Haitham S. Al-Sinani
Chris J. Mitchell
ABSTRACT
The recently-proposed PassCard scheme enables CardSpace to be used as a password manager, thereby both improving the usability and security of passwords as well as encouraging CardSpace adoption. However, this scheme does not work with sites using HTTPS, seriously limiting its practicality. In this paper we extend PassCard to support sites using both HTTP and HTTPS. Usernames and passwords are stored in CardSpace personal cards, and these cards can be used to sign on transparently to corresponding websites. PassCard does not require any changes to login servers, default browser security settings or to the CardSpace identity selector; in particular, it does not require websites to support CardSpace. PassCard operates with both the CardSpace and the Higgins identity selectors without any modification. We describe how this new version of PassCard operates, and give security and usability analyses.
- H. S. Al-Sinani and C. J. Mitchell. Implementing PassCard -- a CardSpace-based Password Manager. Technical Report: RHUL--MA--2010--15 (Department of Mathematics, Royal Holloway, University of London), 2010. http://www.ma.rhul.ac.uk/static/techrep/2010/RHUL-MA-2010--15.pdf.Google Scholar
- H. S. Al-Sinani and C. J. Mitchell. Using CardSpace as a password manager. In E. de Leeuw, S. Fischer-Hübner, and L. Fritsch, editors, Proceedings of IFIP IDMAN'10, volume 343 of IFIP Advances in Information and Communication Technology, pages 18--30. Springer, Boston, 2010.Google Scholar
- H. S. Al-Sinani and C. J. Mitchell. Client-based CardSpace-OpenID interoperation. In Proceedings of ISCIS'11. Springer {LNEE}, (to appear), 2011.Google ScholarCross Ref
- H. S. Al-Sinani and C. J. Mitchell. Enhancing CardSpace authentication using a mobile device. In Y. Li, editor, Proceedings of DBSEC'11, volume 6818, pages 201--216. Springer (LNCS), 2011. Google ScholarDigital Library
- C. Herley, P. C. van Oorschot, and A. S. Patrick. Passwords: If we're so smart, why are we still using them? In R. Dingledine and P. Golle, editors, Financial Cryptography and Data Security, volume 5628, Springer-Verlag (LNCS), 230--237, 2009. Google ScholarDigital Library
- M. B. Jones and M. McIntosh (editors). Identity Metasystem Interoperability Version 1.0. OASIS, 2009.Google Scholar
- M. Mercuri. Beginning Information Cards and CardSpace: From Novice to Professional. Apress, New York, 2007. Google ScholarDigital Library
Index Terms
- Extending the Scope of cardspace
Recommendations
CardSpace-liberty integration for CardSpace users
IDTRUST '10: Proceedings of the 9th Symposium on Identity and Trust on the InternetWhilst the growing number of identity management systems have the potential to reduce the threat of identity attacks, major deployment problems remain because of the lack of interoperability between such systems. In this paper we propose a novel scheme ...
Risks of the CardSpace Protocol
ISC '09: Proceedings of the 12th International Conference on Information SecurityMicrosoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for ...
The Venn of Identity: Options and Issues in Federated Identity Management
Digital identities can be associated with everything from people to software applications to entire companies, but human digital identities prove the most interesting and challenging. Human digital identities can simplify network usage and enable new ...
Comments