it to SAML claims

SAML Encryption
<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />

Shows the token has been encrypted with AES-256 in CBC mode, a symmetric algorithm: both originator and recipient share the key.

SAML Encryption
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">

Shows the symmetric key is being conveyed via RSA-OAEP-MGF1P (both an encoding method and an algorithm). The sender has made up a transient key (AES) and encrypted the transient key with the recipient's SSL public key.

SAML Encryption
<e:CipherValue>
  1dYJm11Qw2UDKuS7OsjY23k+vX4l5nHkKUC71ev7
  jtDUC0dFn1mcWunmGV272bpXGHeyWIviv2Salkxj
  XErXBwO3hq9/dNyDfY7VvLRi5rOvn1Szgb71d0Xg
  rKCvnUljhy9bSssSxtYgr4YOTkUV894z0yXS9omK
  S0XNtm/dzr4=
</e:CipherValue>

The encrypted transient key

SAML Encryption
<enc:CipherData>
  <enc:CipherValue>
    77Ybo3C32JckPMD+lxm9t7KKxfQjMT8ojczrDs0i
    HsxJ3Q6i3B04RAGrOivLfqMYzYP4lZXsM2lF8cUs
    aVOTY9KqsJjpOBwyk37n9tw7pV6E3SXkHtXx92xl
    5AqmjPeBdDI/syrIjgE1bpbn5sX5PpNoOmAbYSV2
    . . .
    Wvl2o5ABIqvToMV1bp16Ns1ImSgxuB074kmAvAUx
    b/LXPXq1Gwcz2YtyaHMYSUvzzzYRuDH9qu0R6748
    B/C1if4MeXHUqMPYaEQ+dhuzoVUMuy7/kQVP5ckb
    B0asMSqIiJp5B4vecBe/aGQo9AYNEwPv4xAB5cvr
    PBEG4TCFtSVyJkn2LcdwNzqmNqIewGMxawwUPgxe
    D2w==
  </enc:CipherValue>
</enc:CipherData>

The encrypted message
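The three SAML Encryption slides above describe the envelope a relying party receives: an EncryptedData element naming the data algorithm, an EncryptedKey naming the key-transport algorithm, the RSA-wrapped transient key, and the AES-wrapped assertion. The example below is added here and is not code from the talk or from Microsoft's .NET 3.0 token-processing classes; it shows the policy check a relying party should run over that envelope before touching any key material: allow only the algorithms it expects, and read the RSA modulus size off the wrapped-key ciphertext (an RSA-OAEP ciphertext is exactly one modulus long). The EncryptedKey CipherValue is the one shown on the slide; the envelope structure around it and the placeholder data ciphertext (48 zero bytes) are constructed for the example. Decoding the slide's value gives 128 bytes, i.e. a 1024-bit recipient key, which is why the default 2048-bit minimum rejects it.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithms this relying party is willing to accept: exactly the ones the
# slides show. Anything else is refused before decryption is attempted.
ALLOWED_DATA_ALGORITHMS = frozenset({XENC + "aes256-cbc"})
ALLOWED_KEY_TRANSPORT_ALGORITHMS = frozenset({XENC + "rsa-oaep-mgf1p"})

# Transient-key ciphertext exactly as printed on the slide (line breaks removed).
SLIDE_ENCRYPTED_KEY = (
    "1dYJm11Qw2UDKuS7OsjY23k+vX4l5nHkKUC71ev7"
    "jtDUC0dFn1mcWunmGV272bpXGHeyWIviv2Salkxj"
    "XErXBwO3hq9/dNyDfY7VvLRi5rOvn1Szgb71d0Xg"
    "rKCvnUljhy9bSssSxtYgr4YOTkUV894z0yXS9omK"
    "S0XNtm/dzr4="
)

# Constructed envelope: the slide elides the real encrypted assertion, so the
# data CipherValue is a placeholder of 48 zero bytes (IV + two AES blocks).
SAMPLE_ENVELOPE = """<enc:EncryptedData xmlns:enc="{xenc}" xmlns:e="{xenc}" xmlns:ds="{ds}" Type="{xenc}Element">
  <enc:EncryptionMethod Algorithm="{xenc}aes256-cbc" />
  <ds:KeyInfo>
    <e:EncryptedKey>
      <e:EncryptionMethod Algorithm="{xenc}rsa-oaep-mgf1p" />
      <e:CipherData>
        <e:CipherValue>{key_ct}</e:CipherValue>
      </e:CipherData>
    </e:EncryptedKey>
  </ds:KeyInfo>
  <enc:CipherData>
    <enc:CipherValue>{data_ct}</enc:CipherValue>
  </enc:CipherData>
</enc:EncryptedData>
""".format(xenc=XENC, ds=DS, key_ct=SLIDE_ENCRYPTED_KEY, data_ct="A" * 64)


def _child(parent, path, what):
    """Find a required element; a missing element is a malformed envelope, never a default."""
    node = parent.find(path)
    if node is None:
        raise ValueError(f"envelope is missing {what}")
    return node


def inspect_envelope(xml_text, min_modulus_bits=2048):
    """Check the envelope's algorithms and sizes against policy; raise ValueError otherwise.

    Returns a summary dict. Actual decryption (unwrap the transient key with the
    RP's SSL private key, then AES-CBC decrypt the assertion) is the next step
    and is not performed here, since the example has no key material.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError("root element is not xenc:EncryptedData")

    data_alg = _child(root, f"{{{XENC}}}EncryptionMethod", "data EncryptionMethod").get("Algorithm")
    if data_alg not in ALLOWED_DATA_ALGORITHMS:
        raise ValueError(f"data encryption algorithm not allowed: {data_alg}")

    enc_key = _child(root, f"{{{DS}}}KeyInfo/{{{XENC}}}EncryptedKey", "EncryptedKey")
    key_alg = _child(enc_key, f"{{{XENC}}}EncryptionMethod", "key EncryptionMethod").get("Algorithm")
    if key_alg not in ALLOWED_KEY_TRANSPORT_ALGORITHMS:
        raise ValueError(f"key transport algorithm not allowed: {key_alg}")

    key_value = _child(enc_key, f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue", "key CipherValue")
    key_ct = base64.b64decode(key_value.text or "")
    # RSA-OAEP output is one modulus long, so the ciphertext length reveals the
    # size of the recipient certificate's key.
    modulus_bits = len(key_ct) * 8
    if modulus_bits < min_modulus_bits:
        raise ValueError(f"recipient RSA modulus is {modulus_bits} bits, below the {min_modulus_bits}-bit minimum")

    data_value = _child(root, f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue", "data CipherValue")
    data_ct = base64.b64decode(data_value.text or "")
    # XML Encryption prepends the IV to CBC ciphertext: at least IV + one block, whole blocks only.
    if len(data_ct) < 32 or len(data_ct) % 16:
        raise ValueError(f"data ciphertext length {len(data_ct)} is not an IV plus whole AES blocks")

    return {
        "data_algorithm": data_alg,
        "key_transport_algorithm": key_alg,
        "rsa_modulus_bits": modulus_bits,
        "data_ciphertext_len": len(data_ct),
    }


def envelope_rejected(xml_text, **policy):
    """True if inspect_envelope refuses the envelope under the given policy."""
    try:
        inspect_envelope(xml_text, **policy)
    except ValueError:
        return True
    return False
```

The allowlist matters more than it looks: XML Encryption lets the sender name the algorithm, so a relying party that simply honours whatever EncryptionMethod arrives can be steered onto a weaker cipher or an older RSA padding; pinning the two identifiers the slides show, and a minimum modulus size, closes that off before any decryption happens.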

The unencrypted message


<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="uuid:ba02cd5d-2652-4fbd-902a-6f92e8300e6f"
    Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2007-02-01T10:50:06.468Z">

Assertion Header

The unencrypted message


<saml:Conditions NotBefore="2007-02-01T10:50:06.468Z" NotOnOrAfter="2007-02-01T11:50:06.468Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>https://www.fabrikam.com/Demos/Reading/signin4.html</saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>

Time constraints. Audience: the requesting page.


The unencrypted message


<saml:Attribute AttributeName="givenname"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>Barry</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="privatepersonalidentifier"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=</saml:AttributeValue>
</saml:Attribute>

Claims
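The three "unencrypted message" slides show what the relying party holds after decryption: the assertion header, its Conditions (time window and audience), and the attribute claims. The example below is added here and is not code from the talk or from the .NET 3.0 classes it mentions; it performs the checks a relying party must make on that decrypted assertion before trusting the claims: SAML 1.1 version, a trusted issuer, the NotBefore/NotOnOrAfter window with a small clock-skew allowance, and an audience equal to the requesting page, then flattens the attributes into a claim dictionary keyed by namespace/name. The sample assertion is reassembled from the slides' own fragments (the AttributeStatement wrapper is assumed, since the slides do not show it); signature verification is assumed to have been done already and is not repeated here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertions keep the 1.0 namespace
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
AUDIENCE = "https://www.fabrikam.com/Demos/Reading/signin4.html"

# Reassembled from the slides' fragments; the AttributeStatement wrapper is assumed.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid:ba02cd5d-2652-4fbd-902a-6f92e8300e6f"
    Issuer="{SELF_ISSUER}" IssueInstant="2007-02-01T10:50:06.468Z">
  <saml:Conditions NotBefore="2007-02-01T10:50:06.468Z" NotOnOrAfter="2007-02-01T11:50:06.468Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Barry</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(value):
    """Parse an xsd:dateTime in UTC (with or without fractional seconds); accept datetimes as-is."""
    if isinstance(value, datetime):
        return value
    if value is None:
        raise ValueError("required timestamp is missing")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {value!r}")


def validate_assertion(xml_text, expected_audience, now,
                       allowed_issuers=frozenset({SELF_ISSUER}),
                       clock_skew=timedelta(minutes=2)):
    """Check version, issuer, validity window and audience; return id, issuer and claims."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unexpected SAML version")
    issuer = root.get("Issuer")
    if issuer not in allowed_issuers:
        raise ValueError(f"issuer not trusted: {issuer}")

    conditions = root.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        raise ValueError("assertion has no Conditions; refusing an unbounded token")
    now = _utc(now)
    # Both bounds are required here: an assertion with no expiry is never accepted.
    if now + clock_skew < _utc(conditions.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - clock_skew >= _utc(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # The audience must be this RP's requesting page, exactly as the slide says.
    audiences = [(a.text or "").strip() for a in conditions.iter(f"{{{SAML}}}Audience")]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")

    claims = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        uri = f'{attr.get("AttributeNamespace", "").rstrip("/")}/{attr.get("AttributeName", "")}'
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        claims[uri] = values[0] if len(values) == 1 else values

    # The PPID on the slide decodes to 32 bytes; reject anything that is not that shape.
    ppid = claims.get(f"{CLAIMS}/privatepersonalidentifier")
    if ppid is not None and len(base64.b64decode(ppid, validate=True)) != 32:
        raise ValueError("PPID is not a 32-byte value")
    return {"assertion_id": root.get("AssertionID"), "issuer": issuer, "claims": claims}


def assertion_rejected(xml_text, expected_audience, now):
    """True if validate_assertion refuses the assertion for that audience at that time."""
    try:
        validate_assertion(xml_text, expected_audience, now)
    except ValueError:
        return True
    return False
```

Passing `now` explicitly, rather than reading the clock inside the function, is what makes the window checks testable against the 2007 timestamps on the slides; in production the caller supplies the current UTC time. The audience check is the defence against a token issued for one site being replayed at another, which is also why each RP gets its own signing key for self-issued cards.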

Claims (1/4)
Anonymous, Authentication, AuthorizationDecision, Country, DateOfBirth, Dns, Email, Gender

Claims (2/4)
GivenName, Hash, HomePhone, Locality, MobilePhone, Name, NameIdentifier, OtherPhone

Claims (3/4)
PostalCode, PPID, RSA, SID, SPN, StateOrProvince, StreetAddress, Surname

Claims (4/4)
System, Thumbprint, Upn, URI, WebPage, X500DistinguishedName

Want to be an identity provider?


- EV SSL certificate
- Security Token Service and policy
- Information card creation and provisioning

Things to consider
- Self-signed cards should be verified by other means.
- How do you measure trust of managed cards?
- Branding is coming.

Supported Platforms
- Vista, XP, and W2K3
- IE7 only
- NTFS
- It's all WS-*; the platform should not matter.
- OSIS: open-source initiative to create an identity selector that runs on multiple platforms. http://osis.netmesh.org/wiki/Main_Page

Conclusion
Now, with the debut of the InfoCard identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.
Lawrence Lessig, Wired Magazine, March 2006.

Further Reading
http://cardspace.netfx3.com  Microsoft reference site
http://www.identityblog.com/  Kim Cameron (with PHP sample code)
http://www.perpetual-motion.com/  Firefox CardSpace extension
https://infocard.pingidentity.com/cardspace/  Java CardSpace implementations
