Praise for Understanding Windows CardSpace

“Windows CardSpace, and identity selectors like it for non-Windows platforms, will quickly bring information cards to the forefront as the authentication mechanism of choice for end-users—at last significantly reducing the pain and risks involved in username and password authentication. Vittorio, Garrett, and Caleb are three really super smart guys who know CardSpace and the underlying technologies and standards intimately. In this book, they provide the perfect amount of detail on the very real risks of today’s application security models, followed by an overview of relevant cryptography and WS-* protocols, and then they dig right in to common scenarios for deploying CardSpace while also explaining important underlying parts of the CardSpace technology to help you understand what’s going on under the hood. If you aren’t sure if CardSpace is right for your applications, you should read this book and find out why. If you are planning to implement a CardSpace solution, you should absolutely read every page of this book to gain insight into otherwise not well-documented information about the technology.”
—Michele Leroux Bustamante, Chief Architect, IDesign and Microsoft Regional Director

“Identity management is a challenging and complex subject, involving traces of cryptography and network security along with a human element. Windows CardSpace and this book both attempt—successfully—to unravel those complexities. Touching on all the major points of CardSpace and identity management in general, this book comprehensively explains the ‘what’ and the ‘how’ of this new Microsoft technology.”
—Greg Shields, Resident Editor, Realtime Windows Server Community, Contributing Editor, Redmond Magazine and MCP Magazine

“Learn about CardSpace from the people who built and influenced it!”
—Dominick Baier, Security Consultant, thinktecture

“Chock full of useful, actionable information covering the ‘whys,’ ‘whats,’ and ‘hows’ of employing safer, easier-to-use, privacy-preserving digital identities. Insightful perspectives on topics, from cryptography and protocols to user interfaces and online threats to business drivers, make this an essential resource!”
—Michael B. Jones, Director of Identity Partnerships, Microsoft

“It’s one of the most serious problems facing anybody using the Internet. Simply put, today’s digital world expects secure and user-centric applications to protect personal information. The shift is clear in the demand to make the user the center of their digital universe. The question is, how do you build these kinds of applications? What are the key components? Unfortunately, identity is often one of the most overlooked and least understood aspects of any application design. Starting with the basics and building from there, this book helps answer these questions using comprehensive, practical explanations and examples that address these very problems. It’s a must-read for application developers building any type of Internet-based application.”
—Thom Robbins, Director .NET Framework Platform Marketing, Microsoft, Author

Understanding Windows CardSpace

Independent Technology Guides
David Chappell, Series Editor

The Independent Technology Guides offer serious technical descriptions of important new software technologies of interest to enterprise developers and technical managers. These books focus on how that technology works and what it can be used for, taking an independent perspective rather than reflecting the position of any particular vendor. These are ideal first books for developers with a wide range of backgrounds, the perfect place to begin mastering a new area and laying a solid foundation for further study. They also go into enough depth to enable technical managers to make good decisions without delving too deeply into implementation details. The books in this series cover a broad range of topics, from networking protocols to development platforms, and are written by experts in the field. They have a fresh design created to make learning a new technology easier. All titles in the series are guided by the principle that, in order to use a technology well, you must first understand how and why that technology works.

Titles in the Series
Brian Arkills, LDAP Directories Explained: An Introduction and Analysis, 0-201-78792-X
David Chappell, Understanding .NET, Second Edition, 0-321-19404-7
Eric Newcomer, Greg Lomow, Understanding SOA with Web Services, 0-321-18086-0
Eric Newcomer, Understanding Web Services: XML, WSDL, SOAP, and UDDI, 0-201-75081-3

For more information check out informit.com/aw

Understanding Windows CardSpace
An Introduction to the Concepts and Challenges of Digital Identities

Vittorio Bertocci
Garrett Serack
Caleb Baker

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Cape Town • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside the United States please contact:

International Sales
international@pearsoned.com

Visit us on the web: www.informit.com/aw

Library of Congress Cataloging-in-Publication Data
Bertocci, Vittorio.
Understanding Windows CardSpace : an introduction to the concepts and challenges of digital identities / Vittorio Bertocci, Garrett Serack, Caleb Baker.
p. cm.
Includes index.
ISBN 0-321-49684-1 (pbk. : alk. paper)
Windows CardSpace. Computer security. Computer networks—Access control. Identity theft—Prevention. Web services. I. Serack, Garrett. II. Baker, Caleb, 1974- III. Title.
QA76.9.A25B484 2008
005.8—dc22
2007044217

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-321-49684-3
ISBN-10: 0-321-49684-1
Text printed in the United States on recycled paper at R.R. Donnelley in Crawfordsville, Indiana.
First printing December 2007

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Joan Murray
Senior Development Editor: Chris Zahn
Managing Editor: Gina Kanouse
Project Editor: Betsy Harris
Copy Editor: Keith Cline
Indexer: Erika Millen
Proofreader: Language Logistics, LLC
Technical Reviewers: Dominick Baier, Eric Ray, Greg Shields
Publishing Coordinator: Kim Boedigheimer
Cover Designer: Sandra Schroeder
Compositor: Bronkella Publishing

To our families

Contents

Foreword xv
Preface xviii

Part I  SETTING THE CONTEXT
THE PROBLEM
  The Advent of Profitable Digital Crime
    The Dawn of Cracking
    The Vandalism and Bravado Era: Viruses and Worms
    The Rush to Web 2.0 and Asset Virtualization 10
    Malware and Identity Theft 16
    A Business on the Rise 27
  Passwords: Ascent and Decline 29
    Ascent 29
    Decline 33
  The Babel of Cryptography 36
    Cryptography: A Minimal Introduction 38
    HTTP and HTTPS: The King Is Naked 46

Identity Providers

Figure 7-1 CardSpace shows the contents of the display token to the user.

Roaming with Information Cards

A significant percentage of users use more than one computer—often one at work and another at home. While a user can import the same Managed Information Card on multiple computers and use it in multiple places, there is one side effect when doing so with a Managed Information Card that is used with a nonauditing STS (where the IP doesn’t request the identity of the RP): CardSpace generates a new master key for that card when it is imported. The master key is used to generate a unique identifier (per RP site) that can be passed to the RP, so that the RP can identify a return visitor. Because the master key is generated at import time, each computer passes a different unique identifier to the RP, making the RP believe the user is not the same as the one using the same card imported on another computer. To allow users to roam, CardSpace enables them to export their cards (Personal and Managed Cards) to a PIN-protected archive (a CRDS file), which they can then copy to another computer and import into CardSpace, and have the cards work the same as on the original computer.

An Organization’s Identity

As an IP, an organization must maintain its identity, too. The identity of the IP is asserted by the details in the SSL certificate that is used to sign the tokens generated by the STS. In a standard SSL certificate, usually only ownership of the site domain is checked; other information, such as company name and location, is not verified by the Certificate Authority (CA). In 2007, the CAs began to provide Extended Validation (EV) SSL certificates, which are issued to organizations that meet certain criteria for proving their identity to the CA, including verification of the physical office where the organization can be reached. These certificates come at a premium price. Because the CA is providing verified information about the IP in the certificate, the RP should use the validated fields to track the identity of the IP. In an EV certificate, the subject name contains OLSC fields—Organization, Location, State, and Country. Relying on these fields to recognize the certificate allows the organization to renew or replace the EV SSL certificate with one from any CA, without having to explicitly notify the RPs.

The IP also has the opportunity to express its identity (and provide brand recognition) by embedding an image into the Managed Card, which is displayed in the CardSpace Identity Selector. Figure 7-2 shows an example of a branded Managed Card.

The certificate path is the chain of certificates back to the root.

Figure 7-2 Importing a Managed Card branded with a corporate logo.

Summary

The role of the identity provider is pivotal for the entire Identity Metasystem model. Many businesses and authorities are suitable to expand their online operations and become identity providers. In this chapter we enumerated some of the considerations and requirements that should be taken into account while planning an IP.

Index

A
accepting
  Managed Cards at websites, 244-246
  Personal Cards at websites, 243-244
Access Denied errors, 236
accessibility, 283
accounts
  associating Information Cards with, 288
  creating, 288-291
  maintenance, 297
  recovering, 291-293
Active Directory Federation Services (ADFS), 327
ad hoc connections to services, 329
addresses
  MEX addresses, 201
  WS-Addressing, 144
ADFS (Active Directory Federation Services), 327
age-restricted markets, 332
airline mileage cards, 311
algorithms, asymmetric key, 39-41
applications, connecting to, 330
AreCardsSupported() function, 279-282
Argument Error, 236
asset virtualization, 10-16
associating Information Cards with accounts, 288
assuming consent, 324-325
asymmetric key algorithms, 39-41
attacks
  brute-force attacks, 39
  information-entering phase, 17-20
  information-processing phase, 24-26
  information-storing phase, 24-26, 131
  information-transfer phase, 21-24
  man-in-the-middle attacks, 22-24
  phishing
    CardSpace and, 180
    definition, 18
    growth of, 19-20
    step-by-step process, 18-19
    targeted phishing, 19
  SQL injection, 26
AudienceRestrictionCondition (SAML), 241, 246-247
auditing IPs, 246-247
authentication
  alternative security measures, 293-294
  authentication levels (IPs), 314-315
  brokered trust, 134-136, 161
  canonical scenario, 132-134, 159-161
  CardSpace
    AreCardsSupported() function, 279-283
    CardsNotSupported class, 281-282
    CardsSupported class, 281-282
    Don’t Have Your Card? link, 283
    overview, 277-278
    Remember Me Next Time check box, 283
    Sign In with Your Information Card button, 283
    training users to look for Information Card sign-in, 285
    What Is This? link, 283
  certificate-based client authentication
    corporate smartcards and intranet certificates, 60-62
    eIDs (electronic IDs), 65-69
    overview, 60
    SSL (secure sockets layer), 62-65
  challenges of transporting credentials, 79-84
  extended authentication, 272
  HTTPS, 52-57
  hybrid authentication, 275
  issued token-based authentication
    definition, 70
    Kerberos, 72-76
    overview, 69-71
    SAML (Security Assertion Markup Language), 76-79
  Managed Cards, 197-198
  multifactor authentication, 334
  overview, 57-59
  password authentication, 31, 289
  providing strong authentication to RPs, 333
  server authentication
    challenges, 35-36
    overview, 38
  simple authentication, 272
AuthenticationContext WCF object, 260
authorization. See authentication
auto club cards, 310

B
Baker, Caleb, biographical information, xxvii-xxviii
Bertocci, Vittorio, biographical information, xxvi-xxvii
binding types
  wsFederationHttpBinding binding type, 257
  wsHttpBinding binding type, 256
blind credentials, 10, 31
blogs
  commenting on, 329
  identityblog.com, 92
branded Managed Cards, 341
brokered trust, 134-136, 161
brokering trusted interactions, 181-184
browser extension (Information Card)
  HTML syntax, 226
  issuer property, 228-229
  IssuerPolicy property, 229
  OptionalClaims property, 230
  overview, 224-225
  PrivacyUrl property, 231
  PrivacyVersion property, 231
  RequiredClaims property, 229-230
  TokenType property, 230-231
  within Web forms, 227-228
  XHTML syntax, 227
browser tokens, getting from CardSpace, 267
browsers, 162
brute-force attacks, 39
business reasons for becoming IPs
  Internet commerce, 333
  managing identities for your organization, 325-327
  managing identities used by other organizations, 327-331
  providing claims-based services, 331-332
  providing strong authentication to RPs, 333
buttons, Sign In with Your Information Card, 283

C
calculating site-specific card IDs, 195
calling CardSpace from WCF (Windows Communication Foundation), 256-258
Cameron, Kim, 92-93. See also seven laws of identity
canonical scenario (authentication), 132-134, 159-161
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), 273
Card Security Code (CSC), 293
CardsNotSupported class, 281-282
CardSpace implementation
  account maintenance, 297
  advantages
    brokered trusted interactions, 181-184
    consistent user experience, 177-181
    overview, 177
  associating Information Cards with accounts, 288
  authentication
    accessibility, 283
    AreCardsSupported() function, 279-282
    CardsNotSupported class, 281-282
    CardsSupported class, 281-282
    Don’t Have Your Card? link, 283
    overview, 277-278
    Remember Me Next Time check box, 283
    Sign In with Your Information Card button, 283
    What Is This? link, 283
  CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), 273
  certificates, 192
  creating accounts, 288-291
  database changes, 276-277
  deployment scenarios. See deployment scenarios (CardSpace)
  Disable CardSpace option, 204-207
  disabling, 206-207
  Firefox, 177
  handling unknown cards, 286-287
  HTTPS login page, 173
  Information Cards. See Information Cards
  limitations, 205
  Managed Card Import page, 204, 208-209
  management tasks
    creating and editing Personal Cards, 212-214
    Management mode, 211
    moving cards between computers, 214-215, 218
    overview, 210
  .NET Framework 3.5, 218-220
  overview, 161-164, 169, 274
  passive user notification, 296-297
  phishing and, 180
  preparation, 275-276
  private desktop, 204-206
  prompting users for Information Cards, 294-295
  recovering accounts, 291-293
  Relying Party Identification page, 204, 207-208
  server synchronization, 275
  sign-in process, 285-286
  supported applications, 175
  system requirements, 176
  training users to look for Information Card sign-in, 285
  walkthroughs, 169
    from user’s perspective, 170-172
    from web developer’s perspective, 173-175
CardsSupported class, 281-282
CAs (certification authorities), 44
Cascading Style Sheets, 281-282
certificate-based client authentication
  corporate smartcards and intranet certificates, 60-62
  digital certificates
    definition, 45
    Extended Validation (EV) SSL certificates, 209, 271, 276, 341
    intranet certificates, 60-62
    migration issues, 320
    root certificates, 45
    soft certificates, 62
    X.509 certificates, 45, 192, 197
  eIDs (electronic IDs), 65-69
  overview, 60
  SSL (secure sockets layer), 62-65
certification authorities (CAs), 44
character mapping table, 195
ciphertext, 39
claim transformers, 126-129, 158
claims
  claim-based identities, 124, 157
  claim-based programming, 272
  claim-based services, providing, 331-332
  definition, 114
  Managed Cards, 202-203
  WCF (Windows Communication Foundation), 260-261
classes
  CardsNotSupported, 281-282
  CardsSupported, 281-282
client authentication. See authentication
commenting on blogging sites, 329
Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), 273
consent
  assuming, 324-325
  user control and consent, 94-96
consistent experience across contexts
  CardSpace, 177-181
  law of identity, 108-110, 129-130
consumers. See RPs (relying parties)
contexts, consistent experience across (law of identity), 108-110, 119, 129-130
control, user control and consent, 94-96
corporate smartcards, 60-62
crackers
  goals of,
  overview,
  script kiddies,
CRAs (credit-reporting agencies), 313, 317, 332
creating accounts, 288-291
credentials
  blind credentials, 10, 31
  transporting, 79-84
credit cards, 293-294, 311
credit histories, 28-29, 317
credit-reporting agencies (CRAs), 313, 317, 332
crime. See cybercrime
crossing trust boundaries, 324-325
cryptography
  ciphertext, 39
  definition, 36
  digital signatures, 42-44
  encryption
    definition, 36
    public key encryption, 39-41
    symmetric encryption, 38-39
  HTTP (HyperText Transfer Protocol), 47-49
  HTTPS
    authentication and digital identity, 52-57
    overview, 49-52
  identity propagation, 37
  keys
    asymmetric key algorithms, 39-41
    definition, 36
    private keys, 41
    PKI (Public Key Infrastructure), 44-45
    public keys, 41
  overview, 36-38, 271
  plaintext, 39
  public key cryptography, 39-41
  server authentication, 38
  symmetrical key cryptography, 38-39
CSC (Card Security Code), 293
CSS (Cascading Style Sheets), 281-282
cybercrime
  brute-force attacks, 39
  crackers, 5-6
  identity crime, 16
  identity theft
    credit histories, 28-29
    definition, 16
    dumpster divers, 29
    The Identity Theft Protection Guide, 29
    information-entering phase, 17-20
    information-processing phase, 24-26
    information-storing phase, 24-26, 131
    information-transfer phase, 21-24
    man-in-the-middle attacks, 22-24
    Social Security Numbers, 28
  law enforcement,
  malware, 16-17
  overview, 4-5
  phishing
    definition, 18
    growth of, 19-20
    step-by-step process, 18-19
    targeted phishing, 19
  piracy,
  script kiddies,
  spam, 14
  SQL injection, 26
  Trojan horses,
  value of information available online, 10-16
  viruses, 7-9
  worms
    definition,
    ILOVEYOU, 7-8
    importance of,
    motivation behind worm creation,

D
databases, modifying to support Information Cards, 276-277, 335-336
decoupling, 113
decrypting tokens
  WCF (Windows Communication Foundation), 258-259
  in websites, 238
department of motor vehicles (DMV), 313
deployment scenarios (CardSpace)
  federation, 248-251
  multiplayer games
    getting browser tokens from CardSpace, 267
    getting CardSpace tokens, 264-267
    importing CardSpace files, 264
    opening CardSpace, 264
    overview, 262-263
  WCF (Windows Communication Foundation)
    adding CardSpace to, 255-256
    calling CardSpace from, 256-258
    claims processing, 260-261
    overview, 252-255
    policy options, 261-262
    token decryption, 258-259
    token verification, 260
  websites
    auditing and nonauditing IPs, 246-247
    dynamically setting site requirements, 232
    Information Card browser extension, 224-231
    logon process, 224
    Managed Cards, accepting, 244-246
    Personal Cards, accepting, 243-244
    scripts, 232-243
digital certificates
  certificate-based client authentication
    corporate smartcards and intranet certificates, 60-62
    eIDs (electronic IDs), 65-69
    overview, 60
    SSL (secure sockets layer), 62-65
  definition, 45
  EV (Extended Validation) certificate, 209, 271, 276, 341
  intranet certificates, 60-62
  migration issues, 320
  root certificates, 45
  soft certificates, 62
  X.509 certificates, 45, 192, 197
digital crime. See cybercrime
digital identity, 114-115
digital signatures, 42-44
DigitalMe Identity Selector, 178
directed identity (law of identity), 102-104
Disable CardSpace option (CardSpace), 204-207
disabling CardSpace, 206-207
disclosure, minimal disclosure for constrained use, 96-98
display credential hint (Managed Cards), 201
display tokens, 338
DMV (department of motor vehicles), 313
Don’t Have Your Card? link, 283
dotcom bubble, 12
driver’s license cards, 310
dumpster divers, 29
dynamically setting site requirements, 232

E
e-commerce, 12, 333
early adopters, 270-271
early majority consumers, 270
editing Personal Cards, 212, 214
eGovernment, 90
eIDs (electronic IDs), 65-69
email
  increasing prevalence of, 12
  phishing
    definition, 18
    growth of, 19-20
    overview, 18
    step-by-step process, 18-19
    targeted phishing, 19
  spam, 14
encapsulating protocol (Identity Metasystem), 126, 158
encryption. See cryptography
EncryptionAlgorithm policy option, 262
encryptWith policy option, 262
endpoint reference (Managed Cards), 200-201
error handling
  Access Denied error, 236
  Argument Error, 236
  Identity Validation error, 235
  Not Installed error, 235
  overview, 233-234
  Policy Error, 236
  Service Busy error, 235
  Service Failure error, 235
  Trust Exchange error, 236
  Unsupported Error, 237
  Untrusted Recipient error, 236
  User Cancelled error, 235
EV (Extended Validation) SSL certificates, 209, 271, 276, 341
Event Viewer, 237
extended authentication, 272
Extensible Markup Language (XML), 141-142

F
federations
  ADFS (Active Directory Federation Services), 327
  airlines, 311
  deployments, 248-251
  overview, 273
  user-centric federation, 328
  WS-Federation, 154-156, 162
Firefox, 177
forms, 227-228, 272
four tenets of service orientation, 94
freeing hostage identity, 121-122
functions. See specific functions

G
games, deploying CardSpace in
  getting browser tokens from CardSpace, 267
  getting CardSpace tokens, 264-267
  importing CardSpace files, 264
  opening CardSpace, 264
  overview, 262-263
GetBrowserToken() method, 177, 267
GetToken() method, 264-267
government-issued ID cards, 310
grocery stores, 314

H
handling unknown cards, 286-287
handshake (SSL), 62-63
hard tokens, 65-69
hostage identity, 121-122
HTML Information Card browser extension, 226
HTTP (HyperText Transfer Protocol), 89
  cryptography, 47-49
HTTPS
  authentication and digital identity, 52-57
  CardSpace login page, 173
  overview, 49-52
human integration (law of identity), 105-107
hybrid authentication, 275
HyperText Transfer Protocol. See HTTP

I
IBalance interface, 253
identity
  claim-based identities, 124, 157
  digital identity, 114-115
  hostage identity, 121-122
  metasystem. See Identity Metasystem
  omnidirectional identity, 102
  seven laws of identity
    consistent experience across contexts, 108-110, 129-130
    directed identity, 102-104
    human integration, 105-107
    justifiable parties, 98-101
    minimal disclosure for constrained use, 96-98
    overview, 92-93
    pluralism of operators and technologies, 104-105
    similarity to four tenets of service orientation, 94
    user control and consent, 94-96
  unidirectional identity, 102
identity consumers. See also RPs (relying parties)
  definition, 271
  early adopters, 270-271
  early majority consumers, 270
  innovators, 270-271
  laggards, 271
  late majority consumers, 271
identity contexts, 119
identity crime, 16
identity federations. See federations
Identity Metasystem
  authentication scenarios
    brokered trust, 134-136, 161
    canonical scenario, 132-134, 159-161
  claims, 114
  components
    claim transformers, 126-129, 158
    claim-based identities, 124, 157
    consistent user experience, 129-130
    encapsulating protocol, 126, 158
    negotiation, 124-126, 157-158
    overview, 122-123
    as WS-* features, 156-157
  decoupling, 113
  digital identity, 114-115
  identity contexts, 119
  overview, 110-114
  roles
    IPs (identity providers), 118-121
    overview, 116-117
    RPs (relying parties), 117
    subjects, 117-118
  trust, 115-116
  WS-* implementation
    brokered trust, 161
    canonical scenario, 159-161
identity propagation, 37
identity providers. See IPs
identity theft
  attacks in information-entering phase, 17-20
  attacks in information-processing phase, 24-26
  attacks in information-storing phase, 24-26, 131
  attacks in information-transfer phase, 21-24
  credit histories, 28-29
  definition, 16
  dumpster divers, 29
  The Identity Theft Protection Guide, 29
  man-in-the-middle attacks, 22-24
  phishing
    definition, 18
    growth of, 19-20
    step-by-step process, 18-19
    targeted phishing, 19
  Social Security Numbers, 28
  SQL injection, 26
The Identity Theft Protection Guide, 29
Identity Validation errors, 235
identityblog.com, 92
IDs
  IssuerIDs, 277
  PPIDs (private personal identifiers), 190-194, 277
  SSIDs (site-specific IDs), 195, 298-299
  UniqueIDs, 277
  UserIDs, 277
ILOVEYOU worm, 7-8
implementations. See deployment scenarios (CardSpace)
ImportInformationCard() function, 264
importing CardSpace files, 264
Information Cards
  advantages, 178-181
  associating with accounts, 288
  browser extension
    HTML syntax, 226
    issuer property, 228-229
    IssuerPolicy property, 229
    OptionalClaims property, 230
    overview, 224-225
    PrivacyUrl property, 231
    PrivacyVersion property, 231
    RequiredClaims property, 229-230
    TokenType property, 230-231
    within Web forms, 227-228
    XHTML syntax, 227
  contents, 185-187
  definition, 184
  Managed Cards
    accepting at websites, 244-246
    airline mileage cards, 311
    authentication, 197-198
    auto club cards, 310
    branded Managed Cards, 341
    card ID, 199
    card image, 200
    card name, 200
    claims, 202-203
    credit cards, 311
    definition, 188, 196
    driver’s license or government-issued ID cards, 310
    endpoint reference, 200-201
    issuer, 200
    obtaining, 196
    payment cards, 312
    privacy policy, 200
    supported claim type list, 202
    supported token type list, 202
    time expires, 200
    time issued, 200
    user credential element, 201-202, 333
    username and password authentication, 198
    version, 199
    when to use, 203
    wholesale club cards, 309
  metadata, 185, 187
  moving between computers, 214-215, 218
  multifactor authentication, 334
  .NET Framework 3.5, 218-220
  number of, 308
  object tag, 174
  Personal Cards
    accepting at websites, 243-244
    advantages, 189-190
    claims supported by, 188-190
    creating and editing, 212-214
    definition, 187
    PPIDs (private personal identifiers), 190-194, 337
    when to use, 194
  prompting users for, 294-295
  roaming with, 340-341
  selecting, 186
  site-specific card IDs, 195
  supporting multiple platforms/technologies, 270
  supporting with CardSpace. See CardSpace implementation
  unknown cards, handling, 286-287
  website logon process, 224
information-entering phase, 17-20
information-processing phase, 24-26
information-storing phase, 24-26, 131
information-transfer phase, 21-24
innovators, 270-271
integrity of digital signatures, 44
integrity check (tokens), 238, 241
interfaces, IBalance, 253
Internet
  commerce, 333
  lack of center, 91
  lack of identity layer, 90-91
  overview, 89-90
  user acceptance of online services, 91
  value of information available online, 10-16
intranet certificates, 60-62
IPs (identity providers), 305
  auditing IPs, 246-247
  authentication levels, 314-315
  benefits of using, 316-317
  branded Managed Cards, 341
  business reasons for becoming IPs
    Internet commerce, 333
    managing identities for your organization, 325-327
    managing identities used by other organizations, 327-331
    providing claims-based services, 331-332
    providing strong authentication to RPs, 333
  databases, 335-336
  definition, 118-119
  display tokens, 338
  Extended Validation (EV) SSL certificates, 209, 271, 276, 341
  migration issues, 320-321
  misconceptions about becoming an IP, 306-308
  negotiating agreements with, 318-320
  nonauditing IPs, 246-247
  overview, 119-121, 323-324
  qualifications
    CRAs (credit-reporting agencies), 313
    DMV (department of motor vehicles), 313
    grocery stores, 314
    overview, 312
  reliability, 338
  relying on, 315
  reputations, 336-339
  responsibility to protect privacy, 336, 339
  selection criteria
    airline mileage cards, 311
    auto club cards, 310
    credit cards, 311
    driver’s license or government-issued ID cards, 310
    overview, 309
    payment cards, 312
    wholesale club cards, 309
issued token-based authentication
  definition, 70
  Kerberos, 72-76
    authentication process, 72-74
    principals, 72
    TGS (ticket granting service), 73-74
    tickets, 72
  overview, 69-71
  SAML (Security Assertion Markup Language), 76-79
issuer property (Information Card browser extension), 228-229
IssuerIDs, 277
IssuerPolicy property (Information Card browser extension), 229

J-K
justifiable parties (law of identity), 98-101
Kerberos, 72-76, 197
  authentication process, 72-74
  principals, 72
  TGS (ticket granting service), 73-74
  tickets, 72
  V5 credential (Managed Cards), 201
keyloggers, 17
keys
  asymmetric key algorithms, 39-41
  definition, 36
  PKI (Public Key Infrastructure)
    CAs (certification authorities), 44
    definition, 44
    digital certificates, 45
  private keys, 41
  public key cryptography, 39-41
  public keys, 41
keySize policy option, 262
keystrokes, recording, 17
KeyType policy option, 262

L
laggards, 271
late majority consumers, 271
law enforcement,
laws of identity
  consistent experience across contexts, 108-110, 129-130
  directed identity, 102-104
  human integration, 105-107
  justifiable parties, 98-101
  minimal disclosure for constrained use, 96-98
  overview, 92-93
  pluralism of operators and technologies, 104-105
  similarity to four tenets of service orientation, 94
  user control and consent, 94-96
liability for PII (personally identifiable information), 301-302
login page (CardSpace), 173
logon process (websites), 224
LOVE-LETTER-FOR-YOU.TXT.vbs email attachment,
Luhn formula, 293

M
maintaining accounts, 297
malware
  definition, 16-17
  keyloggers, 17
man-in-the-middle attacks, 22-24
Manage() function, 264
ManageCardSpace() function, 264
Managed Card Import page (CardSpace), 204, 208-209
Managed Cards
  accepting at websites, 244-246
  airline mileage cards, 311
  authentication, 197-198
  auto club cards, 310
  branded Managed Cards, 341
  card ID, 199
  card image, 200
  card name, 200
  claims, 202-203
  credit cards, 311
  definition, 188, 196
  driver’s license or government-issued ID cards, 310
  endpoint reference, 200-201
  issuer, 200
  obtaining, 196
  payment cards, 312
  privacy policy, 200
  supported claim type list, 202
  supported token type list, 202
  time expires, 200
  time issued, 200
  user credential element, 201-202, 333
  username and password authentication, 198
  version, 199
  when to use, 203
  wholesale club cards, 309
managed-code applications, 175
Management mode option (CardSpace), 211
management tasks (CardSpace)
  creating and editing Personal Cards, 212-214
  Management mode, 211
  moving cards between computers, 214-215, 218
  overview, 210
managing
  identities for your organization, 325-327
  identities used by other organizations, 327-331
metadata
  Information Cards, 185-187
  WS-MetadataExchange, 154
metasystem. See Identity Metasystem
methods. See specific methods
MEX addresses, 201
Microsoft Passport, 328
migration issues, 320-321
minimal disclosure for constrained use (law of identity), 96-98
moving cards between computers, 214-215, 218
multifactor authentication, 334
multiplayer games, deploying CardSpace in
  getting browser tokens from CardSpace, 267
  getting CardSpace tokens, 264-267
  importing CardSpace files, 264
  opening CardSpace, 264
  overview, 262-263

N
native-code applications, 175
natural gas market, 330
negotiation
  definition, 124-126
  IP agreements, 318-320
  WS-* specifications, 157-158
.NET Framework 3.5, 218-220
nonauditing IPs, 246-247
nonauditing STS (Security Token Service), 340
nonrepudiation, 43
Not Installed errors, 235

O
OASIS token profiles, 148
object tag, 174
objects, AuthenticationContext, 260
obscurity, security by, 38
OLSC (Organization, Location, State, and Country) fields, 341
omnidirectional identity, 102
Open-Source Identity System (OSIS) site, 178
opening CardSpace, 264
operators, pluralism of (law of identity), 104-105
Opinity, 102
OptionalClaims property (Information Card browser extension), 230
Organization, Location, State, and Country (OLSC) fields, 341
OSIS (Open-Source Identity System) site, 178

P
parties, justifiable (law of identity), 98-101
passive requestor case, 155
passive user notification, 296-297
Passport (Microsoft), 328
passwords, 289
  advantages, 29-33
  disadvantages, 33-36
  Managed Cards, 198
  overview, 29
  password authentication, 31
  password authorization, 31
  password fatigue, 34
  remembering, 32
  reuse of, 34
payment cards, 312
Personal Cards
  accepting at websites, 243-244
  advantages, 189-190
  claims supported by, 188-190
  creating and editing, 212-214
  definition, 187
  moving between computers, 214-215, 218
  .NET Framework 3.5, 218-220
  number of, 308
  PPIDs (private personal identifiers), 190-194, 337
  when to use, 194
personally identifiable information. See PII
phishing
  CardSpace and, 180
  definition, 18
  growth of, 19-20
  overview, 18
  step-by-step process, 18-19
  targeted phishing, 19
PII (personally identifiable information)
  definition, 299-300
  reducing liability for, 301-302
piracy,
PKI (Public Key Infrastructure)
  CAs (certification authorities), 44
  definition, 44
  digital certificates, 45
plaintext, 39
pluralism of operators and technologies (law of identity), 104-105
policies
  Policy Error, 236
  WCF (Windows Communication Foundation), 261-262
  WS-Policy, 144-145
PPIDs (private personal identifiers), 190-194, 277, 337
preparing for CardSpace implementation, 275-276
principals (Kerberos), 72
principles of identity. See laws of identity
privacy
  awareness of, 272
  PII (personally identifiable information)
    definition, 299-300
    reducing liability for, 301-302
  responsibility of IPs to protect, 336, 339
PrivacyUrl property (Information Card browser extension), 231
PrivacyVersion property (Information Card browser extension), 231
private desktop (CardSpace), 204-206
private keys, 41
private personal identifiers (PPIDs), 190-194, 277, 337
processing claims (WCF), 260-261
processing tokens
  decryption, 238-240
  integrity check, 238, 241
  retrieval of claim values, 238, 242-243
  validation, 238, 241-242
profiles
  migration issues, 320
  token profiles, 148
prompting users for Information Cards, 294-295
properties of Information Card browser extension
  issuer, 228-229
  IssuerPolicy, 229
  OptionalClaims, 230
  PrivacyUrl, 231
  PrivacyVersion, 231
  RequiredClaims, 229-230
  TokenType, 230-231
protocols
  HTTP (HyperText Transfer Protocol), 47-49, 89
  HTTPS
    authentication and digital identity, 52-57
    CardSpace login page, 173
    overview, 49-52
Identity Metasystem encapsulating protocol, 126, 158 Kerberos, 72-76 authentication process, 72-74 principals, 72 TGS (ticket granting service), 73-74 tickets, 72 SAML (Security Assertion Markup Language), 76-79, 95, 153 SOAP (Simple Object Access Protocol), 142-143 SSL (secure sockets layer), 62-65 TCP/IP, 113 Wi-Fi, 113 WSDL (Web Services Description Language), 144 providing claims-based services, 331-332 public key cryptography, 39-41 Public Key Infrastructure See PKI public keys, 41 R R-STS (Resource STS), 249-251 reasonable, definition of, 106 recording keystrokes, 17 recovering accounts, 291-293 reliability (IPs), 338 relying on IPs (identity providers), 315 benefits of using IPs, 316-317 migration issues, 320-321 negotiating agreements, 318-320 relying parties See RPs 352 Index Relying Party Identification page (CardSpace), 204, 207-208 Remember Me Next Time check box, 283 remembering passwords, 32 reputations of IPs (identity providers), 336-339 Request for Security Token (RST), 150 RequiredClaims property (Information Card browser extension), 229-230 Resource STS (R-STS), 249, 251 responsibility of IPs (identity providers) to protect privacy, 336, 339 retirement portfolio managers, connecting to, 330 retrieval of claim values (tokens), 238, 242-243 reuse of passwords, 34 rich applications, 175 roaming with Information Cards, 340-341 root certificates, 45 RPs (relying parties) advantages of becoming, 270-273 definition, 117 misconceptions about becoming an IP (identity provider), 306-308 overview, 269, 305 relying on IPs (identity providers), 315 benefits of using IPs, 316-317 migration issues, 320-321 negotiating agreements, 318-320 selection of IPs (identity providers) airline mileage cards, 311 authentication levels, 314-315 auto club cards, 310 credit cards, 311 driver’s license or government-issued ID cards, 310 grocery stores, 314 IP qualifications, 312-313 overview, 309 payment cards, 312 wholesale club cards, 309 RST (Request for Security Token), 
150 S SAML (Security Assertion Markup Language), 76-79, 95, 153 script kiddies, scripting CardSpace error handling Access Denied error, 236 Argument Error, 236 Identity Validation error, 235 Not Installed error, 235 overview, 233-234 Policy Error, 236 Service Busy error, 235 Service Failure error, 235 Trust Exchange error, 236 Unsupported Error, 237 Untrusted Recipient error, 236 User Cancelled error, 235 retrieval of claim values, 238, 242-243 sample script, 232 token decryption, 238, 240 token integrity check, 238, 241 token validation, 238, 241-242 secure sockets layer See SSL Security Assertion Markup Language (SAML), 76-79, 95, 153 security by obscurity, 38 Security Token Service (STS), 324 benefits, 325-327 nonauditing STS, 340 selection of IPs (identity providers) airline mileage cards, 311 authentication levels, 314-315 auto club cards, 310 credit cards, 311 driver’s license or governmentissued ID cards, 310 IP qualifications CRAs (credit-reporting agencies), 313 DMV (department of motor vehicles), 313 grocery stores, 314 overview, 312 overview, 309 payment cards, 312 wholesale club cards, 309 self-issued credential (Managed Cards), 202 Serack, Garrett, biographical information, xxvii server authentication challenges, 35-36 overview, 38 servers, synchronizing, 275 service behaviors, 259 Service Busy errors, 235 Service Failure errors, 235 service orientation, four tenets of, 94 services, web See web services seven laws of identity consistent experience across contexts, 108-110, 129-130 directed identity, 102-104 human integration, 105-107 justifiable parties, 98-101 minimal disclosure for constrained use, 96-98 overview, 92-93 pluralism of operators and technologies, 104-105 similarity to four tenets of service orientation, 94 user control and consent, 94-96 Sign In with Your Information Card button, 283 sign-in process (CardSpace), 285-286 signatures, digital, 42-44 signWith policy option, 262 simple authentication, 272 Simple Object Access Protocol 
(SOAP), 142-143 Index single sign on (SSO), 77-78 site-specific IDs (SSIDs), 195, 298-299 smartcards, 60-62 sniffers, 23 SOAP (Simple Object Access Protocol), 142-143 social-networking sites, 332 Social Security Numbers (SSNs), 28, 98, 317-318 soft certificates, 62 spam, 14 See also phishing SQL injection, 26 SSIDs (site-specific IDs), 195, 298-299 SSL (secure sockets layer) client authentication, 62-65 EV (Extended Validation) SSL certificates, 209, 271, 276, 341 SSNs (Social Security Numbers), 28, 98, 317-318 SSO (single sign on), 77-78 STS (Security Token Service), 324 benefits, 325-327 nonauditing STS, 340 style sheets, 281-282 subjects, 117-118 supported claim type list (Managed Cards), 202 supported token type list (Managed Cards), 202 symmetrical key cryptography, 38-39 synchronizing servers, 275 system requirements (CardSpace), 176 T tags, 174 TCP/IP, 113 TGS (ticket granting service), 73-74 thumbprints, 43 ticket granting service (TGS), 73-74 tickets (Kerberos), 72 time expires (Managed Cards), 200 time issued (Managed Cards), 200 TokenProcessor page (CardSpace), 174-175 tokens browser tokens, getting from CardSpace, 267 CardSpace Token Processor page, 174-175 decryption, 240 WCF (Windows Communication Foundation), 258-259 in websites, 238 display tokens, 338 hard tokens, 65-69 integrity check, 238, 241 issued token-based authentication definition, 70 Kerberos, 72-76 overview, 69-71 SAML (Security Assertion Markup Language), 76-79 migration issues, 320 requesting in multiplayer games, 264-267 retrieval of claim values, 238, 242-243 RST (Request for Security Token), 150 token profiles, 148 validation WCF (Windows Communication Foundation), 260 in websites, 238, 241-242 TokenType property (Information Card browser extension), 230-231 training users to look for Information Card sign-in, 285 transporting credentials, 79-84 Trojan horses, trust brokered trust, 134-136, 161 overview, 38, 115-116 trust boundaries, crossing, 324-325 353 Trust Exchange errors, 236 
trusted interactions, 181-184 WS-Trust, 149-153 U unidirectional identity, 102 UniqueIDs, 277 unknown cards, handling, 286-287 Unsupported Error, 237 Untrusted Recipient errors, 236 user acceptance of online services, 91 user authentication See authentication User Cancelled errors, 235 user control and consent (law of identity), 94-96 user credential element (Managed Cards), 201-202, 333 user-centric federation, 328 UserIDs, 277 usernames, 198 users acceptance of online services, 91 CardSpace walkthrough from user’s perspective, 170, 172 consistent user experience, 129-130, 177-181 passive user notification, 296-297 prompting for Information Cards, 294-295 training to look for Information Card sign-in, 285 user control and consent, 94-96 V validated-claim services, 332 validating tokens WCF (Windows Communication Foundation), 260 in websites, 238, 241-242 Victoria’s Secret, 98 virtualization of assets, 10-16 354 Index viruses definition, importance of, motivation behind worm creation, W WCF (Windows Communication Foundation) adding CardSpace to, 255-256 calling CardSpace from, 256-258 claims processing, 260-261 overview, 252-255 policy options, 261-262 token decryption, 258-259 token verification, 260 web browsers, 162 web developers, CardSpace walkthrough from web developer’s perspective HTTPS login page, 173 Information Card object tag, 174 TokenProcessor page, 174-175 Web pages, 175 web services definition, 137 overview, 137-138 SOAP (Simple Object Access Protocol), 142 web browsers, 162 WS-* specifications history and development, 138-141 Identity Metasystem components as WS-* features, 156-157 Identity Metasystem implementation, 159-161 token profiles, 148 WS-Addressing, 144 WS-Federation, 154-156, 162 WS-MetadataExchange, 154 WS-Policy, 144-145 WS-Security, 145-148 WS-SecurityPolicy, 154 WS-Trust, 149-153 WSDL (Web Services Description Language), 144 XML (Extensible Markup Language), 141-142 Web Services Description Language (WSDL), 144 websites, deploying 
CardSpace in auditing and nonauditing IPs, 246-247 dynamically setting site requirements, 232 Information Card browser extension HTML syntax, 226 issuer property, 228-229 IssuerPolicy property, 229 OptionalClaims property, 230 overview, 224-225 PrivacyUrl property, 231 PrivacyVersion property, 231 RequiredClaims property, 229-230 TokenType property, 230-231 within Web forms, 227-228 XHTML syntax, 227 logon process, 224 Managed Cards, accepting, 244-246 Personal Cards, accepting, 243-244 scripts error handling, 233-237 example, 232 retrieval of claim values, 238, 242-243 token decryption, 238-240 token integrity check, 238, 241 token validation, 238, 241-242 Welsh, Amanda, 29 What Is This? link, 283 wholesale club cards, 309 Wi-Fi, 113 Windows Event Viewer, 237 Windows CardSpace See CardSpace implementation Windows Communication Foundation Unleashed, 252 Windows Communication Foundation See WCF Windows Server 2003, 176 Windows Vista, 176 Windows XP SP2, 176 worms definition, ILOVEYOU, 7-8 importance of, motivation behind worm creation, WS-* specifications, 271 history and development, 138-141 Identity Metasystem components as WS-* features, 156-157 Identity Metasystem implementation brokered trust, 161 canonical scenario, 159-161 overview, 136-138 token profiles, 148 WS-Addressing, 144 WS-Federation, 154-156, 162 WS-MetadataExchange, 154 WS-Policy, 144-145 WS-Security, 145-148 WS-SecurityPolicy, 154 WS-Trust, 149-153 WSDL (Web Services Description Language), 144 wsFederationHttpBinding binding type, 257 wsHttpBinding binding type, 256 X-Y-Z X.509, 45 certificates, 192, 197 V3 credential (Managed Cards), 201 XHTML Information Card browser extension, 227 XML (Extensible Markup Language), 141-142 ... wife Brandie and their two children Téa and Indyanna, for the time, encouragement, and understanding to work on the book He would also like to thank Vittorio, Caleb, and Joan, for their endless... 