idw – Informationsdienst Wissenschaft

05/30/2008 10:22

Young Researchers from RUB thwart CardSpace Authentication

Dr. Josef König Pressestelle
Ruhr-Universität Bochum

    Web 2.0 attacks break another identity management system

    Two young researchers at the Horst Görtz Institute for IT Security, Ruhr University Bochum, have shown how to break Microsoft's novel identity management system CardSpace. They demonstrate not only the theoretical feasibility of the attack but also its practicability, in a proof of concept showing that CardSpace does not guard against identity theft. More information detailing the attack and countermeasures can be found in their Technical Report: http://demo.nds.rub.de/cardspace

    CardSpace: Promising technology to revolutionize Web authentication

    Identity theft has become the fastest growing crime on the Internet. To alleviate the threats, Microsoft has rolled out a novel Web authentication system called CardSpace. It is based on open standards, so that various applications can make use of the identity metasystem, including commodity browsers like Microsoft Internet Explorer 7 or Firefox 2 (with an add-on). Because Microsoft used open standards to design and implement the metasystem, and many global players (e.g., Google, Yahoo, Verisign) have already announced that they will work closely with CardSpace, CardSpace authentication has the potential to become widely deployed on the Internet and to replace the mature password-based authentication in many promising scenarios, from eCommerce to eHealth or eVoting applications.

    The idea of CardSpace

    The idea of CardSpace authentication is straightforward. Instead of using passwords, CardSpace organizes a user's personal digital identities as visual information cards (InfoCards). Simply clicking on a card invokes an authentication process that requires the user only to confirm the information to be transmitted. The identity metasystem and the underlying cryptographic protocols take care of the rest and ensure that a security token is retrieved and forwarded to the requester. Loosely speaking, CardSpace acts like a "guardian angel" and protects the user from disclosing sensitive information to identity thieves.
    The researchers from Bochum have implemented an attack against CardSpace and show that an identity thief may filch the authentication token issued by CardSpace. This is a crucial security problem. By replaying the token, they provide evidence that it is feasible to impersonate the user and gain access to the user's services. To demonstrate not only the feasibility but also the practicability of the attack, the researchers present a proof-of-concept implementation. Against this background, the young scientists conclude that it is realistic to expect attacks against CardSpace in the wild soon.

    IT Security Research in Bochum

    Prof. Schwenk's group is part of the Horst Görtz Institute for IT Security (HGI), one of the largest university-based security research centers in Europe [4]. Prof. Schwenk's group is internationally renowned for their work in Internet security and Applied Cryptography. Ruhr University Bochum has the most comprehensive offerings in IT security education (Bachelor, Master, distance learning) in Germany.

    Further Information

    Prof. Dr. rer. nat. Jörg Schwenk, Chair for Network and Data Security, Ruhr University Bochum, Universitätsstr. 150, 44780 Bochum, Germany, Phone: (+49) (0)234 / 32-26692, eMail: joerg.schwenk@nds.rub.de


    More information:

    http://msdn.microsoft.com/en-us/library/bb882216.aspx - Information about CardSpace
    http://demo.nds.rub.de/cardspace - Technical Report
    http://www.hgi.rub.de/index_en.html - Horst Görtz Institute



    Criteria of this press release:
    Information technology
    transregional, national
    Research results
    English


     
