An Introduction to CardSpace
Barry Dorrans
Charteris plc
barryd@idunno.org
http://idunno.org
http://www.charteris.com/
The Laws of Identity
• User Control and Consent
• Minimal Disclosure for a constrained use
• Justifiable parties
• Directed Identity
• Pluralism of operators and technologies
• Human integration
• Consistent experience across contexts
What is CardSpace?
• http://cardspace.netfx3.com/
Windows CardSpace is a piece of client software
that enables users to provide their digital
identity to online services in a simple, secure
and trusted way.
.NET 3.0 Subsystems
CardSpace is not Passport
• The client software is an “identity selector”
• The user chooses what information is sent to a
requesting web site.
• An issuing server is an “identity provider”
• Identifiable information is held on the user’s PC
or the identity provider.
• Developed by Kim Cameron, MS
• Championed by external “thought leaders” like
Doc Searls & Lawrence Lessig
Information Cards
• Personal (self-issued)
  ▫ "Phone book" information, entered by the user
• Managed
  ▫ Sourced from a third-party "authority" (the identity provider)
  ▫ Users cannot edit claims
  ▫ Can be protected by various means (username/password, Kerberos, smart card, etc.)
The Identity Selector
• Easier: no usernames, no passwords
• Safer: avoids phishing, multi-factor authentication
• Consistent: the same UI at every site
The typical logon process
1. Log in to the identity provider
2. Token issued to the client
3. Token sent to the service provider
4. Token validated with the identity provider
5. Output sent to the client
The CardSpace logon process
1. Service provider requests identity
2. CardSpace identity selector pops up
3. Token is built by the identity selector (with the identity provider)
4. Token sent to the client, which submits it to the service provider
5. Output sent to the client
There is no call back to the identity provider: the service provider checks the token's signature and conditions itself.
CardSpace versus OpenID/Passport

                   CardSpace                                   OpenID
Prompt             Client-side identity selector               HTML form
                   (IE support, Firefox community code)
User experience    Common across all identity providers        Varies between identity providers
Login              Simpler                                     Redirection / site bounce
SSL                Requires an SSL certificate at the site     No SSL required
                   (EV recommended, see below)
The OpenID login process
Phishers versus OpenID/Passport
CardSpace with OpenID
“Hello Cardspace”
<object type="application/x-informationcard" name="xmlToken">
  <param name="tokenType"
         value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims"
         value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
The object element sits inside a form; when the form is submitted, the encrypted token is posted to the site in the xmlToken field.
“Hello Cardspace”
• Can also be invoked as an IE binary behaviour
• Unmanaged API via icardie.dll: GetToken() and GetBrowserToken()
CardSpace Security
• All communication is encrypted in transit
• Data is encrypted in memory until use
• The card store is double encrypted and ACLed
• The relying party (the site being logged into) can be concealed from the identity provider
• The signing key for self-issued tokens varies for each relying party (RP)
• Users can protect cards with a PIN
• CardSpace runs on a private Windows desktop, like UAC in Vista
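The last three bullets rest on one property: a self-issued card yields a different signing key and a different PPID at every relying party, so two sites (or a phishing site with a different certificate identity) cannot link the same card. The following is an added example, not code from the slides or from CardSpace: the real selector derives these values from the card's secret and the RP's certificate identity as specified in the Identity Selector Interoperability Profile, whereas the HMAC-SHA256 derivation below, the constructed master key and the plain-string RP identifier are assumptions standing in for that specification.

```python
"""Per-relying-party identifiers for a self-issued card (illustrative).

Added example, not CardSpace's own derivation.  The HMAC-SHA256 scheme
and the rp_id string are assumptions; CardSpace derives the PPID and the
per-RP key from the card secret and the RP's certificate identity as laid
down in the Identity Selector Interoperability Profile.
"""
import base64
import hashlib
import hmac

# Constructed card secret.  A real selector generates this randomly when
# the personal card is created and never lets it leave the card store.
CARD_MASTER_KEY = bytes.fromhex(
    "6f1c0d9a2b4e7c8851a3f0e2d4b6c8a00f1e2d3c4b5a69788796a5b4c3d2e1f0")


def rp_secret(master_key, rp_id):
    """Per-RP secret: HMAC of the RP's identity under the card's master key.

    rp_id is whatever string identifies the relying party to the selector
    (assumed here; CardSpace takes it from the site's SSL certificate).
    """
    return hmac.new(master_key, rp_id.encode("utf-8"), hashlib.sha256).digest()


def ppid(master_key, rp_id):
    """Base64 value for the privatepersonalidentifier claim sent to rp_id."""
    digest = hashlib.sha256(b"ppid\x00" + rp_secret(master_key, rp_id)).digest()
    return base64.b64encode(digest).decode("ascii")


def signing_key_seed(master_key, rp_id):
    """Seed for the per-RP token signing key.

    A real selector expands this into an RSA key pair; the RP learns only
    the public half, which therefore also differs from site to site.
    """
    return hashlib.sha256(b"sign\x00" + rp_secret(master_key, rp_id)).digest()


def unlinkable(master_key, rp_a, rp_b):
    """True when rp_a and rp_b receive different identifiers and keys."""
    return (ppid(master_key, rp_a) != ppid(master_key, rp_b)
            and signing_key_seed(master_key, rp_a) != signing_key_seed(master_key, rp_b))


if __name__ == "__main__":
    real = "O=Fabrikam, L=Redmond, S=WA, C=US"
    lookalike = "O=Fabrikam Inc, L=Moscow, C=RU"   # a phishing site's cert identity
    print("PPID at the real site:    ", ppid(CARD_MASTER_KEY, real))
    print("PPID at the lookalike:    ", ppid(CARD_MASTER_KEY, lookalike))
    print("unlinkable:", unlinkable(CARD_MASTER_KEY, real, lookalike))
```

Because the identifier is a one-way function of the card secret and the site's identity, a PPID captured by a phishing site is simply not the PPID the real site knows, and no site can recover the card secret from what it receives.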
Extended Validation SSL
Phishing toolbars can get it wrong
SAML
• Security Assertion Markup Language
• Open standard from OASIS: http://www.oasis-open.org/
• Single sign-on
• Assertion based
• "Think locally, act globally"
• The identity selector plays the part of the SAML 2.0 ECP ("Enhanced Client or Proxy") profile: the client obtains the token from the identity provider and delivers it to the relying party itself, rather than being bounced between the two by browser redirects. The self-issued tokens themselves are SAML 1.1 assertions (see the unencrypted message below).
SAML Encryption
• The token is encrypted using XML Encryption, as profiled by WS-Security
• .NET 3.0 provides classes to
▫ Decrypt the token
▫ Convert it to SAML claims
SAML Encryption
<enc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/
xmlenc#aes256-cbc" />
• Shows the token has been encrypted with
AES256 CBC
• Symmetric Algorithm
• Both originator and recipient share the key
SAML Encryption
<e:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/
xmlenc#rsa-oaep-mgf1p">
• Shows the symmetric key is being conveyed under RSA-OAEP with MGF1 (the URI names both the padding scheme and the algorithm)
• The sender has made up a transient (one-off) AES key
• and encrypted that transient key with the public key from the recipient's SSL certificate
SAML Encryption
<e:CipherValue>
1dYJm11Qw2UDKuS7OsjY23k+vX4l5nHkKUC71ev7
jtDUC0dFn1mcWunmGV272bpXGHeyWIviv2Salkxj
XErXBwO3hq9/dNyDfY7VvLRi5rOvn1Szgb71d0Xg
rKCvnUljhy9bSssSxtYgr4YOTkUV894z0yXS9omK
S0XNtm/dzr4= </e:CipherValue>
• The encrypted transient key
SAML Encryption
<enc:CipherData>
<enc:CipherValue>
77Ybo3C32JckPMD+lxm9t7KKxfQjMT8ojczrDs0i
HsxJ3Q6i3B04RAGrOivLfqMYzYP4lZXsM2lF8cUs
aVOTY9KqsJjpOBwyk37n9tw7pV6E3SXkHtXx92xl
5AqmjPeBdDI/syrIjgE1bpbn5sX5PpNoOmAbYSV2
. . .
Wvl2o5ABIqvToMV1bp16Ns1ImSgxuB074kmAvAUx
b/LXPXq1Gwcz2YtyaHMYSUvzzzYRuDH9qu0R6748
B/C1if4MeXHUqMPYaEQ+dhuzoVUMuy7/kQVP5ckb
B0asMSqIiJp5B4vecBe/aGQo9AYNEwPv4xAB5cvr
PBEG4TCFtSVyJkn2LcdwNzqmNqIewGMxawwUPgxeD2w==
</enc:CipherValue>
</enc:CipherData>
• The encrypted message
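The four SAML Encryption slides above describe one structure: an outer EncryptedData element naming the symmetric algorithm, an EncryptedKey inside its KeyInfo naming the key transport, and two CipherValue elements. Before a relying party hands anything to its private key it should read that structure and refuse unexpected algorithms. The following is an added example, not code from the slides or from .NET: it parses an envelope with the layout quoted above, using constructed placeholder cipher bytes rather than a real token, and applies the checks a decryptor should run first. No decryption is performed.

```python
"""Parse and sanity-check the XML Encryption envelope around a CardSpace token.

Added example, not from the original slides.  The element layout follows
the fragments quoted above; the cipher bytes are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
AES_BLOCK = 16

# Algorithms the relying party is willing to decrypt with.  rsa-1_5
# (PKCS#1 v1.5 key transport) is deliberately absent: it is open to
# Bleichenbacher-style padding-oracle attacks, and a decryptor that accepts
# both it and OAEP for the same key can be attacked through the weaker one.
ALLOWED_DATA_ALGS = {XENC + "aes256-cbc"}
ALLOWED_KEY_ALGS = {XENC + "rsa-oaep-mgf1p"}

# Constructed stand-ins: 256 bytes for a key wrapped under RSA-2048,
# 64 bytes (16-byte IV followed by 48 bytes) for the AES-CBC ciphertext.
_FAKE_WRAPPED_KEY = base64.b64encode(bytes(range(256))).decode("ascii")
_FAKE_CIPHERTEXT = base64.b64encode(bytes([0xAB]) * 64).decode("ascii")

SAMPLE_TOKEN = f"""<enc:EncryptedData xmlns:enc="{XENC}" Type="{XENC}Element">
  <enc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
  <KeyInfo xmlns="{DSIG}">
    <e:EncryptedKey xmlns:e="{XENC}">
      <e:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p">
        <DigestMethod Algorithm="{DSIG}sha1"/>
      </e:EncryptionMethod>
      <e:CipherData><e:CipherValue>{_FAKE_WRAPPED_KEY}</e:CipherValue></e:CipherData>
    </e:EncryptedKey>
  </KeyInfo>
  <enc:CipherData><enc:CipherValue>{_FAKE_CIPHERTEXT}</enc:CipherValue></enc:CipherData>
</enc:EncryptedData>"""

# The same envelope with key transport downgraded to PKCS#1 v1.5.
WEAK_TOKEN = SAMPLE_TOKEN.replace("rsa-oaep-mgf1p", "rsa-1_5")


def _b64(element):
    """Decode a CipherValue, tolerating the line breaks seen on the slides."""
    return base64.b64decode("".join(element.text.split()))


def parse_envelope(xml_text):
    """Return the algorithms and raw bytes named in the envelope."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EncryptedData" % XENC:
        raise ValueError("not an xmlenc EncryptedData element")
    enc_key = root.find("{%s}KeyInfo/{%s}EncryptedKey" % (DSIG, XENC))
    if enc_key is None:
        raise ValueError("no EncryptedKey inside KeyInfo")
    body = _b64(root.find("{%s}CipherData/{%s}CipherValue" % (XENC, XENC)))
    return {
        "data_algorithm": root.find("{%s}EncryptionMethod" % XENC).get("Algorithm"),
        "key_algorithm": enc_key.find("{%s}EncryptionMethod" % XENC).get("Algorithm"),
        "wrapped_key": _b64(enc_key.find("{%s}CipherData/{%s}CipherValue" % (XENC, XENC))),
        # XML Encryption prepends the CBC IV to the ciphertext.
        "iv": body[:AES_BLOCK],
        "ciphertext": body[AES_BLOCK:],
    }


def check_envelope(info, rsa_modulus_bytes=256):
    """Refuse anything a decryptor should not touch with its private key."""
    if info["data_algorithm"] not in ALLOWED_DATA_ALGS:
        raise ValueError("unsupported data algorithm " + str(info["data_algorithm"]))
    if info["key_algorithm"] not in ALLOWED_KEY_ALGS:
        raise ValueError("unsupported key transport " + str(info["key_algorithm"]))
    if len(info["wrapped_key"]) != rsa_modulus_bytes:
        raise ValueError("wrapped key length does not match the recipient's RSA key")
    if (len(info["iv"]) != AES_BLOCK or not info["ciphertext"]
            or len(info["ciphertext"]) % AES_BLOCK):
        raise ValueError("ciphertext is not an IV plus whole AES blocks")
    return True


def accepts(xml_text, rsa_modulus_bytes=256):
    """True when the envelope passes every check above."""
    try:
        return check_envelope(parse_envelope(xml_text), rsa_modulus_bytes)
    except (ValueError, AttributeError, ET.ParseError):
        return False


if __name__ == "__main__":
    print("sample accepted:", accepts(SAMPLE_TOKEN))
    print("rsa-1_5 variant accepted:", accepts(WEAK_TOKEN))
```

Only after these checks should the wrapped key be unwrapped with the site's SSL private key and the body decrypted; the decrypted assertion then still needs its signature verified and its Conditions enforced.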
The unencrypted message
<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="uuid:ba02cd5d-2652-4fbd-902a-6f92e8300e6f"
    Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
    IssueInstant="2007-02-01T10:50:06.468Z">
• Assertion header: a SAML 1.1 assertion; the issuer URI ending in /issuer/self marks a self-issued card
The unencrypted message
<saml:Conditions NotBefore="2007-02-01T10:50:06.468Z"
                 NotOnOrAfter="2007-02-01T11:50:06.468Z">
  <saml:AudienceRestrictionCondition>
    <saml:Audience>
      https://www.fabrikam.com/Demos/Reading/signin4.html
    </saml:Audience>
  </saml:AudienceRestrictionCondition>
</saml:Conditions>
• Time constraints: a one-hour validity window
• Audience: the requesting page; the relying party must check that this is its own URL before accepting the token
The unencrypted message
<saml:Attribute AttributeName="givenname"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>Barry</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="privatepersonalidentifier"
    AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <saml:AttributeValue>wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=</saml:AttributeValue>
</saml:Attribute>
• Claims: one saml:Attribute per requested claim, identified by namespace plus name
• The privatepersonalidentifier (PPID) is a base64-encoded value that differs for every relying party, so two sites cannot correlate the same card
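Putting the three unencrypted-message slides together, the relying party's job once the token is decrypted and its signature verified is to enforce the header and Conditions and then pull out the claims it asked for. The following is an added example, not code from the slides or from .NET: it validates an assertion assembled from the fragments shown above (the self issuer, the one-hour window, the fabrikam audience, the givenname and PPID attributes) with surname and e-mail claims added to match the requiredClaims list of the "Hello Cardspace" page. Signature verification is assumed to have happened already in the WS-Security layer; the five-minute clock-skew allowance and the replay cache are the author's assumptions about sensible RP policy.

```python
"""Validate a decrypted CardSpace SAML 1.1 assertion at the relying party.

Added example, not from the original slides.  Signature checking is
assumed to have been done already; this enforces Conditions and extracts
claims.  The sample assertion is constructed from the slide fragments.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
RP_AUDIENCE = "https://www.fabrikam.com/Demos/Reading/signin4.html"
REQUIRED_CLAIMS = ("givenname", "surname", "emailaddress",
                   "privatepersonalidentifier")
CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance for the client's clock

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid:ba02cd5d-2652-4fbd-902a-6f92e8300e6f"
    Issuer="{SELF_ISSUER}" IssueInstant="2007-02-01T10:50:06.468Z">
  <saml:Conditions NotBefore="2007-02-01T10:50:06.468Z" NotOnOrAfter="2007-02-01T11:50:06.468Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{RP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Barry</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Dorrans</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>barryd@idunno.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>wL6Xi5Z5uXQnSu40mRbkpljc5uKvf02HyASCo8uceNk=</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the xsd:dateTime values used in the assertion (UTC, 'Z' suffix)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, audience=RP_AUDIENCE, seen_ids=None):
    """Check version, issuer, validity window, audience and replay; return claims.

    now: the RP's current time, an aware datetime or an ISO-8601 string.
    seen_ids: optional set of AssertionIDs already consumed (needs keeping
    only until the latest NotOnOrAfter has passed).
    """
    if isinstance(now, str):
        now = _ts(now)
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML assertion")
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unexpected SAML version")
    if a.get("Issuer") != SELF_ISSUER:
        raise ValueError("unexpected issuer " + str(a.get("Issuer")))
    cond = a.find("{%s}Conditions" % SAML)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise ValueError("assertion is not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    audiences = [e.text.strip() for e in cond.iter("{%s}Audience" % SAML)]
    if audience not in audiences:
        raise ValueError("assertion is for %s, not this site" % audiences)
    claims = {}
    for attr in a.iter("{%s}Attribute" % SAML):
        key = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[key] = attr.find("{%s}AttributeValue" % SAML).text.strip()
    missing = [c for c in REQUIRED_CLAIMS if CLAIMS_NS + "/" + c not in claims]
    if missing:
        raise ValueError("required claims missing: " + ", ".join(missing))
    assertion_id = a.get("AssertionID")
    if seen_ids is not None:           # replay check last, so only good tokens are cached
        if assertion_id in seen_ids:
            raise ValueError("replayed assertion " + assertion_id)
        seen_ids.add(assertion_id)
    return claims


def accepted(xml_text, now, **kwargs):
    """True when validate_assertion would return claims, False on any rejection."""
    try:
        validate_assertion(xml_text, now, **kwargs)
        return True
    except ValueError:
        return False
```

The audience comparison is deliberately an exact match against the site's own URL: a token issued to a lookalike domain, or captured from another page, fails here even though its signature is perfectly good. The PPID claim, not the e-mail address, is what the site should key its user account on.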
Claims (the claim types defined by System.IdentityModel.Claims.ClaimTypes)
• Anonymous
• Authentication
• AuthorizationDecision
• Country
• DateOfBirth
• Dns
• Email
• Gender
• GivenName
• Hash
• HomePhone
• Locality
• MobilePhone
• Name
• NameIdentifier
• OtherPhone
• PostalCode
• PPID
• RSA
• SID
• SPN
• StateOrProvince
• StreetAddress
• Surname
• System
• Thumbprint
• Upn
• URI
• WebPage
• X500DistinguishedName
Want to be an identity provider?
• EV SSL Certificate
• Security Token Service and policy
• Information Card creation and provisioning
Things to consider
• Claims on self-issued cards are asserted by the user alone, so verify them by other means (for example, confirm the e-mail address).
• How do you measure trust in managed cards, that is, in their issuers?
• Branding is "coming"
Supported Platforms
• Vista, XP and Windows Server 2003
• IE7
• Only NTFS
• It's all WS-*, so the platform should not matter
• OSIS: open-source initiative to create an identity selector that runs on multiple platforms
  http://osis.netmesh.org/wiki/Main_Page
Conclusion
“Now, with the debut of the Info-Card identity
management system, Microsoft is leading a
network-wide effort to address the issue. To those
of us long skeptical of the technology giant's
intentions, the plan seems too good to be true. Yet
the solution is not only right, it could be the most
important contribution to Internet security since
cryptography.”
Lawrence Lessig, Wired Magazine, March 2006.
Further Reading
• http://cardspace.netfx3.com
Microsoft Reference site
• http://www.identityblog.com/
Kim Cameron (with PHP sample code)
• http://www.perpetual-motion.com/
Firefox CardSpace Extension
• https://infocard.pingidentity.com/cardspace/
Java CardSpace Implementations