8/3/2019 An Introduction to CardSpace
An Introduction to CardSpace
Barry Dorrans, Charteris plc
http://idunno.org/
http://www.charteris.com/
The Laws of Identity
User Control and Consent
Minimal Disclosure for a constrained use
Justifiable parties
Directed Identity
Pluralism of operators and technologies
Human integration
Consistent experience across contexts
What is CardSpace?
Windows CardSpace is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way.
http://cardspace.netfx3.com/content/introduction.aspx
.NET 3.0 Subsystems
CardSpace is not Passport
The client software is an identity selector
The user chooses what information is sent to a requesting web site
An issuing server is an identity provider
Identifiable information is held on the user's PC or at the identity provider
Developed by Kim Cameron, MS
Championed by external thought leaders like Doc Searls & Lawrence Lessig
Information Cards
Personal (self-issued): phone book information
Managed: sourced from a 3rd party authority; users cannot edit claims
Can be protected by various means (username/password, Kerberos, smart card etc.)
The Identity Selector
Easier: no usernames, no passwords
Consistent: same UI
Safer: avoids phishing, multi-factor authentication
The typical logon process
Login to identity provider
Token issued to client
Token sent to service provider
Token validated with identity provider
Output sent to client
The CardSpace logon process
Service Provider Requests Identity
CardSpace Identity Selector pops up
Token is built by Identity Selector(with Identity Provider)
Token sent to client
Output sent to client
CardSpace versus OpenID
CardSpace versus OpenID/Passport

CardSpace                                                | OpenID
---------------------------------------------------------|------------------------------------------------
Client-side prompt (IE support / Firefox community code) | HTML form
Common user experience                                   | Experience varies between identity providers
Simpler login                                            | Redirection / site bounce
Requires EV SSL                                          | No SSL required

Firefox community code: http://www.codeplex.com/IdentitySelector
The OpenID login process
Phishers versus OpenID/Passport
CardSpace with OpenID
Hello Cardspace
Hello Cardspace
Can also use the binary behaviour
Unmanaged API via icardie.dll: GetToken() and GetBrowserToken()
CardSpace Security
All communications are secured
Data is encrypted in memory until use
The card store is double encrypted and ACLed
The resource provider can be concealed from the identity provider
The signing key for self-issued tokens varies for each RP
Users can protect cards with a PIN
CardSpace runs on a private Windows desktop, like UAC in Vista
Extended Validation SSL
Phishing toolbars can get it wrong
SAML
Security Assertion Markup Language.
Open standard http://www.oasis-open.org/.
Single sign on.
Assertion based.
Think locally, act globally.
CardSpace uses the SAML 2.0 ECP Profile (Enhanced Client or Proxy).
SAML Encryption
Token is encrypted using WS-Security
.NET 3.0 provides classes to
Decrypt
Convert to SAML claims
SAML Encryption
Shows the token has been encrypted with the AES-256 CBC symmetric algorithm.
Both originator and recipient share the key.
SAML Encryption
Shows the symmetric key is being conveyed via RSA-OAEP-MGF1P (both an encoding method and an algorithm).
The sender has made up a transient key (AES) and encrypted the transient key with the recipient's SSL public key.
SAML Encryption
1dYJm11Qw2UDKuS7OsjY23k+vX4l5nHkKUC71ev7jtDUC0dFn1mcWunmGV272bpXGHeyWIviv2SalkxjXErXBwO3hq9/dNyDfY7VvLRi5rOvn1Szgb71d0XgrKCvnUljhy9bSssSxtYgr4YOTkUV894z0yXS9omKS0XNtm/dzr4=
The encrypted transient key
SAML Encryption
77Ybo3C32JckPMD+lxm9t7KKxfQjMT8ojczrDs0iHsxJ3Q6i3B04RAGrOivLfqMYzYP4lZXsM2lF8cUsaVOTY9KqsJjpOBwyk37n9tw7pV6E3SXkHtXx92xl5AqmjPeBdDI/syrIjgE1bpbn5sX5PpNoOmAbYSV2...Wvl2o5ABIqvToMV1bp16Ns1ImSgxuB074kmAvAUxb/LXPXq1Gwcz2YtyaHMYSUvzzzYRuDH9qu0R6748B/C1if4MeXHUqMPYaEQ+dhuzoVUMuy7/kQVP5ckbB0asMSqIiJp5B4vecBe/aGQo9AYNEwPv4xAB5cvrPBEG4TCFtSVyJkn2LcdwNzqmNqIewGMxawwUPgxeD2w==
The encrypted message
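The three "SAML Encryption" slides describe a hybrid envelope: a freshly generated AES-256 key encrypts the token in CBC mode, and that transient key is itself encrypted to the relying party's SSL public key with RSA-OAEP (SHA-1 with MGF1, which is what the RSA-OAEP-MGF1P identifier denotes). The following is an added example of that envelope written with the Go standard library; it is not code from the slides or from Windows CardSpace, which uses the .NET 3.0 classes. The type and function names, the PKCS#7 padding (whose output XML Encryption's last-byte padding rule accepts), the 2048-bit RP key and the sample token body are all this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// EncryptedToken mirrors the two pieces the slides point at in the
// WS-Security-protected token: the transient AES key wrapped for the relying
// party (RSA-OAEP-MGF1P) and the assertion body encrypted under that key
// (AES-256-CBC). Field names are this example's own, not XML Encryption's.
type EncryptedToken struct {
	EncryptedKey []byte // RSA-OAEP ciphertext of the 32-byte transient key
	IV           []byte // 16-byte CBC initialisation vector
	CipherText   []byte // AES-256-CBC ciphertext, PKCS#7-padded
}

// pkcs7Pad pads to a whole number of AES blocks.
func pkcs7Pad(in []byte) []byte {
	n := aes.BlockSize - len(in)%aes.BlockSize
	return append(in, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding, rejecting impossible pad lengths.
func pkcs7Unpad(in []byte) ([]byte, error) {
	if len(in) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(in[len(in)-1])
	if n == 0 || n > aes.BlockSize || n > len(in) {
		return nil, errors.New("bad padding")
	}
	return in[:len(in)-n], nil
}

// Seal is the identity selector's side: invent a transient AES-256 key, encrypt
// the token with it in CBC mode, and wrap the key with the relying party's RSA
// public key (the one in its SSL certificate) using OAEP with SHA-1 and MGF1.
func Seal(rpPub *rsa.PublicKey, token []byte) (*EncryptedToken, error) {
	key := make([]byte, 32) // 256-bit transient key, never reused
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, rpPub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(token)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return &EncryptedToken{EncryptedKey: wrapped, IV: iv, CipherText: ct}, nil
}

// Open is the relying party's side: unwrap the transient key with the private
// key behind the SSL certificate, then decrypt the body. CBC provides no
// integrity, so the signature on the SAML assertion inside must still be
// verified before any claim is trusted.
func Open(rpPriv *rsa.PrivateKey, et *EncryptedToken) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, rpPriv, et.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap transient key: %w", err)
	}
	if len(key) != 32 {
		return nil, errors.New("transient key is not 256 bits")
	}
	if len(et.IV) != aes.BlockSize || len(et.CipherText) == 0 || len(et.CipherText)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(et.CipherText))
	cipher.NewCBCDecrypter(block, et.IV).CryptBlocks(pt, et.CipherText)
	return pkcs7Unpad(pt)
}

// GenerateRPKey stands in for the relying party's SSL key pair (constructed for
// this example; a real RP loads the key that backs its EV certificate).
func GenerateRPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	rp, err := GenerateRPKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the signed SAML assertion the selector would emit.
	token := []byte(`<saml:Assertion MajorVersion="1" MinorVersion="1">sample</saml:Assertion>`)
	et, err := Seal(&rp.PublicKey, token)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, body: %d bytes\n", len(et.EncryptedKey), len(et.CipherText))
	pt, err := Open(rp, et)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

Because the OAEP ciphertext is exactly the RSA modulus size, the length of the wrapped key on the wire reveals the relying party's key size; the CipherValue for the transient key on the slide is shorter than the one this example produces with a 2048-bit key.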
The unencrypted message
Assertion header
Issuer: http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self
The unencrypted message
Audience: https://www.fabrikam.com/Demos/Reading/signin4.html (the requesting page)
Time constraints
The unencrypted message
Audience: https://www.fabrikam.com/Demos/Reading/signin4.html (the requesting page)
Claims
The unencrypted message
Claims (values shown): Barry
wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=
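The decrypted message slides point at the fields a relying party has to check before it acts on the claims: the issuer, the time constraints, the audience (which must be the requesting page) and the claim set. The following is an added example in Go of that relying-party validation step, not code from the slides or from CardSpace; it assumes the XML has already been parsed and the assertion signature verified, and it uses the claim type URIs from the WS-* identity schema that the slides' claims list corresponds to. The policy structure, error values and sample assertion are this example's own, and assigning the slide's values "Barry" and "wL6X..." to the GivenName and PPID claim types is an assumption made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Issuer URI from the decrypted header and two claim type URIs from the same
// schema namespace.
const (
	IssuerSelf     = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
	ClaimGivenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
	ClaimPPID      = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"
)

// Assertion holds the parts of the decrypted token the slides highlight.
type Assertion struct {
	Issuer       string
	NotBefore    time.Time
	NotOnOrAfter time.Time
	Audience     string
	Claims       map[string]string // claim type URI -> value
}

var (
	ErrAudience = errors.New("audience does not match this relying party")
	ErrNotYet   = errors.New("assertion not yet valid")
	ErrExpired  = errors.New("assertion expired")
	ErrIssuer   = errors.New("issuer not trusted")
	ErrNoPPID   = errors.New("self-issued card without PPID")
)

// Policy is what the relying party checks every token against.
type Policy struct {
	Audience       string          // the requesting page, exactly as sent in the request
	TrustedIssuers map[string]bool // managed-card issuers this RP trusts
	ClockSkew      time.Duration   // tolerance for clock drift between selector and RP
}

// Validate applies the audience, time and issuer checks. Self-issued cards are
// accepted but, because their claims are whatever the user typed, the PPID is
// required: together with the per-RP signing key it is the only reliable
// handle on a returning user.
func (p Policy) Validate(a Assertion, now time.Time) error {
	if a.Audience != p.Audience {
		return ErrAudience
	}
	if now.Add(p.ClockSkew).Before(a.NotBefore) {
		return ErrNotYet
	}
	if !now.Add(-p.ClockSkew).Before(a.NotOnOrAfter) {
		return ErrExpired
	}
	switch {
	case a.Issuer == IssuerSelf:
		if a.Claims[ClaimPPID] == "" {
			return ErrNoPPID
		}
	case p.TrustedIssuers[a.Issuer]:
		// managed card from an issuer the RP has chosen to trust
	default:
		return ErrIssuer
	}
	return nil
}

// sampleAssertion is a constructed token modelled on the decrypted message in
// the slides; the claim-type assignment of the two values is an assumption.
func sampleAssertion(issued time.Time) Assertion {
	return Assertion{
		Issuer:       IssuerSelf,
		NotBefore:    issued,
		NotOnOrAfter: issued.Add(5 * time.Minute),
		Audience:     "https://www.fabrikam.com/Demos/Reading/signin4.html",
		Claims: map[string]string{
			ClaimGivenName: "Barry",
			ClaimPPID:      "wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=",
		},
	}
}

func main() {
	p := Policy{
		Audience:  "https://www.fabrikam.com/Demos/Reading/signin4.html",
		ClockSkew: 2 * time.Minute,
	}
	issued := time.Now()
	a := sampleAssertion(issued)
	fmt.Println("fresh token:", p.Validate(a, issued.Add(time.Minute)))
	fmt.Println("stale token:", p.Validate(a, issued.Add(time.Hour)))
	a.Audience = "https://www.fabrikam.com/Demos/Reading/other.html"
	fmt.Println("replayed to another page:", p.Validate(a, issued))
}
```

The audience comparison is exact on purpose: a token issued for one page of a site is not accepted by another, which is what stops a captured token being replayed against a different relying party.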
Claims (1/4)
Anonymous
Authentication
AuthorizationDecision
Country
DateOfBirth
Dns
Email
Gender
Claims (2/4)
GivenName
Hash
HomePhone
Locality
MobilePhone
Name
NameIdentifier
OtherPhone
Claims (3/4)
PostalCode
PPID
RSA
SID
SPN
StateOrProvince
StreetAddress
Surname
Claims (4/4)
System
Thumbprint
Upn
URI
WebPage
X500DistinguishedName
Want to be an identity provider?
EV SSL certificate
Security Token Service and policy
Information Card creation and provisioning
Things to consider
Self-signed cards should be verified by other means.
How do you measure trust of managed cards?
Branding is coming
Supported Platforms
Vista, XP, and W2K3.
IE7
Only NTFS
It's all WS-*; the platform should not matter.
OSIS: open-source initiative to create an Identity Selector that runs on multiple platforms.
http://osis.netmesh.org/wiki/Main_Page
Conclusion
"Now, with the debut of the InfoCard identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography."
Lawrence Lessig, Wired Magazine, March 2006.
Further Reading
http://cardspace.netfx3.com - Microsoft reference site
http://www.identityblog.com/ - Kim Cameron (with PHP sample code)
http://www.perpetual-motion.com/ - Firefox CardSpace extension
https://infocard.pingidentity.com/cardspace/ - Java CardSpace implementations