idw – Informationsdienst Wissenschaft

Nachrichten, Termine, Experten

Grafik: idw-Logo
Grafik: idw-Logo

idw - Informationsdienst
Wissenschaft

Science Video Project
idw-Abo

idw-News App:

AppStore

Google Play Store



Instance:
Share on: 
05/30/2008 10:22

Young Researchers from RUB thwart CardSpace Authentication

Dr. Josef König Pressestelle
Ruhr-Universität Bochum

    Web 2.0 attacks break another identity management system

    Two young researchers at Horst Görtz Institute for IT-security, Ruhr University Bochum have shown how to break Microsoft's novel identity management system CardSpace. They demonstrate not only the theoretical feasibility, but also the attack's practicability in of proof of concept that CarSpace does not guard against identity theft. More information detailing the attack and countermeasures can be found in their Technical Report: http://demo.nds.rub.de/cardspace

    CardSpace: Promising technology to revolutionize Web authentication

    Identity theft has become the fastest growing crime on the Internet. To alleviate the threats Microsoft has enrolled a novel Web authentication system called CardSpace. It bases on open standards, such that various applications can make use of the identity metasystem including commodity browsers like Microsoft Internet Explorer 7 or Firefox 2 (with some add-on). Due to the fact that Microsoft used open standards to design and implement the metasystem and many global players (e.g., Google, Yahoo, Verisign) have already announced to work closely with CardSpace, CardSpace authentication has the potential to become widely deployed on the Internet and replace the mature password-based authentication in many promising scenarios from eCommerce to eHealth or eVoting applications.

    The idea of CardSpace

    The idea of CardSpace authentication is perspicuous. Instead of using passwords, CardSpace organizes user's personal digital identities as visual information card (InfoCard). Simply by clicking on the card, a process of authentication is invoked which requires the user only to confirm the information to be transmitted. The identity metasystem and the underlying cryptographic protocols provide the remainder and assure that a security token is retrieved and forwarded to the requester. Loosely speaking, CardSpace acts like a "guarding angel" and protects the user from disclosing sensitive information to identity thieves.
    The researchers from Bochum have implemented an attack against CardSpace and show that an identity thief may filch the authentication token issued by CardSpace. This is a crucial security problem. By replaying the token, they prove evidence that it is feasible to impersonate the user and gain access to the user's services. In order to demonstrate not only the feasibility, but also the attack's practicability, the researchers present a proof of concept implementation. Against this background, the young scientists conclude that it is realistic to expect attacks against CardSpace soon in the wild.

    IT Security Research in Bochum

    Prof. Schwenk's group is part of the Horst Görtz Institute for IT Security (HGI), one of the largest university-based security research centers in Europe [4]. Prof. Schwenk's group is internationally renowned for their work in Internet security and Applied Cryptography. Ruhr University Bochum has the most comprehensive offerings in IT security education (Bachelor, Master, distance learning) in Germany.

    Further Information

    Prof. Dr. rer. nat. Jörg Schwenk, Chair for Network and Data Security, Ruhr University Bochum, Universitätsstr. 150, 44780 Bochum, Germany, Phone: (+49) (0)234 / 32-26692, eMail: joerg.schwenk@nds.rub.de


    More information:

    http://msdn.microsoft.com/en-us/library/bb882216.aspx - Information about CardSpace
    http://demo.nds.rub.de/cardspace - Technical Report
    http://www.hgi.rub.de/index_en.html - Horst Görtz Institute


    Images

    Criteria of this press release:
    Information technology
    transregional, national
    Research results
    English


     

    Help

    Search / advanced search of the idw archives
    Combination of search terms

    You can combine search terms with and, or and/or not, e.g. Philo not logy.

    Brackets

    You can use brackets to separate combinations from each other, e.g. (Philo not logy) or (Psycho and logy).

    Phrases

    Coherent groups of words will be located as complete phrases if you put them into quotation marks, e.g. “Federal Republic of Germany”.

    Selection criteria

    You can also use the advanced search without entering search terms. It will then follow the criteria you have selected (e.g. country or subject area).

    If you have not selected any criteria in a given category, the entire category will be searched (e.g. all subject areas or all countries).