Microsoft: CardSpace attack works but was too rigged

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.

Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.

In a sometimes sarcastic retort, Kim Cameron, who is Microsoft's chief identity architect in the Connected Systems Division, wrote that the attack requires key defenses to be lowered before the attack would work, a scenario that's unlikely in a real attack.

"For the attack to succeed, the user has to bring full administrative power to bear against her own system," Cameron wrote on his blog. "In my view, the students did not compromise CardSpace."

The researchers' paper is bad press for Microsoft and CardSpace, which the company hopes will become widely used for identity management.

The researchers, from the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, wrote in their paper it is possible to intercept the authentication tokens from CardSpace. The tokens could be reused by hackers to gain access or use other functions on another Web site.

However, intercepting the token comes after several key defenses have been breached and warnings ignored, Cameron wrote.

First, the PC's DNS (Domain Name System) configuration must be modified so that the PC's browser goes to a malicious Web site even if the proper domain name is typed in, a technique known as pharming.

Once the DNS settings have been changed, the PC's browser must be convinced the malicious Web site is not a fraudulent one. Browsers such as Internet Explorer check a Web site's certificate -- a digitally signed electronic document, issued by a certificate authority the browser already trusts, that binds the domain name to the site's public key -- and warn the user when the name or the issuer does not check out.

Part of the attack also involves tricking the user into installing a fake root certificate, so that the malicious site's forged certificate passes the check and does not trip Internet Explorer's certificate warnings. Cameron writes that installing the bogus certificate must overcome another defense, which "requires a complex manual override."
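A defender reading the two preconditions above (a pharmed name and a bogus trusted root) would want a way to look for them on a client. The following PowerShell check is an added example, not code from the article, from Microsoft or from the Bochum researchers. It assumes a placeholder relying-party hostname (`login.example.com`) and relies on two heuristics that are labelled in the comments: a hosts-file override for that name, and a root certificate present in the current user's Root store but not in the machine store, which is where a root installed by a non-administrator ends up.

```powershell
# Added check (not code from the article, Microsoft or the Bochum researchers):
# look for the two preconditions of the described attack on a Windows client.
# The relying-party hostname is an assumed placeholder.
function Find-CardSpaceAttackPreconditions {
    param(
        [string]$RelyingParty = 'login.example.com'   # assumption: host the user signs in to
    )
    $findings = @()

    # 1. Pharming via the hosts file: an uncommented line that maps the relying
    #    party's name to some address. Poisoning at the resolver (a changed DNS
    #    server) is not visible here; compare Get-DnsClientServerAddress against
    #    your expected resolvers to cover that case.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '\b' + [regex]::Escape($RelyingParty) + '\b'
    foreach ($line in Get-Content -Path $hostsPath) {
        if ($line -notmatch '^\s*#' -and $line -match $pattern) {
            $findings += [pscustomobject]@{ Kind = 'HostsOverride'; Detail = $line.Trim() }
        }
    }

    # 2. A bogus root certificate. A root installed by a non-admin user lands in
    #    the per-user Root store. On a standard configuration the Cert: provider's
    #    CurrentUser\Root view also includes the machine roots, so anything present
    #    only on the user side was added for this user (heuristic: an attacker who
    #    already has admin rights can install into LocalMachine\Root instead).
    $machine = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $machine[$_.Thumbprint] = $true }
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\Root) {
        if (-not $machine.ContainsKey($cert.Thumbprint)) {
            $findings += [pscustomobject]@{
                Kind   = 'UserOnlyRootCA'
                Detail = "$($cert.Subject) thumbprint=$($cert.Thumbprint) notBefore=$($cert.NotBefore)"
            }
        }
    }
    return $findings
}

# Usage: run in the profile of the user whose browser is being checked.
Find-CardSpaceAttackPreconditions -RelyingParty 'login.example.com' | Format-Table -AutoSize
```

An empty result does not prove the machine is clean; it only means neither of these two cheap indicators is present. A user-only root that you did not install yourself deserves the same scrutiny as an unexpected hosts entry, since either one is enough to make a forged site look genuine to the browser.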

Sebastian Gajek, one of the authors of the report, said via instant message on Monday that it isn't necessary to get the user to install a fake certificate. The browser's phishing alarm might go off, but "we argue that most of the users would ignore the warning" as some studies have shown, Gajek said.

The CardSpace protocol itself seems to be sound, Gajek said. But there are continuing security problems with how Web browsers interact with DNS that, in combination with CardSpace, make the identity management technology vulnerable, he said.

Nonetheless, Cameron posted a video disparaging the research. "The students invite you to poison your system for them," Cameron says in the video. "If you drink this poison, which they are unable to administer themselves, your system will be vulnerable to their attack."

Cameron acknowledges that the authentication token can be obtained, but notes that the information in the token, such as a log-in or password, is encrypted.

Xuan Chen and Christian Lohr, IT security students, wrote the paper. Jorg Schwenk, a professor and chairman of Network and Data Security at the institute, and Gajek acted as advisers. The paper is posted on the school's Web site.

Gajek said he did not know if the attack would work with other federated identity management protocols and their implementations in browsers.

Jeremy Kirk

IDG News Service