Microsoft: CardSpace attack works but was too rigged

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.

Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.

In a sometimes sarcastic retort, Kim Cameron, who is Microsoft's chief identity architect in the Connected Systems Division, wrote that the attack requires key defenses to be lowered before the attack would work, a scenario that's unlikely in a real attack.

"For the attack to succeed, the user has to bring full administrative power to bear against her own system," Cameron wrote on his blog. "In my view, the students did not compromise CardSpace."

The researchers' paper is bad press for Microsoft and CardSpace, which the company hopes will develop become widely used for identity management.

The researchers, from the Horst Gortz Institute for IT Security at Ruhr University in Bochum, Germany, wrote in their paper it is possible to intercept the authentication tokens from CardSpace. The tokens could be reused by hackers to gain access or use other functions on another Web site.

However, intercepting the token comes after several key defenses have been breached and warnings ignored, Cameron wrote.

First, the PC's DNS (Domain Name System) configuration must be modified so that the PC's browser goes to a malicious Web site even if the proper domain name is typed in, a technique known as pharming.

Once the DNS settings have been changed, the PC's browser must be convinced the malicious Web site is not a fraudulent site. Browsers such as Internet Explorer have a mechanism that checks a Web site's certificate -- an encrypted electronic document that verifies the domain name visited belongs to the Web site the browser is looking at.

Part of the attack also involves tricking a user to upload a fake root certificate that would not trip Internet Explorer's phishing alarms. Cameron writes that installing the bogus certificate must overcome another defense, which "requires a complex manual override."

Sebastian Gajek, one of the authors of the report, said via instant message on Monday that it isn't necessary to get the user to install a fake certificate. The browser's phishing alarm might go off, but "we argue that most of the users would ignore the warning" as some studies have shown, Gajek said.

The CardSpace protocol itself seems to be sound, Gajek said. But there are continuing security problems with how Web browsers interact with DNS, that, in combination with CardSpace, make the identity management technology vulnerable, he said.

Nonetheless, Cameron posted a video disparaging the research. "The students invite you to poison your system for them," Cameron says in the video. "If you drink this poison, which they are unable to administer themselves, your system will be vulnerable to their attack."

While Cameron acknowledges the authentication token can be obtained, the information in the token, such as a log-in or password, is encrypted.

Xuan Chen and Christian Lohr, IT security students, wrote the paper. Jorg Schwenk, a professor and chairman of Network and Data Security at the institute, and Gajek acted as advisers. The paper is posted on the school's Web site.

Gajek said he did not know if the attack would work with other federated identity management protocols and their implementations in browsers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?