Weaknesses of Strong Authentication?

Here is a piece by Robert Richardson from the CSI Blog. He discusses what one of his colleagues calls “some of the weaknesses or downright drawbacks of strong authentication methods”:

There's this author named Kathy Sierra who's currently at the center of one of those firestorms that break out on the Web now and again. Some threatening material regarding her was posted on the Web, she blames some fairly prominent bloggers for being involved in one way or another, and the rest seems to be finger pointing and confusion.

One detail of the saga worth considering is that one of the implicated bloggers claims that actions were taken by someone using his identity and access to his passworded accounts (this is quoted from Kim Cameron's Blog):

I am writing this from a new computer, using an email address that will be deleted at the end of this. I am no longer me. My main machine, despite my best efforts, has been hacked, my accounts compromised including my email, and has been disconnected from the internet.

How did this happen? When did this happen?

This is, to be sure, something of a doomsday scenario for an individual user – the complete breach of one's identity across all the systems one uses and cares about (I'm assuming that the person in question, Allen Harrell, is telling the truth about being hacked).

Kim Cameron writes this on his blog:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder – assuming we get to the point where our blogging software is safe too.

But I'm not convinced of this for a couple of reasons. First, Information Cards may or may not make breaking into someone's site unbelievably harder. Hackers sidestep the authentication process (strong or otherwise) all the time. Second, the perception of super-duper strong identity management may make it harder to prove that one's identity was in fact hacked.

InfoCard credentials are only more reliable if the system where they are being used is highly secure. If I'm using a given highly trusted credential from my system, but my system has been compromised, then the situation just looks worse for me when people start accusing me of misdeeds that were carried out in my name.

Many discussions about better credentialing begin from an underlying presumption that there will be a more secure operating system providing protection to the credentials and the subsystem that manages them. But at present, no one can point to that operating system. It certainly isn't Vista, however much improved its security may be.

Designing for Breach

I agree with Robert that credentials are only part of the story.  That's why I said, “assuming we get to the point where our blogging software is safe too.” 

Maybe that sounds simplistic.  What did I mean by “safe”? 

I'll start by saying I don't believe the idea of an unbreachable system is a useful operational concept.  If we were to produce such a system, we wouldn't know it.  The mere fact that a system hasn't been breached, or that we don't know how it could be, doesn't mean that a breach is not possible.  The only systems we can build are those that “might” be breached.

The way to design securely is to assume your system WILL be breached and create a design that mitigates potential damage.  There is nothing new in this – it is just risk management applied to security.

As a consequence, each component of the system must be isolated – to the extent possible –  in an attempt to prevent contagion from compromised pieces.

Security Binarism versus Probabilities

I know Robert will agree with me that one of the things we have to avoid at all costs is “security binarism”.  In this view, either something is secure or it isn't secure.  If its adherents can find any potential vulnerability in something, they conclude the whole thing is vulnerable, so we might as well give up trying to protect it.  Of course this isn't the way reality works – or the way anything real can be secured.

Let's use the analogy of physical security.  I'll conjure up our old friend, the problem of protecting a castle. 

You want a good outer wall – the higher and thicker the better.  Then you want a deep moat – full of alligators and poisonous snakes.  Why?  If someone gets over the wall, you want them to have to cross the moat.  If they don't drown in the moat, you want them to be eaten or bitten (those were the days!).  And after the moat, you would have another wall, with places to launch boiling oil, shoot arrows, and all the rest.  I could go on, but will spare you the obviousness of the exercise.

The point is, someone can breach the moat, but will then hit the next barrier.  It doesn't take a deep grasp of statistics to see that if there is a probability of breach associated with each of these components, the probability of breaking through to the castle keep is the product of all the probabilities.  So if you have five barriers, then even if each has a very high probability of breach (say 10%), the overall probability of breaking through all the barriers is just .001%.  This is what lies behind the extreme power of combining numerous defences – especially if breaking through each defence requires completely unrelated skills and resources.
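To make the arithmetic of the castle argument concrete, here is a small added example (mine, not part of the original post) that multiplies the per-barrier breach probabilities exactly as the paragraph describes, and also shows the caveat hidden in the phrase “completely unrelated skills and resources”: the product only holds when the barriers fail independently. If every barrier shares one weakness, beating the weakest one beats them all, and the layered probability collapses to that single figure. The probabilities and barrier counts are constructed for illustration.

```python
"""Breach probability of layered defences.

Added example, not code from the post.  With n independent barriers, each
breached with probability p_i, the attacker reaches the keep with
probability prod(p_i).  The dependent case models barriers that share a
single weakness (fully correlated failures), where the overall probability
is just that of the most permeable barrier.
"""
from functools import reduce
from operator import mul


def independent_breach(probabilities):
    """Probability of getting through every layer when layers fail
    independently: the product of the per-layer probabilities."""
    return reduce(mul, probabilities, 1.0)


def dependent_breach(probabilities):
    """Worst case when all layers share one weakness: whoever breaches the
    most permeable layer breaches them all, so no multiplication happens."""
    return max(probabilities)


def layers_needed(per_layer, target):
    """Smallest number of identical, independent layers (each breached with
    probability `per_layer`) that pushes the overall breach probability to
    `target` or below."""
    n, overall = 0, 1.0
    while overall > target:
        n += 1
        overall *= per_layer
    return n


if __name__ == "__main__":
    castle = [0.10] * 5  # five barriers, each with a 10% chance of breach
    print(f"independent: {independent_breach(castle):.6%}")  # 0.001000%
    print(f"dependent:   {dependent_breach(castle):.6%}")    # 10.000000%
    print(f"layers of 50% needed to get below 1%: {layers_needed(0.5, 0.01)}")
```

The `dependent_breach` figure is the one to keep in mind when the same password, the same unpatched library, or the same administrator account sits behind every barrier: the five-layer design then offers no more than one layer would.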

But despite the best castle design, we all know that the conquering hero can still dress up as a priest and walk in through the drawbridge without being detected (I saw the movie).  In other words, there is a social engineering attack.

So, CardSpace may be nothing more than a really excellent moat.  There may be other ways into the castle.  But having a really great moat is in itself a significant advance in terms of “defence in depth”. 

Beyond that, Information Cards begin to frame many questions better than they have been framed in the past – questions like, “Why am I retaining data that creates potential liability?”

In terms of Robert's fear that strong authentication will lead to hallucinations of non-repudiation, I agree that this is a huge potential problem.   We need to start thinking about it and planning for it now.  CSI can play an important role in educating professionals, government and citizens about these issues. 

I recently expanded on these ideas here.

Christian shows his controls for Visual Studio

Christian Arnold has now done a video where he shows how simple it is to add Information Card support to the “out of the box” Visual Studio membership provider. He has written some really cool controls. 

I think Christian is right on target – at the head of the pack in terms of getting this type of tool out there.  He invites people to download his controls and try them out.

When I first ran the video from his page it chopped off the properties part of the screen – which is the interesting part.  If this happens just right mouse click on the player and select “full screen”. 

Jon Udell on the Sierra affair

Jon Udell put up this thought-inducing piece on the widely discussed Sierra affair earlier this week, picking up on my piece and the related comment by Richard Gray.   

Kim Cameron had the same reaction to the Sierra affair as I did: Stronger authentication, while no panacea, would be extremely helpful. Kim writes:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder.

Commenting on Kim’s entry, Richard Gray (or, more precisely, a source of keystrokes claiming to be one of many Richard Grays) objects on the grounds that all is hopeless so long as digital and real identities are separable:

For so long identity technical commentators have pushed the idea that a person’s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn’t do this thing, some other puppet master did.’

Yep, it’s a problem, and there’s no bulletproof solution, but we can and should make it a lot harder for the impersonating puppet master to seize control of the strings.

Elsewhere, Stephen O’Grady asks whether history (i.e., a person’s observable online track record) or technology (i.e., strong authentication) is the better defense.

My answer to Stephen is: You need both. I’ve never met Stephen in person, so in one sense, to me, he’s just another source of keystrokes claiming to represent a person. But behind those keystrokes there is a mind, and I’ve observed the workings of that mind for some years now, and that track record does, as Stephen says, powerfully authenticate him.

“Call me naive,” Stephen says, “but I’d like to think that my track record here counts for something.”

Reprising the comment I made on his blog: it counts for a lot, and I rely on mine in just the same way for the same reasons. But: counts for whom? Will the millions who were first introduced to Kathy Sierra and Chris Locke on CNN recently bother to explore their track records and reach their own conclusions?

More to the point, what about Alan Herrell’s track record? I would be inclined to explore it but I can’t, now, without digging it out of the Google cache.

The best defense is a strong track record and an online identity that’s as securely yours as is feasible.

The identity metasystem that Kim Cameron has been defining, building, and evangelizing is an important step in the right direction. I thought so before I joined Microsoft, and I think so now.

It’s not a panacea. Security is a risk continuum with tradeoffs all along the way. Evaluating the risk and the tradeoffs, in meatspace or in cyberspace, is psychologically hard. Evaluating security technologies, in both realms, is intellectually hard. But in the long run we have no choice, we have to deal with these difficulties.

The other day I lifted this quote from my podcast with Phil Libin:

The basics of asymmetric cryptography are fundamental concepts that any member of society who wants to understand how the world works, or could work, needs to understand.

When Phil said that, my reaction was, “Oh, come on, I’d like to think that could happen but let’s get real. Even I have to stop and think about how that stuff works, and I’ve been aware of it for many years. How can we ever expect those concepts to penetrate the mass consciousness?”

At 21:10-23:00 in the podcast, Phil answers in a fascinating way. Ask twenty random people on the street why the government can’t just print as much money as it wants, he said, and you’ll probably get “a reasonable explanation of inflation in some percentage of those cases.” That completely abstract principle, unknown before Adam Smith, has sunk in. Over time, Phil suggests, the principles of asymmetric cryptography, as they relate to digital identity, will sink in too. But not until those principles are embedded in common experiences, and described in common language.

Beyond Stephen O'Grady's piece, the reactions of Jon's readers are of interest too.  In fact, I'm going to post Richard's comments so that everyone gets to see them. 

6 year old installs keylogger

Here is a strange one via Pamela Dingle's eternal optimist:

How girl, 6, hacked into MP’s Commons computer

I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…

This kind of dongle plugs in between the keyboard and the computer.  So there is one simple solution:  don't type in secrets that could allow someone to gain access to your accounts. 

My view:

  1. CardSpace self-issued cards ( based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
  2. Normal Kerberos login would be vulnerable.
  3. Username / password IdPs could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
  4. One time password (OTP) systems would be unaffected. 

BTW, I now have OTP integrated with my own managed card demo code.  When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.

Windows Financial Services “Best of the Blogs” list

I'm pleased to see the editors of Windows in Financial Services put identityblog on its “Best of the Blogs” list.   Welcome to any readers who “get here from there.” 

It's impressive for a publication so intensely focussed on financial services to invite its readers into a parallel universe which, as the editors put it, “…addresses the innumerable ramifications of this growing problem [identity theft – Kim]…”.  Yup.  There are definitely a lot of ramifications around here.

Identity theft is fast progressing as a huge threat to financial institutions everywhere, especially in the area of online banking.  In his “Identity Weblog,” Kim Cameron, Microsoft’s architect for identity, addresses innumerable ramifications of this growing problem, ranging from illegal sale of stolen credit card information on the Web, to whether or not schoolchildren should be fingerprinted, to technical solutions such as encryption. 

In an April 2nd entry, Kim answers questions from his readers about CardSpace, an encryption technology that can be enabled for .NET 2.0 through the use of Visual Studio 2005 Toolbox for Windows CardSpace. Click below to read Kim’s advice on subjects such as how CardSpace prevents phishing – even when used in conjunction with passwords – and to find out how to ask him ID-related questions of your own.

So, welcome to any new readers and please make yourselves at home.  Extra bonus:  you'll have a chance to use CardSpace when posting comments.

Cobbler's children

Here's an “ouch that hurts” posting by Jackson Shaw at Quest:

I received this email today regarding my identity partner's account that I have at Microsoft. Isn't it unfortunate that given Active Directory Federation Services (ADFS) and CardSpace that I have to do this?

Shaw, Jackson, The password for the extranet account issued to blah\JShaw will expire on Mar 15 2007. Please proceed to the following URL to change the password: https://Home.EP.Microsoft.com/login.aspx

NOTE: Failure to change the password before the expiration date will result in the account being locked and access will no longer be provided.

Thank you, The Extranet Management Tool Team

For assistance, please contact your administrator, site owner or support team.

I have zero time to figure out who my administrator, site owner or support team is.

I do know my Quest userid and password and wouldn't it be nice if that just worked??

Jackson is right.  Everything about this is bizarre.  I too love those “contact your administrator” messages – best of all, when I'm the administrator, but in all other cases too. 

Anyway, we are now getting close to the point where Microsoft marketing and other sites will start to light up.

With the sheer number of sites we have, and the attacks on our perimeter, our IT guys have to go about this in an organized way.  I spoke with Microsoft's internal IT security architects not long ago and was amazed at how well they have thought through the implications of the claims-based approach, privacy issues, uses for CardSpace, and so on. 

Meanwhile a lot of our sites are tied to Windows Live ID, so when it turns on Information Card support, the benefits should start to be widely felt.

Today Jackson did a piece outlining the Laws of Identity and  concludes:

I installed WinFX the other night on my Windows XP system and created my own Information Cards and then used one to logon to Kim's blog – it worked! [He's so surprised? – Kim]

Now if I could get a Quest property or two to accept either OpenIDs or InfoCards…

Hey, Jackson – let's get some live company-to-company interaction happening with the technologies we all want to introduce.  Why don't we approach the Extranet Management issue from both ends – you from the Quest end, me from this end?  Maybe others would want to jump on as well… The proof of the shoe is in the walking.

P.S.  Why don't you talk with Pamela about getting onto blogging software that accepts Information Cards too?  Mike Jones has done it.

UPDATE: Here is a posting on our progress in getting ADFS (Federation Services) going on our extranet, so the collaboration proposed above should be “way simple”.  And it's good to see that Brian Puhl not only listened to your original comment but did so much to move things ahead.

Mike Jones and self-issued.info

Everyone who has met me has probably met my colleague Mike Jones, who put his work as a researcher at MSR on hold because he got so interested in user-centric identity and Information Cards.  He has now started to blog – check out the InfoCard showing Mike and Dale onstage at Novell Brainshare. 

For those new to Information Cards, you don't normally share an InfoCard with someone else.  This was truly a “they did it because they could” moment… 

On March 21st at Novell’s BrainShare 2007 conference, Dale Olds and I co-presented the session “Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity”. Our presentation was a brief history of digital identity solutions, ranging from a password per application to interoperable user-centric digital identity using the Information Card metaphor and several steps in between.

The coolest thing in the session was the first public demo of the Bandit/Higgins cross-platform Identity Selector. During the demo Dale and I both used the same self-issued Information Card (that I created on the BrainShare show floor 🙂 ) to log into a Bandit relying party site, Dale from Linux and me with Windows CardSpace. As Dale and Pat Felsted blogged, two days later the Bandits also demonstrated their selector running on the Mac. Also see Pat’s post on the Details of the Cross Platform Identity Selector.

Great progress towards enabling everyone to answer the question “Who are you?” online with the Information Card of their choice!

BTW, you'll see that Mike, like me, is using pamelaware for WordPress – and accepts comments through infocards.  If you use WordPress, you should check it out.

New CardSpace show

Richard Turner and Garrett Serack have been featured in a CardSpace episode on Microsoft's popular .NET Show:

The .NET Show hosts Microsoft's Richard Turner, product manager, and Garrett Serack, community product manager, to talk about how Microsoft CardSpace solves the problem of securely managing your digital identity on the web.

CardSpace supports an industry-wide secure method for allowing users to authenticate themselves to websites and applications that removes the need for users to remember countless account names and passwords.

Two new CardSpace videos by Richard Turner

My colleague Richard Turner has just done a Channel 9 CardSpace Simple Demo that begins with a detailed look at the user experience, exploring many features of the interface, explaining why we put them there, and showing CardSpace working with both IE 7 and Firefox. 

It then moves on to a code walkthrough using Visual Studio, showing how to tweak your site so it accepts Information Cards (produced by CardSpace or other interoperable implementations).

I suspect the hardest part of enabling a site for CardSpace V1.0 is setting up the SSL certificate.  And Richard must agree, because he has gone the extra length and produced a second Channel 9 video that shows How to Configure IIS to Support Windows CardSpace.  I sure wish I had this when I started fooling around with this stuff!

The source code for the demo will be posted here this week.  Richard is working on other related videos as well.

CardSpace FAQ

As you can imagine, over the years I've answered plenty of questions about CardSpace and Information Cards.  In fact, the questions have been instrumental in shaping the theory and the implementation.  To help put together a definitive set of questions and answers, I'm going to share them on my blog.  I invite you to submit further questions and comments.  You can post directly by using an InfoCard, post on your own blog with a link back, or write to me using my i-name.

Would banks ever accept self-issued information cards?  How could they trust the information on them to be true?

In fact a number of banks have expressed interest in accepting self-issued cards (protected by PINs) at their on-line banking sites. 

They see self-issued cards as a simple but improved credential when compared to a password.  Because a self-issued card is based on public key technology, the user never sees a secret that can be phished.  The self-issued card uses a 2048-bit RSA key when authenticating to a site – and there is no key-distribution problem.

These banks would not request or depend on the card's informational claims (name, address, etc).  The banks have already vetted the customer through their Know Your Customer (KYC) procedures.  So it is just the crypto that is of interest.

There are also banking sites that are more interested in issuing their own “managed cards” – for branding reasons, and as a way to provide their customers with single sign-on to a constellation of services operated in unrelated data centers.

Finally, some banks are interested in using managed cards as a payment instrument within specific communities (for example, high value transactions), and as a way to get into new identity-related businesses.

How can managed cards ever help identity providers prevent phishing, if all the end user has is a password? 

Once a user switches to CardSpace, phishing is not possible even when passwords are used as an IdP Credential.

That is because an Information Card reference is included as a part of the “Request Security Token” message sent to the IdP. It may include a second secret in its CardId, never released except encrypted to a certificate specified in the card's metadata. For example:

 

Even if the user is tricked into leaking her password, she doesn’t know the CardId and can’t leak it. If the IdP verifies that the correct CardId is present in the Request Security Token message (as well as the username and password), it is impossible for an attacker to phish the user.
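The following is an added simulation of the per-card secret check described in this answer (and relied on in item 3 of the keylogger post above, where the same secret protects a username/password IdP). It is my illustration, not Microsoft's CardSpace code and not the real WS-Trust message format. Everything in it is constructed: the card pins its issuer's certificate by a SHA-256 fingerprint, the selector releases the CardId only to an endpoint whose certificate matches that fingerprint, and the IdP accepts a Request Security Token only when username, password and CardId all verify. The certificates are byte strings standing in for X.509 certificates, and the names are made up.

```python
"""Simulation of the CardSpace per-card secret (CardId) check.

Added example, not CardSpace's own code.  The point being demonstrated:
a secret the user never types and that the selector only hands to the
genuine IdP cannot be captured by a keylogger or a look-alike login page,
so a harvested password alone does not get a token.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of a (constructed) certificate."""
    return hashlib.sha256(cert_bytes).hexdigest()


@dataclass(frozen=True)
class ManagedCard:
    issuer: str
    issuer_cert_fingerprint: str  # pinned in the card's metadata
    card_id: str                  # second secret; never shown to or typed by the user


@dataclass
class Endpoint:
    name: str
    cert: bytes  # constructed stand-in for the endpoint's X.509 certificate


class IdentityProvider:
    """Username/password IdP that additionally requires the CardId."""

    def __init__(self, name: str, cert: bytes):
        self.endpoint = Endpoint(name, cert)
        self._accounts = {}  # username -> (salt, password hash, card_id)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_card(self, username: str, password: str) -> ManagedCard:
        """Enrol the user and hand back a card carrying a fresh random CardId."""
        salt = secrets.token_bytes(16)
        card_id = secrets.token_urlsafe(32)
        self._accounts[username] = (salt, self._hash(salt, password), card_id)
        return ManagedCard(self.endpoint.name, fingerprint(self.endpoint.cert), card_id)

    def request_security_token(self, username: str, password: str, card_id) -> bool:
        """Issue a token only if password AND CardId match (constant-time compares)."""
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, pw_hash, expected_card_id = record
        ok_password = hmac.compare_digest(pw_hash, self._hash(salt, password))
        ok_card = hmac.compare_digest(expected_card_id, card_id or "")
        return ok_password and ok_card


def selector_release_card_id(card: ManagedCard, endpoint: Endpoint):
    """The selector releases the CardId only to the endpoint whose certificate
    matches the fingerprint pinned in the card; any other site gets None."""
    if hmac.compare_digest(fingerprint(endpoint.cert), card.issuer_cert_fingerprint):
        return card.card_id
    return None


def scenario() -> dict:
    """Legitimate login succeeds; a phished password alone is rejected."""
    idp = IdentityProvider("idp.example", b"constructed certificate of idp.example")
    card = idp.issue_card("alice", "correct horse battery")
    look_alike = Endpoint("idp-example.invalid", b"constructed certificate of a look-alike")

    # A keylogger or fake login page captures everything Alice types...
    harvested_password = "correct horse battery"
    # ...but the selector never releases the CardId to the look-alike site.
    harvested_card_id = selector_release_card_id(card, look_alike)

    legitimate = idp.request_security_token(
        "alice", "correct horse battery", selector_release_card_id(card, idp.endpoint))
    replay = idp.request_security_token("alice", harvested_password, harvested_card_id)
    return {"card_id_leaked": harvested_card_id is not None,
            "legitimate_login": legitimate,
            "phisher_login": replay}


if __name__ == "__main__":
    print(scenario())  # {'card_id_leaked': False, 'legitimate_login': True, 'phisher_login': False}
```

Two design points carry the weight here: the CardId is random and high-entropy rather than derived from anything the user knows, and the release decision is made by the selector against the certificate pinned in the card, not by the user looking at a URL. Remove either and the property in the answer above (a leaked password is not enough) no longer holds, which is also why item 3 of the keylogger post hinges on non-InfoCard password access being switched off.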

Why can't you use smart cards, dongles, and one-time password devices with CardSpace?

You can.  Using a password is only one option for accessing IdPs.  CardSpace currently supports four authentication methods:

  1. Kerberos (as supported on *NIX systems and Active Directory):  This is typically useful when accessing an IdP from inside a firewall.
  2. X.509:  This allows conventional dongles, smart cards and soft certs to be used. Further, since many devices (such as biometric sensors) integrate with Windows by emulating an X.509 device, it supports these other authentication methods as well.
  3. Self-Issued Card:  In other words, the RSA keys present in one of your self-issued cards can be used to create a SAML token.
  4. Username / password:  The password can be generated by an OTP device if the IdP supports it, and this is an extremely safe option.