Risks of the CardSpace Protocol

Authors:
Sebastian Gajek;Jörg Schwenk;Michael Steiner;Chen Xuan
Affiliations:
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany;Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany;IBM T.J. Watson Research Center, USA;Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
Venue:
ISC '09 Proceedings of the 12th International Conference on Information Security
Year:
2009

Citing 15
Cited 1

Risks of the passport single signon protocol

Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking
Security Analysis of the SAML Single Sign-on Browser/Artifact Profile

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Analysis of Liberty Single-Sign-on with Enabled Clients

IEEE Internet Computing
Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Noxes: a client-side solution for mitigating cross-site scripting attacks

Proceedings of the 2006 ACM symposium on Applied computing
The Emperor's New Security Indicators

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Dynamic pharming attacks and locked same-origin policies for web browsers

Proceedings of the 14th ACM conference on Computer and communications security
Protecting browsers from dns rebinding attacks

Proceedings of the 14th ACM conference on Computer and communications security
Proximity breeds danger: emerging threats in metro-area wireless networks

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SSL/TLS Session-Aware User Authentication

Computer
Understanding windows cardspace: an introduction to the concepts and challenges of digital identities

Understanding windows cardspace: an introduction to the concepts and challenges of digital identities
Universally Composable Security Analysis of TLS

ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Drive-by pharming

ICICS'07 Proceedings of the 9th international conference on Information and communications security
An evaluation of extended validation and picture-in-picture phishing attacks

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security

Protected login

FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Microsoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with some add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target to attack. We examine the security of CardSpace against today's Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not prevent against replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof of concept attack. Finally, we suggest several areas of improvement.