Microsoft: CardSpace attack works but was too rigged

Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.

CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.

Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.

View Full Article: InfoWorld

Researchers breach Microsoft’s CardSpace ID technology

A trio of computer security researchers say they’ve successfully compromised Microsoft’s CardSpace, a technology intended to strengthen the security of personal information on the Internet.

CardSpace ships with the Windows Vista operating system. It works in concert with a browser when someone uses a Web site that asks for information such as an address or a credit card number. That personal information can be stored on the user’s computer or with a third-party identity provider.

CardSpace keeps a set of virtual ID cards on the user’s computer. When a Web site asks for information, the user picks one of the cards. “Self-issued” cards store identity information on a user’s PC, while “managed” cards are stored by an identity provider.

View Full Article: InfoWorld