Microsoft: CardSpace attack works but was too rigged

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.

Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.

In a sometimes sarcastic retort, Kim Cameron, who is Microsoft's chief identity architect in the Connected Systems Division, wrote that the attack requires key defenses to be lowered before the attack would work, a scenario that's unlikely in a real attack.

"For the attack to succeed, the user has to bring full administrative power to bear against her own system," Cameron wrote on his blog. "In my view, the students did not compromise CardSpace."

The researchers' paper is bad press for Microsoft and CardSpace, which the company hopes will develop become widely used for identity management.

The researchers, from the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, wrote in their paper it is possible to intercept the authentication tokens from CardSpace. The tokens could be reused by hackers to gain access or use other functions on another Web site.

However, intercepting the token comes after several key defenses have been breached and warnings ignored, Cameron wrote.

First, the PC's DNS (Domain Name System) configuration must be modified so that the PC's browser goes to a malicious Web site even if the proper domain name is typed in, a technique known as pharming.

Once the DNS settings have been changed, the PC's browser must be convinced the malicious Web site is not a fraudulent site. Browsers such as Internet Explorer have a mechanism that checks a Web site's certificate -- an encrypted electronic document that verifies the domain name visited belongs to the Web site the browser is looking at.

Part of the attack also involves tricking a user to upload a fake root certificate that would not trip Internet Explorer's phishing alarms. Cameron writes that installing the bogus certificate must overcome another defense, which "requires a complex manual override."

Sebastian Gajek, one of the authors of the report, said via instant message on Monday that it isn't necessary to get the user to install a fake certificate. The browser's phishing alarm might go off, but "we argue that most of the users would ignore the warning" as some studies have shown, Gajek said.

The CardSpace protocol itself seems to be sound, Gajek said. But there are continuing security problems with how Web browsers interact with DNS, that, in combination with CardSpace, make the identity management technology vulnerable, he said.

Nonetheless, Cameron posted a video disparaging the research. "The students invite you to poison your system for them," Cameron says in the video. "If you drink this poison, which they are unable to administer themselves, your system will be vulnerable to their attack."

While Cameron acknowledges the authentication token can be obtained, the information in the token, such as a log-in or password, is encrypted.

Xuan Chen and Christian Lohr, IT security students, wrote the paper. Jorg Schwenk, a professor and chairman of Network and Data Security at the institute, and Gajek acted as advisers. The paper is posted on the school's Web site.

Gajek said he did not know if the attack would work with other federated identity management protocols and their implementations in browsers.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?