Microsoft: CardSpace attack works but was too rigged

Microsoft's chief identity architect disputes that CardSpace technology can be hacked, calling researchers' scenario unlikely in a real attack

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.

Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.

In a sometimes sarcastic retort, Kim Cameron, who is Microsoft's chief identity architect in the Connected Systems Division, wrote that the attack requires key defenses to be lowered before the attack would work, a scenario that's unlikely in a real attack.

"For the attack to succeed, the user has to bring full administrative power to bear against her own system," Cameron wrote on his blog. "In my view, the students did not compromise CardSpace."

The researchers' paper is bad press for Microsoft and CardSpace, which the company hopes will develop become widely used for identity management.

The researchers, from the Horst Görtz Institute for IT Security at Ruhr University in Bochum, Germany, wrote in their paper it is possible to intercept the authentication tokens from CardSpace. The tokens could be reused by hackers to gain access or use other functions on another Web site.

However, intercepting the token comes after several key defenses have been breached and warnings ignored, Cameron wrote.

First, the PC's DNS configuration must be modified so that the PC's browser goes to a malicious Web site even if the proper domain name is typed in, a technique known as pharming.

Once the DNS settings have been changed, the PC's browser must be convinced the malicious Web site is not a fraudulent site. Browsers such as Internet Explorer have a mechanism that checks a Web site's certificate -- an encrypted electronic document that verifies the domain name visited belongs to the Web site the browser is looking at.

Part of the attack also involves tricking a user to upload a fake root certificate that would not trip Internet Explorer's phishing alarms. Cameron writes that installing the bogus certificate must overcome another defense, which "requires a complex manual override."

Sebastian Gajek, one of the authors of the report, said via instant message on Monday that it isn't necessary to get the user to install a fake certificate. The browser's phishing alarm might go off, but "we argue that most of the users would ignore the warning" as some studies have shown, Gajek said.

The CardSpace protocol itself seems to be sound, Gajek said. But there are continuing security problems with how Web browsers interact with DNS, that, in combination with CardSpace, make the identity management technology vulnerable, he said.

Nonetheless, Cameron posted a video disparaging the research. "The students invite you to poison your system for them," Cameron says in the video. "If you drink this poison, which they are unable to administer themselves, your system will be vulnerable to their attack."

While Cameron acknowledges the authentication token can be obtained, the information in the token, such as a log-in or password, is encrypted.

Xuan Chen and Christian Löhr, IT security students, wrote the paper. Jörg Schwenk, a professor and chairman of Network and Data Security at the institute, and Gajek acted as advisers. The paper is posted on the school's Web site.

Gajek said he did not know if the attack would work with other federated identity management protocols and their implementations in browsers.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies