thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, May 28, 2008

German Students Break CardSpace Security

Three students from the Ruhr-University Bochum in Germany were able to intercept the security token and, based on that, impersonate the legitimate user during the lifetime of the security token (corrected from: read the plain text of the cards' content, e.g. name, credit card number and other things). They basically did this by means of an extended man-in-the-middle attack through DNS manipulation:
"We study the security of CardSpace and show that the browser-based protocol is susceptible to attacks, where the adversary steals the security token. Consequently, we prove evidence that users are impersonatable and the ones who potentially suffer from identity theft. We confirm the practicability of the attack by presenting a proof of concept implementation. Finally, we discuss countermeasures, addressing both the CardSpace identity metasystem and the protocol."
See the short description and the full report (pdf).

Heise Security tried to reproduce the attack without success, though. Microsoft is already working on a solution.

3 Comments:

Anonymous said...

Ralf, besides the other issues with the attack, which I will address later, please note that there is NO claim that the attacker was able to decrypt and read the contents of the token. Could you please make this clear?

29/5/08 07:42

 
Ralf Bendrath said...

Thanks, corrected it.
(I did not have time to read the full paper. This misinterpretation was reported by Heise Security, so I relied on that.)

29/5/08 12:33

 
Unknown said...

Microsoft is not working on a solution because there is no CardSpace problem. Please see here http://www.identityblog.com/?p=987 and here http://www.identityblog.com/?p=988. The magazine c't screwed up on this. The punch line was more important than thinking. Too many people write about this who don't have time to understand the alleged "attack". Some even don't have time to read the full paper.

3/6/08 09:35

 
