CON 222: Migrating website authentication to CardSpace


1 CON 222: Migrating website authentication to CardSpace

2 Course overview: Why have passwords become a bottleneck for the growth of the Internet? What is needed to build a CardSpace-enabled website? What are the steps to migrate an existing website to CardSpace?

3 Passwords: I love them and I hate them. © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Coordinating Services
Identity Management and Coordination: baked-in support for simple and secure access.

Slide table "# of Passwords" (one user's credentials across sites, as far as the transcript preserves them):
  Company     User Name          Password
  eBay        john658739         football
  MSDN        (not recovered)    gohawks
  My Bank     My Account #       gohawks1
  WSJ         (not recovered)    (not recovered)
  My Broker   My SS#             Go#Hawks1
Slide labels: Mobile Identities; New Threats; Coordinating Services.

Speaker notes:

Background. Today, most of the online applications we write, whether they are Web sites, Web services or rich browser-based applications, are protected by usernames and passwords. Many of these applications implement inconsistent requirements for usernames and passwords: some usernames are generated automatically from an account ID, some are the user's choice; some usernames are based on e-mail addresses, some are not; sometimes passwords accept non-alphanumeric characters (e.g. ", #), sometimes they do not. (Username/Password)

There are two fundamental problems with the traditional username/password approach to security. First, because of the inconsistent requirements across multiple Web sites, users are forced to create and remember an ever-growing list of username/password combinations (typically one for each Web site they regularly interact with). This often leads to insecure practices, such as using the same username and password across several Web sites, or storing an unencrypted list of usernames and passwords on a computer or on paper. (Same password across sites / password on hard copy) Second, usernames and passwords are susceptible to a growing threat from various forms of identity fraud, including "phishing". Phishing schemes trick consumers into releasing usernames and passwords to fraudulent Web sites posing as familiar sites (see Figure 2). They take advantage of consumers' inability to confirm the identity of who they are dealing with (their bank, a credit card company, an online business, etc.). The industry is actively engaged in finding a solution to identity-related fraud such as phishing.

A growing number of online merchants, financial providers and federal regulators now realise the inherent shortcomings of username/password-based security and are looking for a more secure alternative.

InfoCard. "InfoCard" is the codename for a new feature of Microsoft Windows that simplifies and improves the safety of accessing resources and sharing personal information on the Internet. It alleviates the problems of traditional online security mechanisms by reducing the reliance on usernames and passwords. By helping users manage their personal information better and control how it is released and to whom, "InfoCard" can enable more secure online experiences, including online shopping, banking and bill payment. The "InfoCard" experience centres on a simple user interface that can be thought of metaphorically as a "wallet". Inside this wallet are various "cards" that can be thought of as more secure alternatives to usernames and passwords. These cards contain strong cryptographic information that can be used to log in to Web sites that are InfoCard-enabled.

Transition to next slide: To better understand the InfoCard experience, let's take a look at a typical use case...

5 Top ten viruses and outbreak report, first half of 2006 (source: Jiangmin Technology / 江民科技)
  Rank   Infections   Name
  1      471,363      Gray Pigeon (灰鸽子)
  2      299,350      Legend Thief (传奇盗贼)
  3      240,354      Gaobot and Rbot (高波和瑞波)
  4      102,849      CHM trojan (CHM木马)
  5      47,006       WMF malicious file (wmf恶意文件)
  6      44,246       QQ Thief (QQ大盗)
  7      15,902       Viking (维京)
  8      12,183       Chuanhua trojan (传华木马)
  9      105          ICBC phishing trojan (工行钓鱼木马)
  10     97           Extortioner (敲诈者)

6 Trojans are still the mainstream of malware (source: Jiangmin Technology / 江民科技)

7 News replay. Headlines: "Fake ICBC website reappears; consumers' funds stolen (with photo)"; "Hacker 'releases the pigeon' to steal broadband accounts, takes more than 30,000 yuan to play online games"; "Online-banking deposits lost; hundreds of users plan a class action against ICBC"; "ICBC responds to online-banking theft cases, says most thefts were due to leaked passwords"; "Online banks robbed again and again: hackers' attack process decoded".

8 Introduction to CardSpace

9 "InfoCard": simplifying sign-in and authentication and making them more secure. Private desktop. Self-issued cards. Managed cards.
Separate user context: prevents attacks by other local processes. Self-issued cards: not permanent, stored locally. Managed cards: permanent, stored at the STS (Security Token Service).

Speaker notes: The "InfoCard" UI can best be thought of as a wallet or a safe for storing InfoCards. When the UI is invoked, InfoCard creates a separate private Windows desktop for the identity selection screen that lets users choose a card. This is the same mechanism used to isolate the Windows login screen (it runs in a separate user context), and it prevents hacking attacks by other locally-running processes. Some of the cards displayed, known as "Personal Cards", have been created by the user (as simple, yet more secure, replacements for username/password combinations), while other cards are provided to the user by entities such as the user's bank, employer, credit card company, airline mileage club, auto group, etc.

Before we talk about what is inside each InfoCard, it is more important to note what is not in an information card. No sensitive data is stored within the InfoCard itself. For example, an InfoCard created by my credit card company would not contain my credit card number. That information is always stored at the identity provider's system (in this case my credit card provider) behind a Security Token Service (STS). Any time I need to access that information, InfoCard requests it from the identity provider, who encrypts it and sends it back to InfoCard, and InfoCard then forwards the encrypted information on to the Web site. The key point is that sensitive information is never contained in a card, and so it is never stored on the user's machine.

The contents of an InfoCard include: a JPEG or GIF file with the image of the card that the user sees on screen, along with the name of the card that is displayed; one or more types of security token used for authentication; a URL for the identity provider (so that we know where to get the information needed); the date and time the information card was created; and an InfoCard reference, a globally unique identifier specified as a URI, for the card. This identifier is created by the identity provider that issues the card, and it is passed back to that provider each time a security token is requested using this card.

Transition to next slide: One of the most promising aspects of InfoCard is the way it communicates with identity providers and Web sites...

10 "InfoCard": WS-* Web Services. User, Relying Party, Identity Provider.

Speaker notes: We have identified the three key parties in an InfoCard interaction: the User (me); the Relying Party (RP), the Web site requesting that you log in, authenticate or provide information; and the Identity Provider (IP), the bank, credit card company, airline, employer or merchant who stores the sensitive information. These three parties communicate using the broadly adopted Web services industry standards. That means that anyone can implement any of the roles shown on this slide and interoperate with the other two roles: if the Relying Party (the Web site) is running PHP, no problem; they can accept InfoCards because the formats and protocols used to exchange information are based on industry standards. If the Identity Provider (my employer) is running Linux, no problem, for the same reason. What about InfoCard itself, though? While InfoCard itself is a Microsoft technology that runs on Windows, there is nothing stopping other platforms (such as Mac or various flavours of Linux) from implementing an identity-choosing mechanism like InfoCard.

Transition to next slide: Speaking of communicating using Web services, let's talk more about how we as developers can build Web services using WinFX...

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

11 "CardSpace" (demo)
Speaker notes: In this demo, we will see how we can use InfoCard to log in to a car rental Web site and get a discount on a car rental without manually entering any personal information such as a username and password. Transition to next slide: Now that we have seen the demo, let's talk about the key feature areas of InfoCard...

12 How to make a website support CardSpace sign-in

13 How to make a Web site support CardSpace: install .NET Framework 3.0; install a certificate for the Web site; add the code that invokes the CardSpace Identity Selector to the page; change Web.config.

14 Using certificates in the Web site
About certificates. Principle: asymmetric cryptography. Purpose: confirm the other party's identity and encrypt information. High Assurance (HA) certificates: a logo is embedded in the certificate; the links in the certificate serve only for verification.
Installing a certificate in the Web site: install the certificate; grant the IIS worker identity (e.g. ASPNET) read permission on the certificate, so the site can use its private key; then use the installed certificate in the Web site. Tool: Certificates Tools and Settings.

15 Code that invokes CardSpace from the page (the issuer and requiredClaims values were lost in the transcript and are left empty here):
<form id="form1" method="post" action="login1.aspx">
  <button type="submit">Sign in with Info Card</button>
  <object type="application/x-informationcard" name="xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="issuer" value="" />          <!-- URI of the built-in self-issuing provider; value not recovered -->
    <param name="requiredClaims" value="" />  <!-- space-separated claim URIs; values not recovered -->
  </object>
</form>

16 Parameter description
type="application/x-informationcard": instructs the browser to engage the ActiveX object (the Identity Selector).
param name="tokenType": controls the token type the Identity Selector will emit; in this case a SAML 1.0 token.
param name="issuer": the URL of the Identity Provider that will provide the identity. In this case, a hard-wired URI that invokes the built-in self-issuing provider.
param name="requiredClaims": the claims that the Relying Party asks the User to provide from the Identity Provider. The examples here are part of the pre-defined set for self-issued (personal) cards.

17 Web.config (the xmlns and Version values were lost in the transcript and are left empty here; note that compilation belongs under system.web, and debug="true" should be turned off before deployment):
<configuration xmlns="">
  <system.web>
    <compilation debug="true">
      <assemblies>
        <add assembly="System.IdentityModel.Selectors, Version=, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      </assemblies>
    </compilation>
  </system.web>
</configuration>

18 Protocol flow: Security Token Server, Browser with InfoCard, Web Site (Relying Party)
The slide's sequence diagram, as numbered steps:
1. Browser -> Web Site: HTTP GET (protected page). Web Site -> Browser: redirect to the login page.
2. Browser -> Web Site: HTTP GET (login page). Web Site -> Browser: login page (HTML) with the InfoCard tag.
3. CardSpace lights up; the user selects a card.
4. CardSpace <-> Identity Provider (managed or self) / Security Token Server: the token is obtained via WS-MetadataExchange and WS-Trust.
5. Browser -> Web Site front end: HTTP GET|POST of the target page + token. Web Site -> Browser: cookie + browser redirect.

The security token server implements the WS-Trust protocol and supports claims transformation. The relying party states its requirements as WS-SecurityPolicy statements, which are retrieved through the WS-MetadataExchange protocol. The Identity Selector implements a consistent user experience: once invoked by the application, it negotiates between the relying party and the identity provider(s), shows the subject (e.g. the end user) the identities of the "matching" identity providers and of the relying party, obtains the claims, and, under the subject's supervision, hands them to the application.

19 Binding a card to an existing account: associate the PPID (private personal identifier) with the account's primary key.

20 At sign-in, write the matching account's information into the cookie (braces restored; TokenHelper and SqlMembershipProviderHelper are the sample's own helpers, not shown on this page):
protected void Page_Load(object sender, EventArgs e)
{
    // If the user is already authenticated, just redirect back to the home page.
    if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
    {
        Response.Redirect("..");
    }

    // If an xmlToken is passed in the POST, then this is an InfoCard post.
    string xmlToken = Request["xmlToken"];
    if (xmlToken != null && xmlToken.Trim() != "")
    {
        // TokenHelper decrypts the posted token and exposes its claims.
        TokenHelper tokenHelper = new TokenHelper(xmlToken);

        // Look up the local account bound to the token's unique ID (the PPID).
        string username = SqlMembershipProviderHelper.GetUser(tokenHelper.getUniqueID());
        if (username != null)
        {
            MembershipUser user = Membership.GetUser(username);
            if (user != null)
            {
                // Issue the forms-authentication cookie and redirect the browser.
                FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
            }
        }
    }
}
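What the sign-in handler has to check before it trusts the unique ID it pulls out of the token, shown as an added example in Python rather than the page's C# TokenHelper (the relying party can be on any platform, as slide 10 notes). It covers slides 18 to 20 together: the token's validity window and audience, the PPID-to-account lookup, and binding a card only from a session that is already authenticated. The assertion is constructed inline in the shape of a self-issued SAML 1.1 token; the relying-party URL, the PPID strings and the account table are assumptions of the example, and decryption and signature verification are assumed to have happened already (that is TokenHelper's job), so this is an illustration of the checks, not a drop-in replacement.

```python
# Added example: relying-party checks on a decrypted CardSpace SAML 1.x token.
# Illustrative code, not Microsoft's TokenHelper. The RP URL, PPID values and
# account table are constructed for this example.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
PPID = "privatepersonalidentifier"
RP_AUDIENCE = "https://www.contoso.example/"  # assumed identity of our relying party


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_assertion(assertion_xml, audience, now):
    """Return (claims, None) if the assertion is acceptable for this RP, else (None, reason).
    Assumes the caller already decrypted the token and verified its signature."""
    root = ET.fromstring(assertion_xml)
    if root.tag != _tag("Assertion"):
        return None, "not a SAML 1.x assertion"
    cond = root.find(_tag("Conditions"))
    if cond is None:
        return None, "missing Conditions"
    not_before = _utc(cond.get("NotBefore"))
    not_on_or_after = _utc(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return None, "outside validity window (replayed or stale token)"
    # A token minted for another site must not sign anyone in here.
    audiences = [a.text for a in cond.iter(_tag("Audience"))]
    if audience not in audiences:
        return None, "token issued for a different relying party"
    claims = {}
    for attr in root.iter(_tag("Attribute")):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue
        values = [v.text for v in attr.findall(_tag("AttributeValue"))]
        claims[attr.get("AttributeName")] = values[0] if len(values) == 1 else values
    if PPID not in claims:
        return None, "no PPID claim; cannot map the card to an account"
    return claims, None


def login_with_card(assertion_xml, audience, now, ppid_to_username):
    """Slide 20: the PPID is the key into the account table; return (username, None) or (None, reason)."""
    claims, err = verify_assertion(assertion_xml, audience, now)
    if err:
        return None, err
    username = ppid_to_username.get(claims[PPID])
    if username is None:
        return None, "card not bound to any account"
    return username, None


def bind_card(ppid_to_username, authenticated_user, claims):
    """Slide 19: bind the card's PPID to the account of the user who is logged in right now.
    Binding from an unauthenticated request would let anyone attach their card to
    someone else's account, so the caller must pass the session's user."""
    if authenticated_user is None:
        return False
    ppid_to_username[claims[PPID]] = authenticated_user
    return True


def make_assertion(ppid, audience, not_before, minutes_valid=5):
    """Constructed sample input in the shape of a self-issued SAML 1.1 assertion (not a real token)."""
    nb = not_before.strftime("%Y-%m-%dT%H:%M:%SZ")
    na = (not_before + timedelta(minutes=minutes_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
        'AssertionID="uuid-constructed" Issuer="%s" IssueInstant="%s">'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        '<saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestrictionCondition></saml:Conditions>'
        '<saml:AttributeStatement>'
        '<saml:Attribute AttributeName="%s" AttributeNamespace="%s">'
        '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        '<saml:Attribute AttributeName="givenname" AttributeNamespace="%s">'
        '<saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion>'
    ) % (SAML_NS, SELF_ISSUER, nb, nb, na, audience, PPID, CLAIMS_NS, ppid, CLAIMS_NS)


def demo():
    """Run the cases a relying party must get right and return their outcomes."""
    now = datetime(2006, 9, 1, 10, 2, tzinfo=timezone.utc)
    accounts = {}  # PPID -> username: the slide's PPID-to-primary-key table
    ppid = "bQ1sb0NvbnN0cnVjdGVkUFBJRA=="  # constructed; real PPIDs differ per relying party
    fresh = now - timedelta(minutes=1)
    good = make_assertion(ppid, RP_AUDIENCE, fresh)
    claims, _ = verify_assertion(good, RP_AUDIENCE, now)
    return {
        "bind_anonymous": bind_card(accounts, None, claims),       # refused
        "bind_authenticated": bind_card(accounts, "alice", claims),  # from alice's password session
        "login_ok": login_with_card(good, RP_AUDIENCE, now, accounts),
        "unknown_card": login_with_card(make_assertion("b3RoZXI=", RP_AUDIENCE, fresh), RP_AUDIENCE, now, accounts),
        "wrong_audience": login_with_card(make_assertion(ppid, "https://evil.example/", fresh), RP_AUDIENCE, now, accounts),
        "expired": login_with_card(make_assertion(ppid, RP_AUDIENCE, now - timedelta(minutes=10)), RP_AUDIENCE, now, accounts),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Running the block prints one line per case. The audience and validity-window checks are what make a captured POST useless elsewhere or later; the PPID lookup is the whole of slide 20's SqlMembershipProviderHelper.GetUser step; and bind_card refusing an unauthenticated caller is the detail slide 19 leaves implicit.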

21 Other resources: official website; white paper; blogs: http://wcs.netfx3.com/
Microsoft's Vision for an Identity System; Laws of Identity; blogs: Kim Cameron, Andy Harjanto

22 Other resources: Chinese WebCasts: Windows Vista Pilot Series Course (8): InfoCard Overview (Level 200)
Windows Vista Pilot Series Course (9): Windows CardSpace (formerly InfoCard) Overview, part 2 (Level 300)


24 Contact: renmin.cnblogs.com


