Windows CardSpace and Information Cards Demo Script

Prepared by: [Demo/Script Owner(s)]
Version: 1.1
2007-10-02

Windows CardSpace is a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control.

Key Messages:

1. Instead of typing information, the user picks a card, so we no longer rely on user names and passwords.
2. Underlying that card we have public key cryptography. Instead of using a shared secret (a user name and password), we use what we have been using for a long time: public and private keys.
3. When we want to identify ourselves, rather than using a user name and password, the identity provider (IP) generates a session key for us that is signed using a private key that only the IP has access to. So when we identify ourselves, only the owner of that private key can identify the user.
4. CardSpace ensures that the key that identifies you to a specific web site is different for every site you go to. That means that if I go to a phishing site and use my normal banking card there, because it is a different site from my bank's, the phishing site gets a completely different key from the one I use with my actual bank.
5. How do I identify myself to an IP? You have a pre-established relationship with your IP: your bank, your school, your government or whatever. You go into your bank and say, I want to have an information card.

Key Technologies:

The following technologies are used in this demo:

Technology / Product | Version | Link
1. Windows CardSpace | Included in .NET 3.0 | .NET Framework Runtime 3.0

Setup and Configuration

Before starting the demo, be sure that you have added some information cards to your system. You will use them to perform the demos.
You need to create an information card and associate it with a user account in order to log in to the following site:

o http://sandbox.netfx3.com. To do this, click Join and provide the site with your Information Card.

CardSpace maintains a history of sites where a card has been presented. The UI presented to a user when visiting a site for the first time differs from that shown in subsequent visits, after an information card has already been presented.

o https://www.cardspacedemos.com/FriendsWithCards. You will use this site to show the UI displayed when visiting a CardSpace enabled web site for the first time. It is important that you do not send an information card to this site before you start this demonstration.

Opening Statement

CardSpace is a piece of software that sits on the client machine. It is about authentication: the user takes advantage of Windows CardSpace to manage their identity and to provide their identity to websites and to web services. Windows CardSpace renders the user's identity as a set of cards. When they want to provide an identity to a site or service, they choose that card, and the request goes off to the identity provider behind the card to ask for a token and the associated claims, which the user can pass on to that web site or web service.

Step-by-step Walkthrough

Estimated time for setting up and configuring the demo: 2 minutes.
Estimated time to complete the demo: 60 minutes.

Preview Card Details

The main goal of this demo is to introduce the audience to information cards. The content has plenty of script and very few actions to perform.

1. Action: Navigate to Control Panel and run "Windows CardSpace".
   Script: Let's open CardSpace and look at all the cards we have already issued.

2. Action: Select one of the cards you have already created.
   Script: We will select an existing card and see what we have here.

3. Action: Click "Preview".
   Script: So you can see here, I have a whole bunch of different fields. I can speak here about what is absent: things like credit card numbers and social security numbers.

4. Action: Move the scrollbar to display all the card fields.
   Script: These are non-risk personal fields; I can put my address here, my phone number. Of course a bad guy could tempt me to use my card and give him this information, but quite honestly, it would be easier for him to look me up in the phone book than to try to hack these things off me. It would take him less time. So the self-issued claims, what we own in our personal cards and self-issued cards, are only a very limited set of information. When we deal with sensitive things like credit card numbers, bank account numbers, social security numbers and so on, the people that issue that information and provide the user with the card that lets the user select the card and get that information are the people that should be managing it. These are the banks, health providers, the government, schools, and employers. Then the information is locked away, probably safe in some datacenter within a wonderfully secure employer, where we know that they are not going to release all of our employment details to anybody that asks.
   So in the case of the self-issued card, who is the CardSpace IP (Identity Provider)? The answer is the user. So who is going to trust you? Well, like I have said, when you go and register at a site, it is you that is providing your information, so implicitly the site trusts you. And that is good for ninety percent of the cases. It is only when you get to the sharp end, when you are paying for something or opening a bank account, that you physically have to go into the bank and say, yes, it is me. They check that it is you, and then you have an account. But for the vast majority of sites, self-issued identities are perfectly acceptable.
   With a self-issued card, whenever you choose a card the same thing conceptually happens. A request goes to an STS (Security Token Service) to create a token with a signature on it, and that information is typically encrypted to the recipient website. A self-issued card is exactly the same as what we call a managed card, which is given to you by a third-party IP. The only difference is that in the former the STS, rather than being some web service at my bank, is a web service on my local machine.

Navigating Sandbox website

1. Action: Launch Internet Explorer 7 and set it to full screen.
   Script: So to give you an example, here is a public website you can all go to and play around with information cards.

2. Action: Navigate to the http://sandbox.netfx3.com web site.

3. Action: Click "Sign In" (Sign In with your Information Card).
   Script: We can sign in using a user name and password or with my information card. Once I click sign in, it shows me the cards that I have used on this site before.

4. Action: Provide an Information Card and click "Send".
   Script: I can choose one of them and click send. So this is a self-issued card, and up there it says I am signed in.

5. Action: Notice that in the top right menu you appear as "Signed in" with the user you provided in the information card.
   Script: That is the experience: no user name, no password, I just choose my card and log in.

Navigating CardSpaceDemos website

1. Action: Switch to the browser window. Go to the https://www.cardspacedemos.com/FriendsWithCards site.
   Script: So when you first access a website, you get this dialog, and you choose whether to send your information, if you trust the site, or back out.

2. Action: Click on the "Sign In with your Information Card" button. The CardSpace card selector window will pop up.
   Script: So indeed if I am going to Bank of America every single week, I do not get prompted with this dialog, or I do get it the first time but not subsequently. Basically, what it is saying is: this is the site information, it is just basic SSL, and so it has not been verified. And I get this special warning: "The site information cannot be verified. Banks or major Internet businesses usually choose to better identify themselves for your protection." So this is to do with high assurance certificates (HAC). If the recipient is using an HAC, you do not get this warning. But this is just basically warning you that the recipient of the information you are about to send is not using an HAC; it is using a normal SSL certificate.
   Note: If you have already presented an information card to a site, the dialog displaying site information is not shown. A similar dialog can be displayed if you click the "Learn More about this site" hyperlink. This will show a dialog that is similar to the one displayed the first time you enter a site.

3. Action: In Internet Explorer, go to https://sandbox.netfx3.com/Login.aspx.
   Script: Let's choose another one; let's go to the sandbox site.

4. Action: Click on the sign-in link, below the big CardSpace logo. The login box will pop up. Click on "Learn More About this Website".
   Script: So in here, for example, the dialog again is this. Again, this is just an SSL site. Again, site information. So this is just a URL, the DNS name behind it, the issuer, in this case Equifax. I get my little warning that it is just an SSL (not an HAC) certificate, and then I am going to choose which card to send. That would pop up the first time I get to a site and try to choose a card. If the certificate does not change, then it will not prompt you with this screen. But if any of the certificate information changes, such as the privacy statement, or if any of the other information that is important for that site changes, then you will get prompted again.

Submit a card without encryption (HTTP)

Use this section only for internal events or presentations.

1. Action: Switch to the browser window and go to http://infocard/site.
   Script: So this website, as you can see, is using HTTP (point to the protocol in the address bar). It is no longer HTTPS.

2. Action: Click on the "Submit a card" button. The card selection dialog will appear.
   Script: If I submit a card, it gives me a warning: "The information that you will send is not protected with encryption and can be viewed by others. Do not send a card that includes sensitive information". So you are warned.

3. Action: Choose a card to send and click on the Send button. The dialog will close.
   Script: So I can send a card, and I can authenticate to the site. And it tells me who issued the card; in this case it is a self-issued card. The token was not encrypted, and the information in the token was just the personal private identifier. This is the human-readable version, and this is the actual value.

Summary

The metasystem is this consistent experience regardless of which underlying technology you might choose to use. You can federate very easily, and user-centric digital identity is going to be everywhere. Actually adding information card support to your site or service is extremely easy. You just express the policy, you retrieve the token and you process it.
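Taking Key Message 4 and the self-issued STS flow described under Preview Card Details together, the following Python sketch is an added example (not part of this script and not CardSpace's own code): the same card yields a different identifier for every relying party, the local STS returns only the requested claims bound to that site, and the relying party rejects a token issued for another audience. The card, the two sites and the HMAC-SHA256 derivation are constructed assumptions; CardSpace's actual derivation is not given in the script.

```python
import hashlib
import hmac

# Constructed self-issued card: one master secret plus a few non-risk claims.
CARD = {
    "master_key": b"constructed-card-master-secret",
    "claims": {"givenname": "Alice", "emailaddress": "alice@example.test"},
}
# Constructed relying parties; cert_subject stands in for the SSL certificate
# identity the selector shows in its site-information dialog.
BANK = {"host": "www.bank.example", "cert_subject": "O=Example Bank Inc"}
PHISH = {"host": "www.bank-example.test", "cert_subject": "O=Bank Example Ltd"}

def relying_party_id(site):
    """Identity a token is bound to: the certificate subject when the site has
    one, otherwise the bare host name (the script's plain-HTTP case)."""
    return site.get("cert_subject") or site["host"]

def site_specific_ppid(card, site):
    """Identifier this card presents to this site and to no other site.
    Illustrative HMAC construction, not CardSpace's exact derivation."""
    rp = relying_party_id(site).encode()
    return hmac.new(card["master_key"], rp, hashlib.sha256).hexdigest()

def issue_token(card, site, requested):
    """Local STS step: return only the claims the site's policy asked for,
    plus the per-site identifier, bound to that site as the audience."""
    claims = {k: v for k, v in card["claims"].items() if k in requested}
    claims["privatepersonalidentifier"] = site_specific_ppid(card, site)
    return {"audience": relying_party_id(site), "claims": claims}

def process_token(site, token, accounts):
    """Relying-party step: refuse a token issued for a different audience,
    then look the user up by PPID rather than by a user-editable claim."""
    if token["audience"] != relying_party_id(site):
        return None
    return accounts.get(token["claims"]["privatepersonalidentifier"])

def demo():
    """Same card at the bank and at a look-alike site: different PPIDs, and the
    token captured by the look-alike is useless against the bank."""
    bank_tok = issue_token(CARD, BANK, ["givenname"])
    accounts = {bank_tok["claims"]["privatepersonalidentifier"]: "alice-acct-42"}
    phish_tok = issue_token(CARD, PHISH, ["emailaddress"])
    same = (bank_tok["claims"]["privatepersonalidentifier"]
            == phish_tok["claims"]["privatepersonalidentifier"])
    replayed = process_token(BANK, phish_tok, accounts)
    return same, process_token(BANK, bank_tok, accounts), replayed
```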
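The site-history rules from the Navigating CardSpaceDemos section and the warning from the unencrypted (HTTP) section, modelled as an added Python example (not CardSpace code): the site-information dialog appears on the first visit or when any displayed field such as the privacy statement changes, a plain SSL (non-HAC) site adds the verification warning, and an HTTP site adds the no-encryption warning. The site records, field names and history store are constructed assumptions.

```python
import hashlib
import json

# Warning texts as quoted in the demo script.
WARN_NOT_HAC = ("The site information cannot be verified. Banks or major Internet "
                "businesses usually choose to better identify themselves for your "
                "protection.")
WARN_NO_ENCRYPTION = ("The information that you will send is not protected with "
                      "encryption and can be viewed by others. Do not send a card "
                      "that includes sensitive information.")
# Fields the site-information dialog shows; a change in any of them re-prompts.
DIALOG_FIELDS = ("scheme", "host", "cert_issuer", "cert_subject", "hac",
                 "privacy_statement")

def site_fingerprint(site):
    """Stable digest of the site information a card was last sent with."""
    shown = {k: site.get(k) for k in DIALOG_FIELDS}
    return hashlib.sha256(json.dumps(shown, sort_keys=True).encode()).hexdigest()

def evaluate_site(site, history):
    """Decide what the selector shows before the user picks a card.
    history maps host -> fingerprint recorded when a card was last sent."""
    first_or_changed = history.get(site["host"]) != site_fingerprint(site)
    decision = {"show_site_dialog": first_or_changed, "warnings": []}
    if site["scheme"] != "https":
        decision["warnings"].append(WARN_NO_ENCRYPTION)   # the HTTP demo case
    elif not site.get("hac"):
        decision["warnings"].append(WARN_NOT_HAC)          # plain SSL, not HAC
    return decision

def record_card_sent(site, history):
    """After a card is sent, remember the site so an unchanged revisit is silent."""
    history[site["host"]] = site_fingerprint(site)

def demo():
    """Walk a constructed SSL site through first visit, revisit, changed privacy
    statement, then a constructed plain-HTTP site. Returns the four decisions."""
    history = {}
    ssl_site = {"scheme": "https", "host": "demo.example.test", "cert_issuer": "Constructed CA",
                "cert_subject": "CN=demo.example.test", "hac": False, "privacy_statement": "v1"}
    first = evaluate_site(ssl_site, history)
    record_card_sent(ssl_site, history)
    revisit = evaluate_site(ssl_site, history)
    changed = evaluate_site(dict(ssl_site, privacy_statement="v2"), history)
    http_site = {"scheme": "http", "host": "infocard.example.test"}
    plain = evaluate_site(http_site, history)
    return first, revisit, changed, plain
```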