Windows CardSpace™ Adlai Maschiach Senior Consultant
.NET At The Core
Too much SOA
Who Are You? The Internet was built without a layer for Security or Identity
The Imperative To Connect
The Internet Identity Crisis
  Lack of identity online
  Phishing & Phraud
  Password fatigue
  Inconsistent, proprietary identification mechanisms
Phishing & Phraud Source:
Password Stealing Malicious Code URLs Source:
BBS Demo
Password Fatigue
Passport - Past attempts
  Microsoft Passport, code name “Hailstorm”: single sign on to the Internet
  Was not accepted by web sites outside of Microsoft: sites did not trust Microsoft to be in control of the identity; Microsoft was not a “justifiable party”
  Passport is used successfully by Microsoft sites (Live ID)
  A single identity cannot work for all contexts
CardSpace VS Passport
  Card selection: CardSpace – the selection of what card (information) to send to a requesting web site is decided by me, the user. Passport – I rely on Microsoft to send the required information to the web site.
  Client software: CardSpace – an “identity selector”, which uses WS-Trust messages. Passport – login/password of the Passport on a Microsoft MSN-based HTML form (non-SSL).
  Identifiable information: CardSpace – held on the user’s PC or at the identity provider (re-use). Passport – held by Microsoft.
  At the server: CardSpace – the server [Relying Party] has the user’s information. Passport – people won’t use Microsoft as the man in the middle (!?!).
  User experience: CardSpace – common user experience (cards). Passport – experience varies between Identity Providers (different forms).
  Identity Provider: CardSpace – whomever I choose. Passport – Microsoft properties.
  Login: CardSpace – simpler login. Passport – redirection / site bounce.
What we know
  Passwords shouldn’t be like “qwerty”
  Writing them in an accessible place isn’t the wisest move
  Echoing the letters while you’re on the phone won’t help you log in faster
  When all fails, blame the System Administrator for creating an insecure environment
The Identity Metasystem
  Identity layer for the Internet
  Open, inclusive, standards-based model
  Built upon “The Laws of Identity”
  CardSpace is a client agent within the IDMS
  More details at
The Laws of Identity
  User Control and Consent
  Limited Disclosure for a Limited Use
  Fewest Parties
  Directed Identity
  Pluralism of Operators and Technologies
  Human Integration
  Consistent Across Contexts
  More details at
Windows CardSpace™
  Easier: provides a consistent user experience; replaces usernames and passwords with strong tokens
  Safer: protects users from phishing & phraud attacks; support for two-factor authentication; tokens are cryptographically strong
  Standards, standards, standards!! Built on WS-* Web Services Protocols; can be supported by websites on any technology & platform
CardSpace Environment
  Runs under a separate desktop and a restricted account
  Isolates the CardSpace runtime from the Windows desktop
  Deters hacking attempts by user-mode processes
CardSpace Cards
  Self Issued: contains claims about my identity that I assert; not authenticated; stored locally; signed and encrypted to prevent replay attacks
  Managed: provided by banks, stores, government, clubs, etc; locally stored cards contain metadata only! Data is stored by the Identity Provider and obtained only when the card is submitted
Create & Login using Self Issued Card
Participants User Relying Party (website) Identity Provider
Example Scenario 1 Login With Self Issued Card
User Relying Party (website) Login With Self Issued Card
Select Self Issued Card User Relying Party (website)
User Relying Party (website) Create Token From Card
User Relying Party (website) Encrypt, Sign, Return Token
ASPX

```html
Click here to sign in
<object type="application/x-informationcard" name="xmlToken">
  <!-- claim URIs elided on the original slide -->
  <param name="requiredClaims" value="..." />
</object>
```
CodeBehind (C#)

```csharp
using System;

protected void Page_Load(object sender, EventArgs e)
{
    // The identity selector posts the (encrypted) token in the xmlToken form field
    string xmlToken = Request.Params["xmlToken"];
    if (xmlToken == null || xmlToken.Equals(""))
        ShowError("Token presented was null");
    else
    {
        // second constructor argument is cut off on the original slide
        TokenHelper tokenHelper = new TokenHelper(xmlToken, "...");
        givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
        surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
        // further claim-to-control assignments elided on the original slide
    }
}
```
CodeBehind (C#)

```csharp
using System;
using System.Web.Security;

public partial class Login_aspx : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string xmlToken = Request["xmlToken"];
        // TokenProcessor sample: decrypts the token with the site certificate and validates its signature
        Token token = new TokenProcessor.Token(xmlToken);
        // Lookup the account using the uniqueId
        string username = MembershipHelper.GetUser(token.UniqueID);
        if (username != null)
        {
            MembershipUser user = Membership.GetUser(username);
            // give the cookie back to the browser
            FormsAuthentication.SetAuthCookie(user.UserName, false);
        }
        // otherwise the card is not yet associated with an account: send the user to the association page
    }
}
```
Example Scenario 2 Login With Managed Card
User Relying Party (website) Login With Managed Card
Select Managed Card User Relying Party (website)
Select Managed Card: the user authenticates to the Identity Provider via X509, Kerberos, a self-issued card, or username/password …
Relying Party (website) Identity Provider Request Security Token (RST) User
Return Token RST Response (RSTR) Relying Party (website) Identity Provider User
Information Cards
  PPIDs are unique to the user/website relationship
  Websites will have a common and consistent user experience
  Reduced drop-off using simplified sign-up
  Ridding ourselves of common-knowledge questions like “what is your dog’s name?” - use cryptography
Enabling Information Cards Preparation [SSL/EVC] Sign In Association Recovery Visuals
Code Example Building A Relying Party
Building a Relying Party
  Four key tasks: 1. Update the user database 2. Create an association page 3. Update the sign in page 4. Update the registration page
  Examples here in ASP.NET 2.0, but can be done in PHP/Java/PERL/etc. if required
Preparing Your Database
  tbl_InformationCards: UniqueID (PK), UserID (FK), PPID, IssuerID
  aspnet_Users: UserID (PK), FirstName, LastName
Sign In Experience
  Perform client-side detection: does the browser support Information Cards?
  YES: card-enabled web page
  NO: simple login/password
Sign In Experience
Sign In Process
  Is this card associated with an account?
  YES: log the user in (<html> Welcome Back </html>)
  NO: 1. Associate to an existing account 2. Create a new account 3. Choose a different card
Sign In leads to association
  1. Is associated to an existing account (recovery scenario)
  2. Create a new account (account creation)
  3. Choose a different card (start over)
Association – existing account (option 1)
  Authenticate via: 1.1 Username/Password, or 1.2 Proof of an account ( )
Association – Account Creation (option 2)
  Login / Password, with optional validation
  The user is logged in (<html>Welcome</html>)
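The sign-in and association flow of the last four slides, as an added Python example that is not code from the deck: it keeps the two tables from the Preparing Your Database slide in an in-memory SQLite database, derives the site-scoped UniqueID from the PPID claim and the issuer's key (assumed, following the TokenProcessor sample's approach, to be base64 of a SHA-256 over both), and implements option 1.1 (associate after a password check) and option 2 (create the account from the card's claims). The password hashing is a stand-in for the ASP.NET membership provider, and the sample claims and issuer key are constructed.

```python
import base64, hashlib, sqlite3

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

def unique_id(ppid, issuer_key):
    """Site-scoped card id; assumed base64(SHA-256(PPID || issuer key)), as in the TokenProcessor sample."""
    return base64.b64encode(hashlib.sha256(ppid.encode() + issuer_key).digest()).decode()

def _pw_hash(username, password):  # stand-in for Membership.ValidateUser
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000).hex()

class RelyingParty:
    def __init__(self):  # the two tables from the Preparing Your Database slide, in memory
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
          CREATE TABLE aspnet_Users (UserID INTEGER PRIMARY KEY, UserName TEXT UNIQUE,
                                     PwHash TEXT, FirstName TEXT, LastName TEXT);
          CREATE TABLE tbl_InformationCards (UniqueID TEXT PRIMARY KEY,
            UserID INTEGER REFERENCES aspnet_Users(UserID), PPID TEXT, IssuerID TEXT);""")
    def sign_in(self, claims, issuer_key):
        """'Is this card associated with an account?': the user name if yes, else None."""
        uid = unique_id(claims[CLAIMS + "privatepersonalidentifier"], issuer_key)
        row = self.db.execute("SELECT u.UserName FROM tbl_InformationCards c JOIN aspnet_Users u"
                              " ON u.UserID = c.UserID WHERE c.UniqueID = ?", (uid,)).fetchone()
        return row[0] if row else None
    def associate_existing(self, claims, issuer_key, username, password):
        """Option 1.1: bind the card to an existing account after a password check."""
        row = self.db.execute("SELECT UserID, PwHash FROM aspnet_Users WHERE UserName = ?",
                              (username,)).fetchone()
        if row is None or row[1] != _pw_hash(username, password):
            return False
        self._store_card(row[0], claims, issuer_key)
        return True
    def create_account(self, claims, issuer_key, username, password):
        """Option 2: create the account from the card's claims, then associate the card."""
        cur = self.db.execute("INSERT INTO aspnet_Users (UserName, PwHash, FirstName, LastName)"
                              " VALUES (?, ?, ?, ?)", (username, _pw_hash(username, password),
                              claims.get(CLAIMS + "givenname"), claims.get(CLAIMS + "surname")))
        self._store_card(cur.lastrowid, claims, issuer_key)
        return username
    def _store_card(self, user_id, claims, issuer_key):
        ppid = claims[CLAIMS + "privatepersonalidentifier"]
        self.db.execute("INSERT INTO tbl_InformationCards VALUES (?, ?, ?, ?)", (unique_id(
            ppid, issuer_key), user_id, ppid, hashlib.sha256(issuer_key).hexdigest()))
        self.db.commit()

# Constructed sample input: claims from a self-issued card and a made-up issuer key.
SAMPLE_CLAIMS = {CLAIMS + "privatepersonalidentifier": "constructed-ppid-value",
                 CLAIMS + "givenname": "Ada", CLAIMS + "surname": "Lovelace"}
SAMPLE_ISSUER_KEY = b"constructed-issuer-public-key-bytes"
```

Because the issuer key is part of the UniqueID, the same PPID presented under a different issuer maps to no account, which is the property the slides rely on when they say PPIDs are unique to the user/website relationship.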
SAML
  Security Assertion Markup Language. Open standard. Single sign on. Assertion based. “Think locally, act globally”.
  CardSpace uses the SAML 2.0 ECP Profile (“Enhanced Client or Proxy”).
SAML Claims in Self Issued Cards
  Given Name, Address, Surname, Street Address, Locality, State/Province, Postal Code, Country, Home Phone, Other Phone, Mobile Phone, Date of Birth, Gender, PPID, Web site
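An added Python example (not from the deck) that maps the attribute statement of a decrypted, signature-verified self-issued token to the claim URIs behind the names listed above, and rejects assertions outside their validity window or addressed to another relying party. The SAML 1.x attribute layout, the claim URI namespace and the sample assertion are constructed for illustration; decryption and signature checking are assumed to have happened before this step, as the TokenProcessor sample does.

```python
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from datetime import datetime

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Display names from the slides keyed by the last path segment of the claim URI.
SELF_ISSUED_CLAIMS = {
    "givenname": "Given Name", "emailaddress": "Email Address", "surname": "Surname",
    "streetaddress": "Street Address", "locality": "Locality", "stateorprovince": "State/Province",
    "postalcode": "Postal Code", "country": "Country", "homephone": "Home Phone",
    "otherphone": "Other Phone", "mobilephone": "Mobile Phone", "dateofbirth": "Date of Birth",
    "gender": "Gender", "privatepersonalidentifier": "PPID", "webpage": "Web site"}

def _ts(value):  # SAML timestamps are UTC, e.g. 2007-06-01T12:00:00Z; None is rejected
    return datetime.strptime(value or "", "%Y-%m-%dT%H:%M:%SZ")

def parse_claims(assertion_xml, audience, now_utc):
    """Map a decrypted, signature-checked SAML 1.x assertion to {claim URI: value}.
    now_utc is the current time in SAML timestamp form. Raises ValueError when the
    assertion is outside its validity window or was issued for another audience."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML1}}}Conditions")
    if cond is None or not _ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.iter(f"{{{SAML1}}}Audience")]:
        raise ValueError("assertion not issued for this relying party")
    claims = {}
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = attr.findtext(f"{{{SAML1}}}AttributeValue")
    return claims

def friendly(claims):
    """Claim URIs -> display names from the slides; URIs not on the list are kept as-is."""
    return {SELF_ISSUED_CLAIMS.get(k.rsplit("/", 1)[-1], k): v for k, v in claims.items()}

# Constructed sample (already decrypted) in the layout a self-issued card token uses.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="uuid-constructed" IssueInstant="2007-06-01T12:00:00Z"
  Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self">
  <saml:Conditions NotBefore="2007-06-01T12:00:00Z" NotOnOrAfter="2007-06-01T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://rp.example/</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>constructed-ppid=</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""
```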
Summary
CardSpace Summary
  Consistent authentication for digital identities
  Reduces the chances of being phished
  Adopting takes little developer effort
Resources
  cardspace.netfx3.com – CardSpace samples and technical info
  Kim Cameron’s Blog (Identity Architect)
  Richard Turner, CardSpace Program Manager
  Garrett Serack, CardSpace Community Program Manager
  Marc Mercuri
  Christian Arnold
  Adlai Maschiach