Defense in Depth

June 23, 2008 10:29 AM PDT

Information Card Foundation launched

by Robert Vamosi
  • 4 comments

A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards.

"We need to come together in a neutral body to continue to promote the adoption of this technology," said Paul Trevithick, CEO of Parity and chairman of the ICF.

Information cards are online equivalents of physical ID cards, such as a driver's license. The basic idea is that customers would have an electronic wallet holding various information cards, which would let them bypass typing in user names and passwords. One example of how it could work: a student accessing a university network would simply present his or her electronic student information card.

That basic concept isn't new. Various vendors have introduced variations on this before. Microsoft recently introduced its own CardSpace concept with the Windows Vista operating system.

However, there are "still too many user names, too many passwords," said Kim Cameron, an architect of Identity and Access at Microsoft. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."

What ICF hopes to introduce instead is a tripartite system. In real time, a user would sync over an encrypted connection with an identity provider (say a bank or credit card issuer), and also with a relying party (a university network, a financial site, or an e-commerce site). Unlike a credit card number, which anyone on the Internet can use at any time, the ID card model proposed by the ICF requires that all three players (user, provider, relying party) be synced in real time before the transaction can proceed. The addition of a trusted third party in real time should make the new proposal more secure.
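The security property behind that paragraph is that a token the identity provider issues is bound to one relying party and to a short time window, so it is not a reusable secret the way a credit card number is. The example below, which is added here and is not code from the ICF, Microsoft, or the article, shows the relying-party side of that check in a deliberately simplified form: the signed XML token is replaced by a signed JSON body, and the provider's signature is stood in for by an HMAC under a key the provider and relying party are assumed to share (the constant, the URLs and the claims are all constructed for the demonstration).

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the provider would sign with a
# private key and the relying party would verify with the provider's public key.
IDP_KEY = b"constructed-demo-key-not-for-real-use"


def issue_token(key, subject, audience, claims, now, ttl=300):
    """Identity provider side: bind the token to one relying party (aud) and a short lifetime."""
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(key, token, expected_audience, now):
    """Relying party side. Returns (ok, reason, payload); payload is None on any failure."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    # Check the signature before trusting anything inside the body.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", None
    payload = json.loads(body)
    # Audience binding: a token minted for the university is useless at a shop.
    if payload.get("aud") != expected_audience:
        return False, "audience mismatch", None
    # Freshness: the "real time" part of the model, enforced by a short expiry.
    if now >= payload.get("exp", 0):
        return False, "expired", None
    return True, "ok", payload


def demo_replay_and_tamper(now=1_000_000):
    """Walk through the three failure modes a relying party must reject; returns the reasons."""
    tok = issue_token(IDP_KEY, "student42", "https://university.example", {"role": "student"}, now)
    body_b64, sig_b64 = tok.split(".")
    # Forgery attempt: a new body presented with the old signature.
    forged_body = base64.urlsafe_b64encode(json.dumps({"sub": "admin"}).encode()).decode()
    forged = forged_body + "." + sig_b64
    return {
        "valid": verify_token(IDP_KEY, tok, "https://university.example", now + 10)[1],
        "replayed_elsewhere": verify_token(IDP_KEY, tok, "https://shop.example", now + 10)[1],
        "stale": verify_token(IDP_KEY, tok, "https://university.example", now + 600)[1],
        "tampered": verify_token(IDP_KEY, forged, "https://university.example", now + 10)[1],
    }


if __name__ == "__main__":
    for case, reason in demo_replay_and_tamper().items():
        print(f"{case:>18}: {reason}")
```

The order of the checks matters: signature first, so that nothing in an unauthenticated body (including its audience and expiry fields) is read before it is known to come from the provider.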

Trevithick said that nearly 50 companies participated in discussions at the RSA 2008 conference in February. Additional discussions are planned for upcoming security conferences through the end of 2008. The idea is to bring together as many players in the identification card space as possible. The ICF steering committee currently includes Trevithick, Cameron, Drummond Reed (VP of infrastructure at Parity), Mary Ruddy (founder of Meristic), Axel Nennker (consultant at T-Systems Enterprise Services), Pamela Dingle (consultant for Nulli Secundus), Ben Laurie (of OpenSSL and The Bunker), Andrew Hodgkinson (embedded software engineering consultant and contractor), and Patrick Harding (CTO at Ping Identity).

The foundation's site with more information will be live on Tuesday.

June 2, 2008 12:48 PM PDT

Researchers say Microsoft's CardSpace vulnerable

by Robert Vamosi
  • 2 comments

Using attacks similar to those used to break .NET Passport, a group of students at the Ruhr-Universität Bochum in Germany claim to have stolen CardSpace's security tokens from a compromised machine. But Microsoft dismisses the attack, saying an attacker would need a user's help.

CardSpace is included within .NET Framework 3.0 and allows users to create personal information cards that are shared with participating Web sites for authentication. A user creates a CardSpace card for a site and the .NET software then obtains a digitally signed XML token from the site issuer. What the students in Germany say they've done is taken one of the security tokens from an Internet Explorer 7 browser.

The students, Sebastian Gajek, Jörg Schwenk, and Xuan Chen, say they modeled their CardSpace attack after Kormann and Rubin's 2000 attack on CardSpace's predecessor, .NET Passport. The students write: "our proof-of-concept attack builds upon identical adversarial assumptions. In fact, the potential difference between the .NET passport and CardSpace protocol lies in the browser's handling of security tokens."

The students cite the potential for a drive-by pharming attack, in which a user visits a malicious Web site that changes the DNS server setting on the computer. Once that setting is changed, the students demonstrate that it is possible to steal the security token that is at the heart of CardSpace.

Microsoft did not respond directly to the claims made by the students, but a company spokesperson directed CNET to Kim Cameron's blog entry from last Friday analyzing this attack. Cameron is the chief architect of identity in the Connected Systems Division at Microsoft, and he faults the students' work on two counts. One, he says, Windows Vista makes it hard for a silent attack to change the DNS server without the user knowing. And two, he says that once that rogue DNS server is added, it's hard for Windows Vista to accept it as a trusted authority without the user knowing. Cameron has produced a video to demonstrate these points.

However, the students did not use Windows Vista; they stole a security token from an Internet Explorer 7.0.5730.13 browser running under Windows XP SP2.
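Both the students' attack and Cameron's rebuttal turn on the same observable: the machine's configured DNS resolvers. A cheap defensive check, independent of which Windows version is involved, is to compare the resolvers a host reports against the set the network is supposed to hand out and flag anything else. The example below is added here and is not code from the researchers, Microsoft, or the article; it parses the text that `ipconfig /all` prints (the sample is constructed, trimmed to the relevant fields, and the "expected" resolver set and the rogue address 203.0.113.5 are invented for the demonstration).

```python
import ipaddress

# Constructed sample of `ipconfig /all` output on a Windows XP-era host, with one
# resolver that the campus network never hands out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : student-pc

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : campus.example
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       192.168.1.1
   Lease Obtained. . . . . . . . . . : Monday, June 02, 2008 9:01:12 AM
"""

# Constructed allowlist: the resolvers this network is known to assign.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}


def parse_dns_servers(text):
    """Return {adapter_name: [resolver, ...]} from ipconfig /all text.

    Adapter headers are unindented lines ending in ':'. Fields are
    'Key . . . : value' lines; 'DNS Servers' may continue on indented lines
    that carry only the next address.
    """
    adapters = {}
    current = None
    in_dns = False
    for line in text.splitlines():
        stripped = line.strip()
        if line and not line[0].isspace() and stripped.endswith(":"):
            current = stripped[:-1]
            adapters[current] = []
            in_dns = False
            continue
        if ":" in line and "." in line.split(":", 1)[0]:  # a dotted 'Key . . . : value' line
            key, value = line.split(":", 1)
            in_dns = key.strip(" .").lower() == "dns servers"
            if in_dns and current is not None and value.strip():
                adapters[current].append(value.strip())
            continue
        if in_dns and current is not None and stripped:
            adapters[current].append(stripped)  # continuation line with another resolver
        elif not stripped:
            in_dns = False
    return adapters


def unexpected_resolvers(adapters, expected):
    """Return {adapter: [resolver, ...]} for resolvers outside the expected set."""
    findings = {}
    for name, servers in adapters.items():
        bad = []
        for server in servers:
            try:
                addr = str(ipaddress.ip_address(server))
            except ValueError:
                bad.append(server)  # not even an address: worth a look
                continue
            if addr not in expected:
                bad.append(addr)
        if bad:
            findings[name] = bad
    return findings


def audit_dns(text, expected=EXPECTED_RESOLVERS):
    """Convenience wrapper: parse the ipconfig text and report resolver drift."""
    return unexpected_resolvers(parse_dns_servers(text), expected)


if __name__ == "__main__":
    for adapter, rogue in audit_dns(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(rogue)}")
```

Run periodically from an endpoint agent or login script and alerted on, this catches the precondition of the described attack (a resolver the user did not ask for) whether or not the operating system prompted before the change was made; it says nothing about whether the change was malicious, so the finding is a trigger for a closer look, not a verdict.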


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
