Defense in Depth

Read all 'CardSpace' posts in Defense in Depth
June 2, 2008 12:48 PM PDT

Researchers say Microsoft's CardSpace vulnerable

by Robert Vamosi
  • 2 comments

Using attacks similar to those used to break .Net PassPort, a group of students at the Ruhr Universitat Bochum in Germany claim to have stolen CardSpace's security tokens from a compromised machine. But Microsoft dismisses the attack, saying an attacker would need a user's help.

CardSpace is included within .NET Framework 3.0 and allows users to create personal information cards that are shared with participating Web sites for authentication. A user creates a CardSpace card for a site and the .NET software then obtains a digitally signed XML token from the site issuer. What the students in Germany say they've done is taken one of the security tokens from an Internet Explorer 7 browser.

The students, Sebastian Gajek, Jörg Schwenk, and Xuan Chen say they modeled their CardSpace attack after Kormann and Rubin's 2000 attack on CardSpace's predecessor, .Net PassPort. The students write "our proof-of-concept attack builds upon identical adversarial assumptions. In fact, the potential difference between the .NET passport and CardSpace protocol lies in the browser's handling of security tokens."

The students cite a potential for a drive-by Pharming attack, where a user visits a malicious Web site that changes the DNS server on the computer. Once changed, the students demonstrate that it is possible to steal the security token that is at the heart of CardSpace.

Microsoft did not respond directly to the claims made by the students but a company spokesperson directed CNET to Kim Cameron's blog entry from last Friday analyzing this attack. Cameron is the chief architect of identity in the Connected Systems Division at Microsoft and he faults the student's work on two counts:One, he says, Windows Vista makes it hard for a silent attack to change the DNS server without the user knowing. And two, he says once that rogue DNS server is added, it's hard for Windows Vista to accept it as a trusted authority without the user knowing. Cameron has produced a video video to demonstrate these points.

However, the students did not use Windows Vista; they stole a security token from an Internet Explorer 7.0.5730.13 browser running under Windows XP SP2.

Topics:
Security
Tags:
security,
Microsoft,
CardSpace,
.Net Framework,
Sebastian Gajek,
Jörg Schwenk,
Xuan Chen,
Kim Cameron,
.net PassPort
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET