Security of Microsoft's Identity Metasystem and CardSpace

Conference: KiVS 2007 - Kommunikation in Verteilten Systemen - 15. ITG/GI-Fachtagung
02/26/2007 - 03/02/2007 in Bern, Switzerland

Proceedings: KiVS 2007

Pages: 12
Language: English
Type: PDF

Oppliger, Rolf (eSECURITY Technologies, Beethovenstrasse 10, CH-3073 Gümligen)
Gajek, Sebastian (Ruhr University Bochum, Universitätsstrasse 150, D-44780 Bochum)
Hauser, Ralf (PrivaSphere AG, Jupiterstrasse 49, CH-8032 Zürich)

Microsoft has designed and proposed an identity metasystem that is user-centric and consistent with open Web services (WS-*) standards. An implementation of the metasystem is, for example, available in the .NET Framework 3.0. It interfaces to the user by providing an identity selector named CardSpace (formerly codenamed InfoCard). Various applications can make use of CardSpace, including, for example, Microsoft Internet Explorer 7. We therefore expect Microsoft’s identity metasystem and CardSpace to become widely deployed on the Internet and a popular target to attack. In this paper, we elaborate on the security of Microsoft’s identity metasystem and CardSpace.