30.05.2008 10:22

Young Researchers from RUB thwart CardSpace Authentication

Dr. Josef König Pressestelle
Ruhr-Universität Bochum

    Web 2.0 attacks break another identity management system

    Two young researchers at the Horst Görtz Institute for IT Security, Ruhr University Bochum, have shown how to break Microsoft's novel identity management system CardSpace. They demonstrate not only the theoretical feasibility but also the practicability of the attack with a proof of concept, showing that CardSpace does not guard against identity theft. More information detailing the attack and countermeasures can be found in their Technical Report:

    CardSpace: Promising technology to revolutionize Web authentication

    Identity theft has become the fastest growing crime on the Internet. To alleviate the threat, Microsoft has rolled out a novel Web authentication system called CardSpace. It is based on open standards, so that various applications can make use of the identity metasystem, including commodity browsers such as Microsoft Internet Explorer 7 or Firefox 2 (with an add-on). Because Microsoft used open standards to design and implement the metasystem, and many global players (e.g., Google, Yahoo, Verisign) have already announced that they will work closely with CardSpace, CardSpace authentication has the potential to become widely deployed on the Internet and to replace mature password-based authentication in many promising scenarios, from eCommerce to eHealth or eVoting applications.

    The idea of CardSpace

    The idea behind CardSpace authentication is straightforward. Instead of using passwords, CardSpace organizes a user's personal digital identities as visual information cards (InfoCards). Simply by clicking on a card, an authentication process is invoked which requires the user only to confirm the information to be transmitted. The identity metasystem and the underlying cryptographic protocols handle the remainder and ensure that a security token is retrieved and forwarded to the requester. Loosely speaking, CardSpace acts like a "guardian angel" and protects the user from disclosing sensitive information to identity thieves.
    The researchers from Bochum have implemented an attack against CardSpace and show that an identity thief may steal the authentication token issued by CardSpace. This is a crucial security problem. By replaying the token, they provide evidence that it is feasible to impersonate the user and gain access to the user's services. To demonstrate not only the feasibility but also the practicability of the attack, the researchers present a proof of concept implementation. Against this background, the young scientists conclude that it is realistic to expect attacks against CardSpace in the wild soon.
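The weakness the press release describes is that a stolen security token can be replayed to the relying party. The usual defence on the relying-party side is strict token validation: check the signature, accept the token only for the audience it was minted for, only within its lifetime, and only once. The following is an added example and is not code from the Bochum report or from CardSpace itself; it uses a constructed HMAC-signed JSON token and a shared demo key instead of the signed XML/SAML tokens CardSpace actually issues, and the `issue_token` function and `RelyingParty` class are hypothetical names chosen for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo key shared by issuer and relying party. Real CardSpace tokens
# are signed XML/SAML with asymmetric keys; the replay checks below are the point.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(body: str) -> str:
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_token(subject: str, audience: str, now: int, ttl: int = 300,
                token_id: Optional[str] = None) -> str:
    """Identity-provider side (hypothetical): mint a short-lived token bound to one audience."""
    claims = {
        "sub": subject,
        "aud": audience,          # the single relying party this token is valid for
        "iat": now,
        "exp": now + ttl,         # short lifetime limits the window a stolen token is usable
        "jti": token_id or secrets.token_hex(16),  # unique id so reuse can be detected
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


class RelyingParty:
    """Hypothetical relying party: accepts a token at most once, unexpired, for itself only."""

    def __init__(self, audience: str):
        self.audience = audience
        # jti -> exp; an id is remembered until the token could not be valid anyway
        self._seen: Dict[str, int] = {}

    def validate(self, token: str, now: int) -> Tuple[bool, str]:
        body, sep, sig = token.rpartition(".")
        # Constant-time comparison of the presented and recomputed signatures.
        if not sep or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return False, "bad signature"
        try:
            claims = json.loads(base64.urlsafe_b64decode(body.encode()))
        except ValueError:
            return False, "malformed body"
        if claims.get("aud") != self.audience:
            return False, "audience mismatch"   # token minted for another site
        if now >= claims.get("exp", 0):
            return False, "expired"
        # Forget ids of tokens that have expired; they can no longer pass the check above.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        jti = claims.get("jti")
        if not jti or jti in self._seen:
            return False, "replay"             # same token presented a second time
        self._seen[jti] = claims["exp"]
        return True, claims["sub"]


if __name__ == "__main__":
    shop = RelyingParty("https://shop.example")
    token = issue_token("alice", "https://shop.example", now=1000)
    print(shop.validate(token, 1001))   # accepted once
    print(shop.validate(token, 1002))   # second presentation is rejected as a replay
```

A one-time `jti` cache only works per relying party, so the audience check matters as much as the replay check: without it, a token captured at one site could be presented to another. In a deployment with several servers the seen-id store would have to be shared, and the lifetime kept short enough that the store stays small.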

    IT Security Research in Bochum

    Prof. Schwenk's group is part of the Horst Görtz Institute for IT Security (HGI), one of the largest university-based security research centers in Europe [4]. The group is internationally renowned for its work in Internet security and applied cryptography. Ruhr University Bochum has the most comprehensive offerings in IT security education (Bachelor, Master, distance learning) in Germany.

    Further Information

    Prof. Dr. rer. nat. Jörg Schwenk, Chair for Network and Data Security, Ruhr University Bochum, Universitätsstr. 150, 44780 Bochum, Germany, Phone: (+49) (0)234 / 32-26692, eMail:

    Further information: - Information about CardSpace - Technical Report - Horst Görtz Institute

