Published by Amy Jody Rodgers. Modified over 8 years ago.
Windows CardSpace™
Adlai Maschiach, Senior Consultant
http://blogs.microsoft.co.il/blogs/adlaim
.NET At The Core
Too much SOA
Who Are You?
The Internet was built without a layer for security or identity.
The Imperative To Connect
The Internet Identity Crisis
- Lack of identity online
- Phishing & phraud
- Password fatigue
- Inconsistent, proprietary identification mechanisms
Phishing & Phraud
Source: http://www.antiphishing.org
Password Stealing Malicious Code URLs
Source: http://www.antiphishing.org
BBS Demo
Password Fatigue
Passport - Past Attempts
- Microsoft Passport, code name "Hailstorm": single sign-on to the Internet
- Was not accepted by web sites outside of Microsoft
- Sites did not trust Microsoft to be in control of the identity; Microsoft was not a "justifiable party"
- Passport is used successfully by Microsoft sites (now Live ID)
- A single identity cannot work for all contexts
CardSpace vs Passport

Selection of what card (information) to send to a requesting web site
  CardSpace: decided by me, the user.
  Passport:  I rely on Microsoft to send the required information to the web site.

Client software
  CardSpace: an "identity selector", which uses WS-Trust messages.
  Passport:  login/password on a Microsoft MSN-based HTML form (non-SSL).

Where identifiable information is held
  CardSpace: on the user's PC or at the identity provider (re-use).
  Passport:  held by Microsoft.

At the server
  CardSpace: the Relying Party holds the user's information.
  Passport:  people won't use Microsoft as the man in the middle (!?!)

User experience
  CardSpace: common user experience (cards).
  Passport:  experience varies between identity providers (different forms).

Identity provider
  CardSpace: whomever I choose.
  Passport:  Microsoft properties only.

Login
  CardSpace: simpler login.
  Passport:  redirection / site bounce.
What We Know
- Passwords shouldn't be like "qwerty"
- Writing them in an accessible place isn't the wisest move
- Echoing the letters while you're on the phone won't help you log in faster
- When all else fails, blame the system administrator for creating an insecure environment
The Identity Metasystem
- Identity layer for the Internet
- Open, inclusive, standards-based model
- Built upon "The Laws of Identity"
- CardSpace is a client agent (identity selector) within the Identity Metasystem
- More details at http://www.identityblog.com
The Laws of Identity
1. User Control and Consent
2. Limited Disclosure for a Limited Use
3. Fewest Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Across Contexts
More details at http://www.identityblog.com
Windows CardSpace™
Easier
- Provides a consistent user experience
- Replaces usernames and passwords with strong tokens
Safer
- Protects users from phishing & phraud attacks
- Support for two-factor authentication
- Tokens are cryptographically strong
Standards, standards, standards!!
- Built on WS-* Web Services protocols
- Can be supported by websites on any technology & platform
CardSpace Environment
- Runs on a separate desktop under a restricted account
- Isolates the CardSpace runtime from the Windows desktop
- Deters hacking attempts by user-mode processes
CardSpace Cards
Self Issued
- Contains claims about my identity that I assert
- Not authenticated
- Stored locally
- Signed and encrypted to prevent replay attacks
Managed
- Provided by banks, stores, government, clubs, etc.
- Locally stored cards contain metadata only!
- Data is stored by the Identity Provider and obtained only when the card is submitted
Create & Login using Self Issued Card
Participants
- User
- Relying Party (website)
- Identity Provider
Example Scenario 1: Login With Self Issued Card
1. User -> Relying Party (website): login with a self-issued card
2. User: select the self-issued card
3. User: create a token from the card
4. User -> Relying Party (website): encrypt and sign the token, return it
ASPX

    <!-- Information card trigger. The slide shows only the requiredClaims param; the
         enclosing object element (MIME type application/x-informationcard, posted as the
         "xmlToken" field that the code-behind reads) is reconstructed from the standard
         CardSpace markup. The page's submit control is labelled "Click here to sign in". -->
    <object type="application/x-informationcard" name="xmlToken">
      <param name="requiredClaims"
             value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>
CodeBehind (C#)

    // Read the posted token, decrypt/verify it and display the claims.
    // TokenHelper and ShowError are the sample's own helpers; TokenHelper takes the token
    // XML and the relying party's own host name (the audience the token must be addressed to).
    protected void Page_Load(object sender, EventArgs e)
    {
        string xmlToken = Request.Params["xmlToken"];
        if (string.IsNullOrEmpty(xmlToken))
        {
            ShowError("Token presented was null");
        }
        else
        {
            TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
            givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
            surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
            email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
        }
    }
CodeBehind (C#)

    using System.Web.Security;
    using TokenProcessor;   // Token class from the CardSpace TokenProcessor sample

    public partial class Login_aspx : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string xmlToken = Request["xmlToken"];
            if (string.IsNullOrEmpty(xmlToken))
            {
                return;   // no card submitted; the normal login form stays in place
            }
            // The sample's Token class decrypts the token with the site certificate
            // and verifies its signature before any claim is read.
            Token token = new Token(xmlToken);

            // Look up the account using the UniqueID (PPID bound to the issuer key),
            // never the raw PPID string. MembershipHelper is the sample's own helper.
            string username = MembershipHelper.GetUser(token.UniqueID);
            if (username != null)
            {
                MembershipUser user = Membership.GetUser(username);
                // Give the forms-authentication cookie back to the browser (non-persistent).
                FormsAuthentication.SetAuthCookie(user.UserName, false);
            }
            else
            {
                // Card not yet associated with an account: go to the association page
                // (page name is illustrative; see "Sign In Process").
                Response.Redirect("Associate.aspx");
            }
        }
    }
Example Scenario 2: Login With Managed Card
1. User -> Relying Party (website): login with a managed card
2. User: select the managed card
3. User -> Identity Provider: authenticate (X.509, Kerberos, self-issued card, username/password, ...)
4. User -> Identity Provider: Request Security Token (RST)
5. Identity Provider -> User: RST Response (RSTR) carrying the token
6. User -> Relying Party (website): return the token
Information Cards
- PPIDs are unique to the user-website relationship
- Websites will have a common and consistent user experience
- Reduced drop-off using simplified sign-up
- Ridding ourselves of common-knowledge questions like "what is your dog's name?" - use cryptography
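The two properties the slides rely on, a PPID that differs per relying party and an account key that binds that PPID to the issuer's key, are easy to get wrong when a site keys its user table on the raw PPID string. The following Python model is an added example, not code from the deck or from the Microsoft samples; it replaces the RSA signature and XML handling of the sample's Token class with plain hashes so it runs offline. The derivation of the PPID from a card secret plus the RP identity is a simplified stand-in for the self-issued card rule, `issuer_key` stands in for the card's public key, and the host names, claim values and the five-minute lifetime are constructed sample data.

```python
"""Self-issued card model: per-RP PPID, the RP's account key, and the checks a
relying party still runs after signature verification and decryption succeed."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PPID = CLAIMS_NS + "privatepersonalidentifier"
TOKEN_LIFETIME = timedelta(minutes=5)   # assumption: lifetime the selector stamps on the token


def derive_ppid(card_secret: bytes, rp_identity: str) -> str:
    """PPID shown to one relying party. Simplified model: SHA-256 over the card's
    secret identifier and the RP identity the selector takes from the site's SSL
    certificate. The same card yields a different, stable PPID at every RP, so two
    sites cannot correlate a user by comparing PPIDs."""
    digest = hashlib.sha256(card_secret + b"|" + rp_identity.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_self_issued_token(card_secret: bytes, issuer_key: bytes, rp_identity: str,
                            claims: Dict[str, str], now: datetime) -> Dict:
    """What the identity selector hands back, before signing and encryption
    (handled by the TokenProcessor sample in the real flow). 'issuer_key' stands
    in for the public key that signed the token."""
    token_claims = dict(claims)
    token_claims[PPID] = derive_ppid(card_secret, rp_identity)
    return {
        "audience": rp_identity,              # SAML AudienceRestriction
        "not_before": now,
        "not_on_or_after": now + TOKEN_LIFETIME,
        "issuer_key": issuer_key,
        "claims": token_claims,
    }


def unique_id(ppid: str, issuer_key: bytes) -> str:
    """Account key for the RP's card table: hash(PPID + issuer public key).
    Keying on the PPID alone would let any other issuer mint a token carrying a
    victim's PPID string and land in the victim's account."""
    digest = hashlib.sha256(ppid.encode("utf-8") + issuer_key).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_token(token: Dict, rp_identity: str, required_claims: Set[str],
                   now: datetime, skew: timedelta = timedelta(minutes=1)) -> List[str]:
    """Returns the reasons for rejecting a token; an empty list means accept."""
    problems: List[str] = []
    if token["audience"] != rp_identity:
        problems.append("audience mismatch")       # token was minted for another site
    if now < token["not_before"] - skew:
        problems.append("not yet valid")
    if now >= token["not_on_or_after"] + skew:
        problems.append("expired")                 # bounds the replay window
    missing = required_claims - set(token["claims"])
    if missing:
        problems.append("missing claims: " + ", ".join(sorted(missing)))
    return problems


def demo() -> Dict[str, object]:
    """Runs the scenarios on constructed sample data and returns the observations."""
    card = b"constructed-card-secret-0001"        # constructed, not a real card
    key_a, key_b = b"issuer-key-A", b"issuer-key-B"
    now = datetime(2007, 1, 1, tzinfo=timezone.utc)
    claims = {CLAIMS_NS + "givenname": "Adlai", CLAIMS_NS + "surname": "Maschiach"}
    tok = issue_self_issued_token(card, key_a, "www.fabrikam.com", claims, now)
    ppid = tok["claims"][PPID]
    return {
        "ppid_fabrikam": ppid,
        "ppid_fabrikam_again": derive_ppid(card, "www.fabrikam.com"),
        "ppid_contoso": derive_ppid(card, "www.contoso.com"),
        "account_key_a": unique_id(ppid, key_a),
        "account_key_b": unique_id(ppid, key_b),   # same PPID string, other issuer
        "ok": validate_token(tok, "www.fabrikam.com", {PPID}, now),
        "wrong_audience": validate_token(tok, "www.contoso.com", {PPID}, now),
        "expired": validate_token(tok, "www.fabrikam.com", {PPID}, now + timedelta(hours=1)),
        "missing": validate_token(tok, "www.fabrikam.com", {CLAIMS_NS + "emailaddress"}, now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audience and expiry checks matter because a token stolen from one site, or captured on the wire, would otherwise be a valid login at any other site that trusts the same issuer; the audience restriction is what the RP host name passed to the sample's TokenHelper is there to enforce.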
Enabling Information Cards
- Preparation [SSL/EVC]
- Sign In
- Association
- Recovery
- Visuals
Code Example Building A Relying Party
Building a Relying Party
Four key tasks:
1. Update the user database
2. Create an association page
3. Update the sign-in page
4. Update the registration page
Examples here are in ASP.NET 2.0, but it can be done in PHP/Java/Perl/etc. if required.
Preparing Your Database

tbl_InformationCards
  UniqueID   (PK)
  UserID     (FK -> aspnet_Users.UserID)
  PPID
  IssuerID

aspnet_Users
  UserID     (PK)
  FirstName
  LastName
  eMail
Sign In Experience
Perform client-side detection: does the browser support Information Cards?
- YES: card-enabled web page
- NO: simple login/password
Sign In Process
Is this card associated with an account?
- YES: log the user in (<html> Welcome Back </html>)
- NO:
  1. Associate with an existing e-mail account
  2. Create a new account
  3. Choose a different card
Sign In Leads to Association
1. Associate with an existing e-mail account -> recovery scenario
2. Create a new account -> account creation
3. Choose a different card -> start over

Association - Existing Account (option 1)
Authenticate via:
1.1 Username/password
1.2 Proof of an account (e-mail)

Association - Account Creation (option 2)
Login/password, optional validation; the user is logged in (<html>Welcome</html>)
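The sign-in and association slides above describe one decision procedure over the two tables from "Preparing Your Database". The following Python model is an added example, not the deck's ASP.NET code: it keeps tbl_InformationCards and aspnet_Users in memory, keyed the way the schema is keyed, and walks the three branches. The `unique_id` argument is the value the token processor derives from the PPID and issuer key (passed in as an opaque string here), the password store is an assumption standing in for aspnet_Membership, which the slides do not show, and every name and address is constructed sample data.

```python
"""In-memory model of the relying party's sign-in and association flow."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CardRow:            # tbl_InformationCards
    unique_id: str        # PK: hash of PPID + issuer key, derived from the token
    user_id: int          # FK -> aspnet_Users.UserID
    ppid: str
    issuer_id: str


@dataclass
class UserRow:            # aspnet_Users
    user_id: int
    first_name: str
    last_name: str
    email: str


class RelyingParty:
    def __init__(self) -> None:
        self.cards: Dict[str, CardRow] = {}          # keyed by UniqueID (PK)
        self.users: Dict[int, UserRow] = {}          # keyed by UserID (PK)
        # Assumption: password store standing in for aspnet_Membership (salt, PBKDF2 hash).
        self.passwords: Dict[str, Tuple[bytes, bytes]] = {}
        self._next_user_id = 1

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def _verify_password(self, email: str, password: str) -> bool:
        if email not in self.passwords:
            return False
        salt, expected = self.passwords[email]
        return hmac.compare_digest(self._hash(password, salt), expected)

    def _user_by_email(self, email: str) -> Optional[UserRow]:
        return next((u for u in self.users.values() if u.email == email), None)

    def is_associated(self, unique_id: str) -> bool:
        return unique_id in self.cards

    # Sign In Process: YES branch returns the account to log in, NO branch returns None
    # and the page offers the three association options.
    def sign_in(self, unique_id: str) -> Optional[int]:
        row = self.cards.get(unique_id)
        return row.user_id if row else None

    # Option 1 / 1.1: associate with an existing account after username/password proof.
    # Returns None when the proof fails; the card is then NOT linked.
    def associate_existing(self, unique_id: str, ppid: str, issuer_id: str,
                           email: str, password: str) -> Optional[int]:
        user = self._user_by_email(email)
        if user is None or not self._verify_password(email, password):
            return None
        if self.is_associated(unique_id):
            return None       # PK violation: a card maps to exactly one account
        self.cards[unique_id] = CardRow(unique_id, user.user_id, ppid, issuer_id)
        return user.user_id

    # Option 2: create a new account, link the card and log the user in.
    # Returns None if the card or the e-mail is already taken (use option 1 instead).
    def create_account(self, unique_id: str, ppid: str, issuer_id: str,
                       first: str, last: str, email: str, password: str) -> Optional[int]:
        if self.is_associated(unique_id) or self._user_by_email(email) is not None:
            return None
        user_id = self._next_user_id
        self._next_user_id += 1
        self.users[user_id] = UserRow(user_id, first, last, email)
        salt = os.urandom(16)
        self.passwords[email] = (salt, self._hash(password, salt))
        self.cards[unique_id] = CardRow(unique_id, user_id, ppid, issuer_id)
        return user_id


if __name__ == "__main__":
    rp = RelyingParty()
    print(rp.sign_in("uid-1"))                                            # None: not associated
    print(rp.create_account("uid-1", "ppid-a", "self-issued", "Amy", "Rodgers",
                            "amy@example.test", "correct horse battery"))  # 1
    print(rp.associate_existing("uid-2", "ppid-b", "self-issued",
                                "amy@example.test", "wrong"))              # None: proof failed
    print(rp.sign_in("uid-1"))                                            # 1
```

Option 3 ("choose a different card") needs no server-side state: the page simply re-renders the card trigger. The two refusals worth noting are that a failed ownership proof must leave the card unlinked, and that a card already linked to one account can never be attached to a second one; both are what the UniqueID primary key and the separate association page are for.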
SAML
- Security Assertion Markup Language. Open standard: http://www.oasis-open.org/
- Single sign-on. Assertion based. "Think locally, act globally."
- CardSpace's self-issued identity provider issues SAML 1.1 assertions (token type urn:oasis:names:tc:SAML:1.0:assertion); managed card issuers may return other token types.
SAML: Claims in Self Issued Cards
http://msdn2.microsoft.com/en-us/library/aa395199.aspx
  Given Name      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Email Address   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Surname         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Street Address  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
  Locality        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
  State/Province  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
  Postal Code     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
  Country         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
  Home Phone      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
  Other Phone     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
  Mobile Phone    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
  Date of Birth   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
  Gender          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender
  PPID            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
  Web site        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/website
Summary
CardSpace Summary
- Consistent authentication for digital identities
- Reduces the chances of being phished
- Adopting takes little developer effort
http://cardspace.netfx3.com
Resources
- cardspace.netfx3.com - CardSpace samples and technical info
- www.identityblog.com - Kim Cameron's blog (Identity Architect)
- http://blogs.msdn.com/richardt/ - Richard Turner, CardSpace Program Manager
- www.fearthecowboy.com - Garrett Serack, CardSpace Community Program Manager
- http://www.marcmercuri.com/ - Marc Mercuri
- http://www.codecomplete.de/blogs/digitalidentity/ - Christian Arnold
- http://blogs.microsoft.co.il/blogs/adlaim/ - Adlai Maschiach