Risks of the CardSpace protocol


Abstract

Microsoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with an add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target to attack. We examine the security of CardSpace against today's Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not protect against replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof-of-concept attack. Finally, we suggest several areas of improvement. © 2009 Springer Berlin Heidelberg.


Gajek, S., Schwenk, J., Steiner, M., & Xuan, C. (2009). Risks of the CardSpace protocol. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5735 LNCS, pp. 278–293). https://doi.org/10.1007/978-3-642-04474-8_23