On the Insecurity of Microsoft's Identity Metasystem CardSpace

Sebastian Gajek, Jörg Schwenk and Xuan Chen

Technical report HGI TR-2008-003
Horst Görtz Institute for IT Security, Ruhr-Universität Bochum
17 pp., 9 June 2008

Abstract: Microsoft has designed a user-centric identity metasystem encompassing a suite of protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer 7 or Firefox 2 (with an add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target for attack. We study the security of CardSpace and show that the browser-based protocol is vulnerable to attacks in which the adversary steals the security token. Consequently, we provide evidence that users can be impersonated and are hence potential victims of identity theft. We demonstrate the practicability of the attack by presenting a proof-of-concept implementation building on dynamic pharming [Karlof et al., CCS'07]. Finally, we discuss countermeasures addressing both the CardSpace identity metasystem and the protocol.