Seven Perspectives on CardSpace
Ronny Bjones, Security Strategist, Microsoft Corporation
"The Laws of Identity" (the original research)
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at www.identityblog.com
Seven Perspectives on CardSpace
1. Component of the identity metasystem
2. Abstraction layer for authentication technologies
3. Anti-phishing technology
4. User convenience
5. Security
6. Privacy
7. Development framework
Perspective #1: CardSpace as a component of the Identity Metasystem
• The need for an identity layer on the Internet
• Interoperability
• Technology and platform independence
The Identity Metasystem
[Diagram: the Identity Metasystem sits between Internet services, partners and customers, extending the reach of information workers and the reach of applications; it is built on the WS-* Web Services Architecture.]
Framework for Interoperability
• The "TCP/IP of identities"
• Defined on open standards (WS-*)
• Extended by CardSpace's definition of claims (InfoCard technical reference, beta 2):
http://download.microsoft.com/download/5/4/0/54091e0b-464c-4961-a934-d47f91b66228/infocard-techref-beta2-published.pdf
• CardSpace is security-token agnostic: SAML, Kerberos, X.509, custom
• Identity providers can bridge different identity silos
• Multiprotocol Federation Interoperability Demonstration, Burton Group (Gerry Gebel), November 1st 2005
Protocol Drill Down
Parties: Identity Provider (IP), Relying Party (RP), Client (the identity selector on the user's machine) and the User.
1. Client would like to access a resource at the RP.
2. RP provides its identity requirements: format, claims and issuer of the security token.
3. Client shows which of the known IPs can satisfy the requirements.
4. User selects an IP.
5. Client sends a request to the IP's Security Token Service for a security token, providing the user's credentials.
6. IP generates a security token based on the RP's requirements, with a display token and proof of possession for the user.
7. User views the display token and approves the release of the token.
8. Token is released to the RP with proof of possession; the RP reads the claims and allows access.
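The eight steps above, as an added example that is not code from the slides or from CardSpace itself: an offline simulation in which the identity selector matches cards against the RP's policy, the IP's security token service issues a token carrying only the requested claims plus a proof key, and the RP checks issuer signature, audience, freshness, replay and proof of possession before reading the claims. HMAC-SHA256 stands in for the XML signatures and a SHA-256 keystream XOR stands in for encrypting the proof key to the RP; the card, account and key material are constructed sample data, and every class and function name is this example's own.

```python
"""Added example, not code from the slides: an offline simulation of the
eight-step exchange above. HMAC-SHA256 stands in for the XML signatures and
the XOR "wrap" for the encryption of the real WS-Trust/WS-Security messages;
the card, account and key material are constructed sample data."""
import hashlib
import hmac
import json
import os
import time


def mac(key: bytes, payload) -> str:
    """MAC over a JSON-serialised payload (stand-in for an XML signature)."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def xor_wrap(key: bytes, data: bytes, nonce: str) -> bytes:
    """Toy key wrapping with a SHA-256 keystream; stands in for encrypting the
    proof key to the relying party's certificate. Symmetric, so it also unwraps."""
    stream = hashlib.sha256(key + nonce.encode()).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class IdentityProvider:
    """Steps 5-6: the identity provider's security token service."""

    def __init__(self, name: str, signing_key: bytes, rp_wrap_keys: dict):
        self.name, self.key, self.rp_wrap_keys = name, signing_key, rp_wrap_keys
        self.accounts = {}  # card id -> (user credential, all claims the IP holds)

    def issue(self, card_id: str, credential: str, policy: dict):
        stored_credential, claims = self.accounts[card_id]
        if not hmac.compare_digest(stored_credential, credential):
            raise PermissionError("user credential rejected")
        proof_key, nonce = os.urandom(16), os.urandom(8).hex()
        body = {
            "issuer": self.name, "audience": policy["audience"], "nonce": nonce,
            "issued_at": int(time.time()),
            "claims": {c: claims[c] for c in policy["required_claims"]},  # only what the RP asked for
            "wrapped_proof_key": xor_wrap(self.rp_wrap_keys[policy["audience"]], proof_key, nonce).hex(),
        }
        token = dict(body, signature=mac(self.key, body))
        display_token = dict(body["claims"])  # step 7: what the user sees and approves
        return token, proof_key, display_token


class RelyingParty:
    """Steps 2 and 8: publishes a policy and consumes tokens."""

    def __init__(self, name: str, wrap_key: bytes, trusted_issuers: dict, max_age: int = 300):
        self.name, self.wrap_key, self.trusted = name, wrap_key, trusted_issuers
        self.max_age, self.seen_nonces = max_age, set()

    def policy(self) -> dict:
        return {"audience": self.name, "token_type": "saml1", "issuer": "any",
                "required_claims": ["emailaddress", "over18"]}

    def accept(self, token: dict, proof_of_possession: str) -> dict:
        body = {k: v for k, v in token.items() if k != "signature"}
        issuer_key = self.trusted.get(body["issuer"])
        if issuer_key is None or not hmac.compare_digest(mac(issuer_key, body), token["signature"]):
            raise PermissionError("issuer unknown or signature invalid")
        if body["audience"] != self.name:
            raise PermissionError("token was issued for a different relying party")
        if abs(time.time() - body["issued_at"]) > self.max_age or body["nonce"] in self.seen_nonces:
            raise PermissionError("token stale or replayed")
        proof_key = xor_wrap(self.wrap_key, bytes.fromhex(body["wrapped_proof_key"]), body["nonce"])
        if not hmac.compare_digest(mac(proof_key, token["signature"]), proof_of_possession):
            raise PermissionError("client does not hold the proof key")
        self.seen_nonces.add(body["nonce"])
        return body["claims"]


def select_cards(cards: list, policy: dict) -> list:
    """Step 3: the cards in the user's store that can satisfy the RP's policy."""
    return [c for c in cards
            if set(policy["required_claims"]) <= set(c["claims"])
            and policy["issuer"] in ("any", c["issuer"])]


def run_exchange():
    """Drive steps 1-8 once, then replay the same token to show it is refused."""
    rp_wrap_key = os.urandom(16)
    bank = IdentityProvider("bank-sts", os.urandom(16), {"shop.example": rp_wrap_key})
    bank.accounts["card-1"] = ("hunter2", {"emailaddress": "alice@example", "over18": True, "surname": "Doe"})
    shop = RelyingParty("shop.example", rp_wrap_key, {"bank-sts": bank.key})
    cards = [{"id": "card-1", "issuer": "bank-sts", "claims": ["emailaddress", "over18", "surname"]},
             {"id": "card-2", "issuer": "club-sts", "claims": ["emailaddress"]}]
    policy = shop.policy()                                        # steps 1-2
    usable = select_cards(cards, policy)                          # step 3
    chosen = usable[0]                                            # step 4: the user picks a card
    token, proof_key, display = bank.issue(chosen["id"], "hunter2", policy)  # steps 5-6
    assert "surname" not in display                               # step 7: user reviews the display token
    proof = mac(proof_key, token["signature"])                    # step 8: client proves possession
    claims = shop.accept(token, proof)
    try:
        shop.accept(token, proof)
        replay_refused = False
    except PermissionError:
        replay_refused = True
    return claims, [c["id"] for c in usable], replay_refused


if __name__ == "__main__":
    print(run_exchange())
```

Two points the slide's flow leaves implicit are visible here: the token is bound to one RP (the audience check), and the client must demonstrate the proof key, so a token captured in transit is useless to a third party and a second submission of the same token is refused by the nonce cache.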
CardSpace Cards
Self-issued:
• Contains claims about my identity that I assert
• Not corroborated
• Stored locally
• Signed and encrypted to prevent replay attacks
Managed:
• Provided by banks, stores, government, clubs, etc.
• Locally stored cards contain metadata only!
• Data stored by the Identity Provider and obtained only when the card is submitted
Platform and Technology Independent
• Third-party support for Firefox
http://perpetual-motion.com/kevin/
• Information Card support on Mac Safari
http://www.identityblog.com/?p=579
• Open-source initiatives: Higgins Trust Framework Project
Perspective #2: CardSpace as an abstraction layer for authentication mechanisms
• Orchestrate the death of the password
• Multi-factor authentication
Root Causes of e-Identity Theft
• Lack of awareness
• Vulnerabilities / spyware
• Weak foundation provided by password systems
[Chart residue; labels recoverable from the slide: "Admin password", "Admin.R386W", "992 Days After Product Release", "Released 11/29/2000" (87), "Released 09/28/2003" (51).]
Abstraction Layer
eID Cards
• Microsoft's support
• Enterprise scenarios
• Consumer scenarios
Perspective #3: CardSpace as an anti-phishing technology
• Move away from ID/passwords
• Human integration
How to remember all these passwords?
Identity Crisis
• The Internet is a dangerous place: identity theft, spoofing, phishing, "phraud", malware
• Username + password is weak and overwhelmed: poor choice, poor management, poor (re-)use
• How do we safely, reliably identify a site to a user… and a user to a site?
• "Good phishing sites fooled 90% of participants" (Harvard)
Human Integration
• A simple, consistent, secure way to represent identity
• Support for cryptographically verifiable, yet user-friendly, security tokens
Wallet Metaphor
• A set of claims someone makes about me
• Claims are packaged as security tokens
• Many identities for many uses
• Useful to distinguish from profiles
Windows "CardSpace"
• Enables federated claims-based identity: a lingua franca for identity, roles and attributes that builds on eID
• Any identity/service provider can integrate using public WS-* protocols
• Identity provider support for: Windows Server with Active Directory; PingID for Linux, UNIX, Apache and others; more to come…
• New credential common dialog: one-click login, streamlined user registration, mitigation of some common attack vectors (e.g. phishing), additional privacy benefits
Perspective #4: CardSpace as a user convenience technology
Demo
Perspective #5: CardSpace as a security technology
• Move away from ID/passwords
• Secure Desktop integration
Secure CardSpace Environment
• Runs under a separate desktop and a restricted account
• Isolates the CardSpace runtime from the Windows desktop
• Deters hacking attempts by user-mode processes (code running in kernel mode is outside this boundary)
Perspective #6: CardSpace as a privacy enhancing technology
• User control over revealing identity information
• No unique identifiers
• Fine-grained claims: mandates and identity attributes
Many privacy concerns with existing identity systems
• Microsoft Passport
• The systems reveal too much privacy-related information
• Linkability of transactions because of a unique identifier (e.g. public keys)
Privacy attributes of CardSpace
• The user controls which data to reveal to the relying party
• No need for the relying party to copy all privacy-related information
• A different identifier is used for each relying party
• Allows for fine-grained identity attributes, e.g. the claim "subject is above 18"
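The two privacy properties listed above, a per-relying-party identifier and a derived "over 18" claim, as an added example that is not code from the slides or from CardSpace: a self-issued card derives its identifier as an HMAC of the RP's identity under a per-card master key, so the same RP always sees the same value while two RPs cannot correlate the user, and it answers the age question from the birth date without ever releasing the date. The derivation, the class name, the master key and the attribute values are this example's own assumptions; the slide does not give CardSpace's actual PPID algorithm.

```python
"""Added example, not from the slides: a self-issued card that shows a
different identifier to each relying party and answers "over 18" without
disclosing the birth date. Deriving the identifier as an HMAC of the RP's
identity under a per-card master key is this example's own construction;
the slide does not give CardSpace's actual PPID algorithm. The master key
and attributes are constructed sample data."""
import hashlib
import hmac
from datetime import date


class SelfIssuedCard:
    def __init__(self, master_key: bytes, attributes: dict):
        self.master_key, self.attributes = master_key, attributes

    def ppid(self, rp_identity: str) -> str:
        """Private personal identifier: stable for one RP, unlinkable across RPs,
        and not reversible to the master key from the RP's copy."""
        return hmac.new(self.master_key, rp_identity.encode(), hashlib.sha256).hexdigest()[:32]

    def over_18(self, today: date) -> bool:
        """Derived claim: true once the 18th birthday has passed, never the date itself."""
        dob = self.attributes["dateofbirth"]
        try:
            eighteenth = dob.replace(year=dob.year + 18)
        except ValueError:  # born on 29 February: the birthday falls on 1 March
            eighteenth = date(dob.year + 18, 3, 1)
        return today >= eighteenth

    def release(self, required_claims: list, rp_identity: str, today: date) -> dict:
        """Build the claim set for one RP; only the requested claims leave the card."""
        out = {}
        for claim in required_claims:
            if claim == "privatepersonalidentifier":
                out[claim] = self.ppid(rp_identity)
            elif claim == "over18":
                out[claim] = self.over_18(today)
            elif claim in self.attributes:
                out[claim] = self.attributes[claim]
            else:
                raise KeyError(f"card cannot supply claim {claim!r}")
        return out


def demo():
    """Same card, two RPs, two dates; returns the three released claim sets."""
    card = SelfIssuedCard(b"constructed-master-key-0123456789", {
        "givenname": "Alice", "dateofbirth": date(2000, 2, 29)})
    shop = card.release(["privatepersonalidentifier", "over18"], "CN=shop.example", date(2018, 2, 28))
    shop_again = card.release(["privatepersonalidentifier", "over18"], "CN=shop.example", date(2018, 3, 1))
    forum = card.release(["privatepersonalidentifier"], "CN=forum.example", date(2018, 3, 1))
    return shop, shop_again, forum


if __name__ == "__main__":
    print(demo())
```

The RP identity fed into the derivation should be something the selector can verify, such as the subject of the RP's certificate; if it were just the hostname the user typed, a phishing site could not obtain the real site's identifier either, but a site could choose its identity freely. Keying on the certificate is what ties "different identifier per relying party" to the anti-phishing perspective earlier in the deck.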
Perspective #7: CardSpace as a development framework
• Integration into .NET Framework 3.0
• IE7 integration
• Easy integration
.NET at the Core
• XP
• Vista
• W2k3
Building a Relying Party
Four key tasks:
1. Update the user database
2. Create an association page
3. Update the sign-in page
4. Update the registration page
Examples here are in ASP.NET 2.0, but this can be done in PHP/Java/Perl/etc. if required.
Create an association page

```html
<!-- ... -->
<button onclick="document.forms.CardSpacelogin.submit(); return false;">
  Update account with your Information Card
</button>

<form name="CardSpacelogin" target="_self" method="post">
  <!-- The object element invokes the Information Card selector; the token
       for the card the user picks is posted back in the "xmlToken" field. -->
  <object type="application/x-informationcard" name="xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
    <param name="issuer" value="http://schemas..../identity/issuer/self">
    <param name="requiredClaims" value="http://.../claims/givenname,
                                        http://.../claims/surname,
                                        http://.../claims/emailaddress,
                                        http://.../claims/privatepersonalidentifier">
  </object>
</form>
<!-- ... -->
```
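What the server does with the posted `xmlToken` for the four tasks on the previous slide, as an added example in Python rather than the deck's ASP.NET 2.0 (not Microsoft's sample code): it checks the SAML 1.0 assertion's validity window and audience, pulls the claims out of the AttributeStatement, and uses the privatepersonalidentifier claim as the key into the user database for association, sign-in and registration. Decrypting the token and verifying its signature are assumed to be done by the token-handling library in front of this code; the assertion is constructed sample data, and the full issuer and claim-namespace URIs are the WS-* identity URIs assumed here in place of the "..." the slide uses.

```python
"""Added example, not from the slides and not Microsoft's sample code: the
server side of the four relying-party tasks. It takes an already decrypted and
signature-checked SAML 1.0 assertion (that part is left to the token-handling
library in front of this code) and keys the user database on the
privatepersonalidentifier claim. The assertion is constructed sample data; the
issuer and claim-namespace URIs are the WS-* identity URIs assumed here."""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
NS = {"saml": SAML1}

# Constructed sample token, as it would look after decryption.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid:constructed-1" Issuer="{SELF_ISSUER}" IssueInstant="2007-03-01T12:00:00Z">
  <saml:Conditions NotBefore="2007-03-01T12:00:00Z" NotOnOrAfter="2007-03-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://shop.example/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>alice@example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>c29tZS1jb25zdHJ1Y3RlZC1wcGlk</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_claims(assertion_xml: str, my_audience: str, now_iso: str) -> dict:
    """Check the assertion's conditions and return its claims as {name: value}."""
    now = _ts(now_iso)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion was not issued for this relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # ignore claims from namespaces this RP does not understand
        claims[attr.get("AttributeName")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    if "privatepersonalidentifier" not in claims:
        raise ValueError("token carries no PPID; it cannot be mapped to an account")
    return claims


# Task 1, "update the user database": one extra table, PPID -> account name.
def associate(card_index: dict, username: str, claims: dict) -> None:
    """Task 2, the association page: bind an already signed-in account to the card."""
    card_index[claims["privatepersonalidentifier"]] = username


def sign_in(card_index: dict, claims: dict):
    """Task 3, the sign-in page: the PPID lookup replaces the username/password check."""
    return card_index.get(claims["privatepersonalidentifier"])


def register(card_index: dict, claims: dict) -> str:
    """Task 4, the registration page: create an account pre-filled from the claims."""
    ppid = claims["privatepersonalidentifier"]
    if ppid in card_index:
        raise ValueError("this card is already associated with an account")
    card_index[ppid] = claims["emailaddress"]
    return card_index[ppid]


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_ASSERTION, "https://shop.example/", "2007-03-01T12:01:00Z")
    index = {}
    print(sign_in(index, claims), register(index, claims), sign_in(index, claims))
```

Two practitioner caveats: a PPID is only meaningful inside a token whose signature has been verified, so the lookup key should really be the PPID combined with the signing key that verified it, otherwise any party that learns the string could mint a token containing it; and the validity window on a CardSpace token is minutes, so the server's clock needs to be right for the NotBefore/NotOnOrAfter check to mean anything.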
Seven Perspectives on CardSpace (recap)
1. Component of the identity metasystem
2. Abstraction layer for authentication technologies
3. Anti-phishing technology
4. User convenience
5. Security
6. Privacy
7. Development framework
Resources
Windows Vista Security
http://www.microsoft.com/windows/longhorn/security.mspx
CardSpace
http://msdn2.microsoft.com/en-us/netframework/default.aspx
http://www.identityblog.com/
http://cardspace.netfx3.com
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.