Seven Perspectives on CardSpace Ronny Bjones Security Strategist Microsoft Corporation.

Post on 26-Mar-2015


Seven Perspectives on CardSpace

Ronny Bjones

Security Strategist

Microsoft Corporation

“The Laws of Identity” – The original research

1. User control and consent

2. Minimal disclosure for a defined use

3. Justifiable parties

4. Directional identity

5. Pluralism of operators and technologies

6. Human integration

7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Seven Perspectives on CardSpace

1. Component of the identity metasystem

2. Abstraction layer for authentication technologies

3. Anti-phishing technology

4. User convenience

5. Security

6. Privacy

7. Development Framework

Perspective #1: CardSpace as a component of the Identity Metasystem

• The need for an identity layer on the Internet

• Interoperability

• Technology & platform independence

The Identity Metasystem (diagram): Internet, Services, Partners and Customers connected through the Identity Metasystem, extending the reach of information workers and the reach of applications, built on the WS-* Web Services Architecture.

Framework for Interoperability

TCP/IP of identities

Defined on open standards – WS-*

Extended by CardSpace’s definition of CLAIMS

http://download.microsoft.com/download/5/4/0/54091e0b-464c-4961-a934-d47f91b66228/infocard-techref-beta2-published.pdf

CardSpace is security token agnostic

SAML, Kerberos, X.509, custom

Identity Providers can bridge different identity silos

Multiprotocol Federation Interoperability Demonstration

Burton Group – Gerry Gebel – November 1st 2005

Protocol Drill Down

Parties: User, Client, Identity Provider (IP), Relying Party (RP)

1. Client would like to access a resource

2. RP provides identity requirements: format, claims & issuer of security token

3. Client shows which of known IPs can satisfy requirements

4. User selects an IP

5. Request to IP Security Token Service for security token, providing user credentials

6. IP generates security token based on RP’s requirements, with display token and proof of possession for user

7. User views display token and approves the release of token

8. Token is released to RP with proof of possession; RP reads claims and allows access

CardSpace Cards

SELF-ISSUED

• Contains claims about my identity that I assert

• Not corroborated

• Stored locally

• Signed and encrypted to prevent replay attacks

MANAGED

• Provided by banks, stores, government, clubs, etc.

• Locally stored cards contain metadata only!

• Data stored by Identity Provider and obtained only when card submitted

Platform & Technology Independent

Third-party support for Firefox

http://perpetual-motion.com/kevin/

Information Card support on Mac Safari

http://www.identityblog.com/?p=579

Open Source Initiatives

Higgins Trust Framework Project

Perspective #2: CardSpace as an abstraction layer for authentication mechanisms

• Orchestrate the death of the password

• Multi-factor authentication

Root Causes of e-Identity Theft

Lack of awareness

Vulnerabilities/Spyware

Weak foundation provided by password systems

(Chart, with example passwords “Admin password” and “Admin.R386W”) 992 days after product release: 87 for the product released 11/29/2000 vs. 51 for the product released 09/28/2003

Abstraction Layer

eID cards

Microsoft’s support

Enterprise scenarios

Consumer scenarios

Perspective #3: CardSpace as an anti-phishing technology

• Move away from ID/passwords

• Human integration

How to remember all these passwords?

Identity Crisis

The Internet is a dangerous place!

Identity theft, spoofing, phishing, phraud, malware

Username + password is weak and overwhelmed

Poor choice

Poor management

Poor (re-)use

How do we safely, reliably identify a site to a user…

…and a user to a site?

“Good phishing sites fooled 90% of participants” – Harvard

Human Integration

A simple, consistent, secure way to represent identity

Support cryptographically verifiable, yet user-friendly security tokens

Wallet Metaphor

A set of claims someone makes about me

Claims are packaged as security tokens

Many identities for many uses

Useful to distinguish from profiles

Windows “CardSpace”

Enables federated claims-based identity

Lingua franca for identity, roles & attributes that builds on EID

Any identity/service provider can integrate using public WS-* protocols

Identity provider support for:

Windows Server with Active Directory

PingID for Linux, UNIX, Apache, others

More to come…

New credential common dialog

One-click login

Streamlines user registration

Mitigates some common attack vectors (e.g. phishing)

Additional privacy benefits

Perspective #4: CardSpace as a user convenience technology

Demo

Perspective #5: CardSpace as a security technology

• Move away from ID/passwords

• Secure Desktop integration

Secure CardSpace Environment

Runs under separate desktop and restricted account

Isolates CardSpace runtime from Windows desktop

Deters hacking attempts by user-mode processes

Perspective #6: CardSpace as a privacy enhancing technology

• User control on revealing identity information

• No unique identifiers

• Fine-grained claims – mandates & identity attributes

Many privacy concerns with existing identity systems

Microsoft Passport

The systems reveal too much privacy-related information

Linkability of transactions because of unique identifier (e.g. public keys)

Privacy attributes of CardSpace

The user controls which data to reveal to the relying party

No need for the relying party to copy all privacy-related information

A different identifier used for each relying party

Allows for fine-grained identity attributes

E.g. Claim (“Subject above 18”)
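The eight-step exchange from the Protocol Drill Down slide and the per-relying-party identifier from this slide, as an added Python simulation that is not part of the original deck: it models the RP's claim requirements, the client's card selection, an STS that releases only the requested claims together with a PPID derived per RP, and the RP's signature, audience and proof-of-possession checks. The keys, the card, the RP names and the HMAC-over-JSON token format are constructed stand-ins; CardSpace itself uses XML security tokens over WS-* and encrypts the proof key to the RP rather than carrying it in the clear.

```python
import hashlib
import hmac
import json
import secrets

PPID = "privatepersonalidentifier"

# Constructed demo material (not real CardSpace keys or token formats)
IP_SIGNING_KEY = b"demo-ip-signing-key"
CARD = {"id": "card-0001", "secret": b"demo-card-master-secret",
        "claims": {"givenname": "Alice", "surname": "Example", "emailaddress": "alice@example.test"}}

def ppid_for(card, rp_id):
    """Per-relying-party identifier: the same card yields a different PPID at every RP."""
    return hashlib.sha256(card["secret"] + rp_id.encode()).hexdigest()[:32]

def card_satisfies(card, policy):
    """Step 3: a card qualifies if it carries every required claim (PPID is always derivable)."""
    return set(policy["requiredClaims"]) - {PPID} <= set(card["claims"])

def ip_issue_token(card, policy):
    """Steps 5-6: the STS releases only the requested claims, bound to a fresh proof key."""
    claims = {k: card["claims"][k] for k in policy["requiredClaims"] if k != PPID}
    if PPID in policy["requiredClaims"]:
        claims[PPID] = ppid_for(card, policy["rp"])
    proof_key = secrets.token_bytes(32)
    # Simplification: the proof key travels in the clear; CardSpace encrypts it to the RP.
    body = {"audience": policy["rp"], "claims": claims, "proofKey": proof_key.hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    token = {"payload": payload, "sig": hmac.new(IP_SIGNING_KEY, payload, "sha256").hexdigest()}
    return token, claims, proof_key  # claims doubles as the display token shown in step 7

def client_prove_possession(proof_key, rp_nonce):
    """Step 8: the client proves it holds the proof key by keying the RP's challenge with it."""
    return hmac.new(proof_key, rp_nonce, "sha256").hexdigest()

def rp_verify(token, rp_id, rp_nonce, pop):
    """Step 8: the RP checks issuer signature, audience and proof of possession, then reads claims."""
    expected_sig = hmac.new(IP_SIGNING_KEY, token["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, token["sig"]):
        return None  # tampered, or not issued by a trusted IP
    body = json.loads(token["payload"])
    if body["audience"] != rp_id:
        return None  # issued for another RP: cannot be replayed here
    expected_pop = hmac.new(bytes.fromhex(body["proofKey"]), rp_nonce, "sha256").hexdigest()
    if not hmac.compare_digest(expected_pop, pop):
        return None  # presenter does not hold the proof key
    return body["claims"]
```

Running the same card against two RPs shows the minimal-disclosure and unlinkability properties: the surname the RP did not ask for never leaves the STS, and the two PPIDs differ.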

Perspective #7: CardSpace as a development framework

• Integration into .NET Framework 3.0

• IE7 integration

• Easy integration

.NET At The Core

• XP

• Vista

• W2k3

Building a Relying Party

Four key tasks

1. Update user database

2. Create an association page

3. Update the sign in page

4. Update the registration page

Examples here in ASP.NET 2.0

But can be done in PHP/Java/PERL/etc. if required

Create an association page

    <!-- ... -->
    <button onclick="javascript:return CardSpacelogin.submit();">
      Update account with your Information Card
    </button>

    <form name="CardSpacelogin" target="_self" method="post">
      <!-- The object tag invokes the CardSpace selector; the resulting token is posted as "xmlToken" -->
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->

Seven Perspectives on CardSpace

1. Component of the identity metasystem

2. Abstraction layer for authentication technologies

3. Anti-phishing technology

4. User convenience

5. Security

6. Privacy

7. Development Framework

Resources

Windows Vista Security

http://www.microsoft.com/windows/longhorn/security.mspx

CardSpace

http://msdn2.microsoft.com/en-us/netframework/default.aspx

http://www.identityblog.com/

http://cardspace.netfx3.com

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.