Steffo's Echolot


Only technical stuff here.
« Vaau, Roles and... | Main | The easiest OpenSSO... »
Wednesday May 28, 2008

Cardspace compromised?

My colleague Jörg was listening to the radio when they broadcasted that a weakness in Microsoft's
Cardspace identity metasystem has been found. Here's the link http://demo.nds.rub.de/cardspace/.

From a quick look, the attack is rather an application to dynamic pharming (DNS pinning) and general
browser/user security than an attack on the CardSpace protocol itself. The only thing which is CardSpace related is the fact that a security token can be replayed and that CardSpace doesn't require an undeniable token: whoever possesses the token has access to the service provider. Sun Access Manager has a (weak) approach to undeniable tokens by tying them to an IP address. However, this might lead to problems as in many setups HTTP proxies are used.

The "CardSpace" attack again shows that two or three security issues can easily add up to a bigger problem.

Posted at 02:14PM May 28, 2008 by steffo in Identity Systems  |  Comments[0]

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
Archives
« November 2009
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
     
       
Today


Links



Referrers

Today's Page Hits: 4