ISC 2009: Information Security, pp. 278-293
Risks of the CardSpace Protocol
Abstract
Microsoft has designed a user-centric identity metasystem encompassing a suite of protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with an add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target for attack. We examine the security of CardSpace against today's Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not prevent replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof-of-concept attack. Finally, we suggest several areas of improvement.
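The abstract's central finding is that the browser-based protocol does not prevent replay of security tokens, i.e. a relying party accepts the same token more than once. The following is an added example, not code from the paper or from CardSpace, showing the relying-party-side checks that turn a replayed token into a rejected one: signature, audience, validity window, and a seen-token-ID cache bounded by the token's own expiry. The token format (a JSON claims document with id/aud/sub/iat/exp fields) and the HMAC standing in for the issuer's signature are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed example: the JSON claims layout and the HMAC "issuer
# signature" are assumptions for this illustration, not the real
# CardSpace token format.
ISSUER_KEY = b"constructed-issuer-key"


def issue_token(key, token_id, audience, subject, issued_at, lifetime=300):
    """Stand-in for the identity provider: sign a claims document."""
    claims = {
        "id": token_id,          # unique per token; the replay-detection handle
        "aud": audience,         # relying party this token is meant for
        "sub": subject,
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + mac.encode()


class RelyingParty:
    """Validates tokens and refuses to accept the same token twice."""

    def __init__(self, audience, issuer_key, clock=time.time):
        self.audience = audience
        self.issuer_key = issuer_key
        self.clock = clock
        self.seen = {}  # token id -> expiry time of that token

    def _purge(self, now):
        # Ids of expired tokens can be forgotten: the validity-window
        # check rejects those tokens anyway, so the cache stays bounded.
        self.seen = {tid: exp for tid, exp in self.seen.items() if exp > now}

    def accept(self, token):
        """Return (ok, reason); ok is True only for a fresh, valid token."""
        now = self.clock()
        self._purge(now)
        body, sep, mac = token.rpartition(b".")
        if not sep:
            return False, "malformed"
        expected = hmac.new(self.issuer_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac.decode()):
            return False, "bad signature"
        claims = json.loads(body)
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if not (claims["iat"] <= now < claims["exp"]):
            return False, "outside validity window"
        tid = claims["id"]
        if tid in self.seen:
            return False, "replayed token"
        self.seen[tid] = claims["exp"]
        return True, "accepted"


def demo():
    """Present one valid token twice: accepted once, rejected as a replay."""
    issued = 1_700_000_000  # constructed timestamp
    rp = RelyingParty("https://rp.example", ISSUER_KEY, clock=lambda: issued + 10)
    token = issue_token(ISSUER_KEY, "t-1", "https://rp.example", "alice", issued)
    first = rp.accept(token)
    second = rp.accept(token)  # identical bytes presented again
    return first, second


if __name__ == "__main__":
    print(demo())
```

The cache only has to remember ids until the corresponding token expires, so the lifetime the issuer puts in `exp` bounds both the replay window and the memory the relying party spends on detection; a token with no expiry would require remembering its id forever.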
Keywords
CardSpace, identity management, analysis