Token Decryption Service for CardSpace

Via Richard Turner's blog, the announcement of an architecturally superior  token decryption component devised by Dominick Baier at leastprivilege.com

Dominick  and Richard have blogged previously about mitigating the dangers involved in allowing web middleware and front-end software to process encrypted payloads.  Decrypting a payload involves access to a private key.  The broader the range of applications that can get to the key, the greater the attack surface.  This led to discussions about:

  1. Re-factoring the token decryption code into an assembly that runs under full trust whilst the site runs under partial trust
  2. Building a Token Decryption Service to which you can pass your encrypted blob and you get back a list of claims, PPID and issuer key.

And that is exactly the problem Dominick has tackled:

Web Applications that want to decrypt CardSpace tokens need read access to the SSL private key. But you would increase your attack surface tremendously if you directly grant this access to the worker process account of your application. I wrote about this in more detail here and Richard Turner followed up here.

Together with my colleagues at Thinktecture (thanks Christian and Buddhike for code reviewing and QA) I wrote an out-of-proc token decryption service that allows decrypting tokens without having to have direct access to the private key in the application, the idea is as follows:

Your web application runs under its normal least privilege account with no read access to the private key. The token decryption service runs as an NT service on the same machine under an account that has read access. Whenever the application has to decrypt a token, it hands the encrypted token to the token decryption service which (in this version) simply uses the TokenProcessor to return a list of claims, a unique ID and the issuer key.

The token decryption service is implemented as a WCF service that uses named pipes to communicate with the applications. To make sure that only authorized applications can call into the service, the application(s) have to be member of a special Windows group called “TokenDecryptionUsers” (can be changed in configuration to support multiple decryption services on the same machine). I also wrote a shim for the WCF client proxy that allows using this service from partially trusted web applications.

The download contains binaries, installation instructions and the full source code. I hope this helps CardSpace adopters to improve the security of their applications and servers. If you have any comments or questions – feel free to contact me.

The approach is a good example of the “alligators and snakes” approach I discussed here recently.

Christian shows his controls for Visual Studio

Christian Arnold has now done a video where he shows how simple it is to add Information Card support to the “out of the box” Visual Studio membership provider. He has written some really cool controls. 

I think Christian is right on target – at the head of the pack in terms of getting this type of tool out there.  He invites people to download his controls and try them out.

When I first ran the video from his page it chopped off the properties part of the screen – which is the interesting part.  If this happens just right mouse click on the player and select “full screen”. 

newtelligence CardSpace API

Sergey Shishkin reports that a new developer's kit will be released by newtelligence AG.

newtelligence AG announces plans to release the newtelligence CardSpace SDK, a Software Development Kit for Microsoft Windows CardSpace. The SDK, based on newtelligence expertise in information security, will help developers build more robust CardSpace-enabled application on the .NET platform – with ease.Microsoft .NET Framework 3.0 was released in November 2006 and introduced Windows CardSpace – a user-centric digital identity solution.

CardSpace allows developers to leverage federated security and single sign-on in their solutions. As a leading security expert company, newtelligence investigated .NET Framework 3.0 and Windows CardSpace starting from its early, pre-released versions and developed technology samples to clearly demonstrate to customers the underlying technology as well as provide best practices for its use.

Although CardSpace is based on the standardized web service security protocols (WS-* standards), developing CardSpace-enabled applications is challenging. Developers have to possess solid knowledge not only in web service security protocols but also in cryptography and XML.

newtelligence SDK for Windows CardSpace will provide a comprehensible API for key CardSpace application scenarios: Programmatic creation of managed information cards; requesting and validating security tokens in Microsoft Windows and web applications; and issuing security tokens. Use of the API will increase software security and developer productivity: Writing secure software is simplified and less software coding is required to achieve the desired, secure functionality. To aid understanding of the SDK and of CardSpace in general, a reference application and additional code samples covering different aspects of the API usage will accompany the SDK.

The newtelligence CardSpace SDK will contain complete source code of the API and is intended for personal use only. For more information regarding availability, licensing or reuse of the SDK, please contact us.

One of Sergey's readers comments:

How about just releasing it instead of announcing the announcement ;)

Sergey responds:

Dominick, the work is in progress now. The release is of course the goal :)

I'm glad to see Dominick so itchy.  Sergey says he will host a discussion about the API on his blog.

New CardSpace show

Richard Turner and Garrett Serack have been featured in a CardSpace episode on Microsoft's popular .NET Show:

The .NET Show hosts Microsoft's Richard Turner, product manager, and Garrett Serack, community product manager, to talk about how Microsoft CardSpace solves the problem of securely managing your digital identity on the web.

CardSpace supports an industry-wide secure method for allowing users to authenticate themselves to websites and applications that removes the need for users to remember countless account names and passwords.

Two new CardSpace videos by Richard Turner

My colleague Richard Turner  has just done a Channel 9 CardSpace Simple Demo that begins with a detailed look at the user experience, exploring many features of the interface, explaining why we put them there, and showing CardSpace working with both IE 7 and FireFox. 

It then moves on to a code walkthrough using visual studio, showing how to tweak your site so it accepts Information Cards (produced by CardSpace or other interoperable implementations).

I suspect the hardest part of enabling a site for Cardspace V1.0 is setting up the ssl certificate.  And Richard must agree, because he has gone the extra length and produced a second Channel 9 video that shows How to Configure IIS to Support Windows CardSpace.  I sure wish I had this when I started fooling around with this stuff!

The source code for the demo will be posted here this week.  Richard is working on other related videos as well.

New Visual Studio Toolkit for CardSpace

If you use visual studio and are interested in CardSpace, you'll be interested in Christian Arnold's brand new “Visual Studio 2005 Toolbox for Windows CardSpace”.  It looks like it makes the task of CardSpace enabling .NET 2.0 apps as easy as pie.  I'm out of the country now but can't wait to try it.

You can download the tools here.  Christian also runs what he calls a “little support forum“.

The ToolBox provides an easy way to use Windows CardSpace in your ASP.NET 2.0 Web-Application to register and validate your users. It´s also possible to use the controls to receive a SAML token and get the decrypted values of provided claims. The token decrypting process is build based on the community sample.

The install process looks pretty straightforward – you just add the tools to your toolbox:

 

That adds two new controls to your Visual Studio 2005 ToolBox:

Here's a taste of how you use the CreateCardSpaceUserWizard Control:

 

You need to add a little configuration:

<cc1:CreateCardSpaceUserWizard ID=”CreateCardSpaceUserWizard1″ runat=”server” BuildInRegistration=”False” OnUserRegistered=”CreateCardSpaceUserWizard1_UserRegistered1″>

<cc1:IdentityClaim ClaimUri= “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier” />

<cc1:IdentityClaim ClaimUri= “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” />

</cc1:CreateCardSpaceUserWizard>

Christian explains that this causes the system to request the privatepersonalidentifier and the emailadress of a new user powered with CardSpace or other Information Card identity selector.

He explains that by defining the claim

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

the control will store the emailaddress automatically, so you don't have not to worry about this :-)

After registration the control will fire the UserRegistered Event. The eventargs will tell you the result of the operation and the provided claims as a NameValueCollection.
 
Christian goes on to explain how to use the system with the default ASP.NET 2.0 Membership-Provider. 

Clearly, there are a great many sites built on this Membership-provider technology and the emergence of this toolkit in the identity ecosystem is a major event.

Bandit and Higgins hit interop milestone

I was so snowed under trying to work against time for the OpenID annoucement at RSA that I missed blogging another imporant milestone that has been reached by the identity community.  This report on progress in the Higgins and Bandit side of the house is great news for everyone:

The Bandit and Eclipse Higgins Projects today announced the achievement of a key milestone in the development of open source identity services. Based on working code from the two projects and the larger community of open source developers, the teams have created a reference application that showcases open source identity services that are interoperable with Microsoft’s Windows* CardSpace* identity management system and enable Liberty Alliance-based identity federation via Novell® Access Manager. This reference application is a first-of-its-kind open source identity system that features interoperability with leading platforms and protocols. This ground-breaking work will be demonstrated at the upcoming RSA Conference in San Francisco.

“There are two basic requirements for translating the potential of recent identity infrastructure developments into real-world benefits for users: interoperability and a consistent means of developing identity-aware applications,” said Jamie Lewis, CEO and research chair of Burton Group. “First, vendors must deliver on their promise to enable interoperability between different identity systems serving different needs. Second, developers need a consistent means of creating applications that leverage identity while masking many of the underlying differences in those systems from the programmer. The Bandit and Eclipse Higgins interoperability demonstration shows progress on the path toward these goals. And the fact that they are open source software projects increases the potential that the identity infrastructure will emerge as a common, open system for the Internet.”

The Bandit and Higgins projects are developing open source identity services to help individuals and organizations by providing a consistent approach to managing digital identity information regardless of the underlying technology. This reference application leverages the information card metaphor that allows an individual to use different digital identity ‘I-Cards’ to gain access to online sites and services. This is the metaphor used in the Window’s CardSpace identity management system that ships with the Vista* operating system.

“Windows CardSpace is an implementation of Microsoft’s vision of an identity metasystem, which we have promoted as a model for identity interoperability,” said Kim Cameron, architect for identity and access at Microsoft. “It’s rewarding to see the Bandit and Higgins projects, as well as the larger open source community, embracing this concept and delivering on the promise of identity interoperability.”

The open source technology developed by Bandit and Higgins enables initial integration between a non-Liberty Alliance identity system and a Liberty Alliance-based federated identity system provided by Novell Access Manager. Specifically, these technologies enable Novell Access Manager to authenticate a user via a Microsoft infocard (CardSpace) and consume identity information from an external identity system. It will further show that identity information from Novell Access Manager can be used within an infocard system. This is a significant step forward in the integration of separate identity systems to deliver a seamless experience for the user as demonstrated by the reference application.

“The Liberty Alliance project fully supports the development of open source identity services that advance the deployment of Liberty-enabled federation and Web Services as part of the broader Internet identity layer,” said Brett McDowell, executive director of the Liberty Alliance. “The open source community’s embrace of Liberty Alliance protocols is validation of the benefits this technology provides, and we salute the Bandit and Higgins teams for their role in making the technology more broadly accessible.”

Higgins is an open source software project that is developing an extensible, platform-independent, identity protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information. The reference application leverages several parts of Higgins including an identity abstraction layer called the Identity Attribute Service (IdAS). To support a dynamic environment where sources of identity information may change, it is necessary to provide a common means to access identity and attribute information from across multiple identity repositories. The IdAS virtualizes identity sources and provides a unified view of identity information. Different identity stores or identity management systems can connect to the IdAS via “context providers” and thus provide interoperability among multiple systems.

“Many groups have been working towards the goals of Internet identity interoperability,” said Paul Trevithick, technology lead for the Higgins project. “This milestone represents a major step in having multiple open source projects work together to support multi-protocol interoperability.”

The Bandit project, sponsored by Novell, is focused on delivering a consistent approach to enterprise identity management challenges, including secure access and compliance reporting. The Bandit team’s contributions to the reference application include the development of multiple “context providers” that plug into the Higgins Identity Attribute Service (IdAS) abstraction layer to provide access to identity information across disparate identity stores. It also showcases the role engine and audit reporting capabilities in development by the Bandit community.

“The development of this reference application would not have been possible without the collaboration and contribution of the wider Internet identity community,” said Dale Olds, Bandit project lead and distinguished engineer for Novell. “This is the first of many milestones we are working towards as both the Bandit and Higgins communities strive to enable interoperable, open source identity services.”

So congratulations to Bandit, Higgins and everyone else who made this happen – this is great stuff, and the identity big bang is one step closer for it.

New InfoCard Profile documents available

Arun Nanda, Mike Jones, and others both at Microsoft and Ping have been working very hard for a long time now to make sure the profile we used to build our prototypes, and then our product, was being fully shared with everyone else who wanted to interoperate.  This has also involved an ongoing attempt to make sure the profile was clear enough to be useful.

Today I'm posting new versions that I think are a lot clearer (let me know!)  First, here is A Guide to Supporting Information Cards within Web Applications and Browsers as of the Information Card Profile V1.0.  I think anyone adding InfoCards to their site will find this document useful.

In addition I'm putting up two documents intended for people who really want to get into the details of how to implement the underlying toolkits and platforms.  Don't feel compelled to read them if you aren't doing this type of work!  They are part of the process of working with our colleagues in OSIS, Higgins, etc – those building Identity Selectors and the system software that powers managed card providers and claims transformers.  The papers will also be of interest to academics and people who really like to get way down into how things work.   You should begin with A Guide to Interoperating with the Infomation Card Profile V1.0.  I'll post the second document (the normative technical reference) in a couple of days.

I'm beginning by putting these docs up here so everyone in the identity community can get access to them ASAP.  Ultimately, they will appear in many other places, including MSDN.

 

Practical Guide To Certificate Installation for the Disinterested

It's a bit tricky to install certificates and keys, and harder still when you want to use the same certificate on both Windows and *NIX boxes.  Most of us don't have to install certificates very often (!), but that doesn't make it any easier! If you're like me you forget at least one of the annoying little essential details.

So partly in light of questions I've been receiving, and partly so next time I encounter these problems I remember how I answered them, I'm putting together what I hope might be a useful “Practical Guide to Certificate Installation for the Disinterested“.  In other words, I'm NOT discussing how to use certificates in production environments.

I'm kind of starting in the middle, but I've got three pieces ready so far.  If you're not familiar with this area, OpenSSL is an open source tool for managing certificates and IIS is Microsoft's Internet Information Server (i.e. Web server).  If you see problems with my instructions, please let me know.

Now for the pithy titles:

I'm also going to tackle the issue of creating InfoCard-compatible certs for testing and developing purposes.  If others want to add other sections let me know.

 

Information Cards supported on Community Server

Armand du Plessis at Impersonation Falure writes about his work to add Information Card support to his Community Server:

A couple of days ago I enabled experimental Windows Cardspace support on http://dotnet.org.za/. I mentioned that I'll post the source code and controls but with Tech-Ed Africa and some other work I never got around to posting it.

So now the updated Community Server files is available here and the source code for both the Community Server controls and the underlying ASP.NET controls available here.

To enable Community Server to make use of Information Cards for authentication the following steps are required :

  • Install and configure your site with a SSL certificate. (Make sure it's a certificate issued by a Certification Authority trusted by popular browsers so you don't make the same mistake as me. See this post for more info)
  • Grant access to the certificate's private key to your application pool user. Easiest method to do this is using the winhttpcertcfg.exe utility.
    • winhttpcertcfg -g -c CertLocation -s SubjectStr -a Account
  • Add your certificate's thumbprint to your web.config appSettings section so the Token processor helper class can find it :
    • The thumbprint can be obtained through the MMC Certificates snap-in.
  • Unzip the updated Community Server files over the CS web files. The following files will be replaced so make sure you've backed them up before this step :
    • \Themes\default\Masters\master.ascx
    • \Themes\default\Skins\Skin-EditProfile.ascx
    • \login.aspx

How it works is relatively straigth forward, kudos to the design of the Cardspace web integration and the Community Server SDK. A quick explanation :

The source consists of four core controls :

  1. Adp.CardSpace.InformationCardRequest - A very basic ASP.NET control that takes care of rendering the < object > element used to engage the Identity Selector with the desired claims the Relying Party wants from the Identity Provider. This can either be placed in the head of the page when working together with the InformationCardSubmit control, or as a standalone in a form body.
  2. Adp.CardSpace.InformationCardSubmit -  Another basic ASP.NET control that renders the required script and a button that can be used to engage the Identity Card Selector. It is meant for consumption by higer-level controls that can subscribe to it's OnTokenReady event which is fired when a postback triggered by the ICS happens.
  3. Adp.CommunityServer.Controls.Association – A Community Server control used in the profile section to allow a user to associate an Information Card with his/her account.
  4. Adp.CommunityServer.Controls.CardSpaceLogin – A Community Server control used to authenticate the user using his Information Card instead of the usual username/password.

The claim requirements is expressed through the Claims property on the Adp.Cardspace.InformationCardRequest control. This can be done programmatically or declaratively and the control added either to the page head or to a form body. Adding the control to the page head as done in the Community Server integration allows for fine grained control over when the Identity Selector is invoked without interfering with other form submit buttons on your page.

Below is an extract from master.ascx which embeds a request for two claims, email and PPID, into the page. (By default self-issued cards are accepted but this can be configured through the Issuer property on the control) 

< CS:Head runat="Server">
< meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
< CS:Style id="UserStyle" runat="server" visible = "true" />
< CS:Style id="s2" runat="server" visible = "true" Href="../style/Common.css" />
< CS:Style  runat="server" Href="../style/common_print.css" media="print" />
< CS:Script id="s" runat="server"  />
< ADP:InformationCardRequest ID="_xmlToken" runat="server" Claims-Capacity="4">
< ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Required="true" />
< ADP:ClaimDto ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Required="true" />
ADP:InformationCardRequest>
CS:Head>

 Where the Identity Selector trigger is required the Adp.Cardspace.InformationCardSubmit control is placed. The sole responsibilty of this control is to invoke the Identity Selector and raise an OnTokenReady event which can be consumed by other interested parties. Below is an extract from the Skin-CardspaceLogin.ascx (a Community Server control which uses the InformationCardSubmit control to obtain the encrypted token)

< ADP:InformationCardSubmit CssClass = "CommonTextButtonBig" runat="server" id="csSubmit" />

 That's all that's required to invoke the ICS. To decrypt and extract the token using the very useful TokenProcessor from the Microsoft samples the following code is required to hookup and handle the OnTokenReady event. (This code is in the above mentioned CardSpaceLogin control, a composite control utilizing the InformationCardSubmit control and other default Community Server Controls) 

protected override void  AttachChildControls()
{
submit = FindControl("csSubmit") as InformationCardSubmit;
message = FindControl("csMessage") as StatusMessage;
 
submit.OnTokenReady += new EventHandler(submit_OnTokenReady);

if ((submit == null) || (message == null))
throw new CSException(CSExceptionType.SkinNotSet);
}

The Token helper class takes care of decrypting and extracting all the tokens from the postback. (The token helper class is available in the samples on http://wcs.netfx3.com)

After breaking out the tokens we can access them through the indexed Claims property. All the claims we expressed in the InformationCardRequest control above is available for use in your code.  In the sample below the token's unique id is extracted and assigned to an extended profile attribute in Community Server.

void submit_OnTokenReady(object sender, TokenEventArgs e)
{
try {
Token token = new Token(e.TokenValue);

if(context.User.Email !=
token.Claims[System.IdentityModel.Claims.ClaimTypes.Email]) {

DisplayMessage(ResourceManager.GetString("Association_EmailMismatch",
CSUtil.CsResourceFilename), false);
return;
}
 
context.User.SetExtendedAttribute(CSUtil.CsExtendedAttributeName,
token.UniqueID);

Users.UpdateUser(context.User);
 
DisplayMessage(
ResourceManager.GetString("Association_Success",
CSUtil.CsResourceFilename),true);
 
}
catch (Exception e1) {
string displayMessage = ResourceManager.GetString("Association_GenericException",
CSUtil.CsResourceFilename);
 
CSException e2 = new CSException(CSExceptionType.UnknownError,
displayMessage, e1);

e2.Log();
 
DisplayMessage(displayMessage, false);
}
}

Some limitations in this implementation is that it currently don't detect whether or not the browser supports Infocards. Also triggering the Identity Selector through script currently don't seem to be supported by the Firefox Identity Selector plug-in.

Currently the implementation on dotnet.org.za still suffers from the use of the Starfield SSL certificate which requires users to first import the Intermediate Certificate as a trusted issuer before Cardspace will accept it. This will be rectified soon.

Links: