Risks of the passport single signon protocol
Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking
Security Analysis of the SAML Single Sign-on Browser/Artifact Profile
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Analysis of Liberty Single-Sign-on with Enabled Clients
IEEE Internet Computing
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
Protecting browsers from dns rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
Proximity breeds danger: emerging threats in metro-area wireless networks
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Understanding windows cardspace: an introduction to the concepts and challenges of digital identities
Universally Composable Security Analysis of TLS
ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
ICICS'07 Proceedings of the 9th international conference on Information and communications security
An evaluation of extended validation and picture-in-picture phishing attacks
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security
Hi-index | 0.00 |
Microsoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with some add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target to attack. We examine the security of CardSpace against today's Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not prevent against replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof of concept attack. Finally, we suggest several areas of improvement.