APR-JUN 2007 Vol 3 Issue 13

Technova

Digital Identities for Better Online Security

by Tanmay
Software Trainee, Tata Consultancy Services

If there's one thing that really gets one's goat about the internet, it probably has to do with security. Sure, enhanced security is for our own benefit. The most common kind of security token on the Internet today is just a username. The most common way to prove that a username is really yours is by providing the password associated with it. Because sites that do this typically use SSL for communicating with your browser, this approach has been seen as reasonably secure. SSL ensures that the entire communication is encrypted, so attackers can't steal your password by listening in on the communication. Yet password-based schemes like this are vulnerable to another kind of attack: phishing (being tricked into providing sensitive information over the internet to unverified sources). By sending deceptive e-mail messages, attackers attempt to trick users into logging in to spurious copies of real sites, revealing their passwords and perhaps other personal information. Rather than authenticating users with passwords, a relying party such as a website might instead authenticate users with security tokens. This approach minimizes the use of passwords, but it is applicable only for a specific set of sites, since there is no single identity provider that all websites would accept to issue security tokens. In a nutshell, the problem is this: a relying party would like to accept security tokens created by an identity provider, since doing so would let it replace password-based logins that can be phished. In most cases, however, there is no widely accepted third-party identity provider to create these tokens.

Cardspace

This brings us to the concept of digital identity and CardSpace, which Microsoft has begun gunning for with Vista and the .NET Framework version 3.0. Windows CardSpace aims to help you create and manage digital identities that can be used over the internet to register and log in to websites, or basically to conduct any sort of transaction, just like the business cards, credit cards and membership cards that we use in the physical world.

Windows CardSpace, formerly codenamed 'InfoCard', is a piece of client software that enables users to provide their digital identity to online services in a simple, secure and trusted way. Such identity cards can either be self-issued, meaning you can create your own, or be given to the user by an identity provider such as their bank, employer or government. The CardSpace user interface enables users to create personal cards and associate a limited set of identity data with them. When the user chooses a card, a request in the form of a web service call goes to the relevant provider, and a signed and encrypted security token is returned containing the required information (e.g. credit limit, employer's name and address, or perhaps a social security number). The user, in control of the flow of information at all times, then decides whether to release this information to the requesting online service. If the user approves, the token is sent on to the relying party, where it is processed and the user is authenticated. To prevent an attacker from reusing it, the token contains a timestamp and other information as well, making it useless to anyone except its original user.

How Information Cards Are Acquired

Now the question arises: how are information cards acquired? Cards are created by identity providers. For a self-issued identity, the user creates the card with graphical tools such as Windows CardSpace itself. For other identities, the appropriate card is acquired through the provider's website or from an e-mail sent by the provider. After creation, each card is digitally signed by the identity provider; the signature is used for verification.
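As an added illustration of the token exchange described in the two sections above (this is example code, not Microsoft's CardSpace implementation), the following Python model shows an identity provider issuing a signed token that carries only the claims a site asked for, the user consenting or declining to release it, and the relying party checking the signature, the intended audience, the validity window and a replay list before it authenticates anyone. The names bank.example and shop.example, the sample card, the claim names and the shared demo key are all constructed; an HMAC with that shared key stands in for the provider's real signature, and the encryption of the token in transit is left out.

```python
"""Miniature model of a provider-issued security token exchange (added example,
not CardSpace's own code). HMAC with a shared demo key stands in for the
identity provider's signature; transit encryption is omitted (assumptions)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed demo key shared by issuer and relying party. Assumption: a real
# provider signs with a private key and the relying party verifies with the
# matching public key; the symmetric key here only keeps the example short.
DEMO_IDP_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


class IdentityProvider:
    """Issues signed tokens for an information card it has vouched for."""

    def __init__(self, name: str, key: bytes, ttl_seconds: int = 300):
        self.name = name
        self.key = key
        self.ttl_seconds = ttl_seconds

    def issue_token(self, card: Dict[str, object], requested: List[str],
                    audience: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = {
            "iss": self.name,
            "aud": audience,                    # the relying party this token is for
            "sub": card["subject"],
            "claims": {k: card[k] for k in requested if k in card},  # only what was asked
            "iat": now,
            "exp": now + self.ttl_seconds,      # timestamp bounds the reuse window
            "jti": secrets.token_hex(8),        # unique id so a replay can be spotted
        }
        body = json.dumps(payload, sort_keys=True).encode("utf-8")
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class RelyingParty:
    """Website that accepts provider-issued tokens instead of passwords."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key
        self.seen_token_ids: set = set()

    def verify_token(self, token: str, now: Optional[float] = None) -> Tuple[bool, object]:
        """Return (True, claims) if the token is accepted, else (False, reason)."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:                      # binascii.Error is a ValueError
            return False, "malformed token"
        expected = hmac.new(self.idp_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"       # altered claims or not from the provider
        payload = json.loads(body)
        if payload.get("aud") != self.name:
            return False, "wrong audience"      # issued for some other site
        if now >= payload.get("exp", 0):
            return False, "expired"
        if payload["jti"] in self.seen_token_ids:
            return False, "replayed"
        self.seen_token_ids.add(payload["jti"])
        return True, payload["claims"]


def with_altered_claim(token: str, claim: str, value: object) -> str:
    """Rewrite one claim but keep the original signature, to show tampering is caught."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["claims"][claim] = value
    return _b64(json.dumps(payload, sort_keys=True).encode("utf-8")) + "." + sig_b64


def run_exchange(approve: bool, now: float = 1000.0) -> Tuple[bool, object]:
    """End-to-end: card chosen, token fetched, user consents, relying party verifies."""
    idp = IdentityProvider("bank.example", DEMO_IDP_KEY)
    shop = RelyingParty("shop.example", DEMO_IDP_KEY)
    card = {"subject": "alice", "name": "Alice Example",      # constructed sample card
            "credit_limit": 5000, "ssn": "000-00-0000"}
    token = idp.issue_token(card, ["name", "credit_limit"], audience=shop.name, now=now)
    if not approve:                     # the user stays in control of release
        return False, "user declined to release the token"
    return shop.verify_token(token, now=now + 5)


if __name__ == "__main__":
    print(run_exchange(approve=True))   # (True, {'credit_limit': 5000, 'name': 'Alice Example'})
    print(run_exchange(approve=False))
```

Note that the social security number on the sample card never leaves the provider because the site did not request it, and the same token presented twice, to a different site, after its expiry, or with an edited claim is refused with a distinct reason, which is what a relying party's logs should record.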

Advantages

To begin with, it reduces the risk of being 'phished' or 'key-logged' (where a program runs in the background and picks up any usernames and passwords that you enter). Since the information card is stored in an encrypted format on your computer, no other user from any other location can log in under your alias. To use your digital identity from any other PC, you will have to create a password-protected backup from the original computer. You can carry the backup on a USB stick.

Conclusion

Standardization of digital identities can make the networked world as easy and as safe as the physical world. Use of such identities reduces the need for password-based logins and increases users' trust in the website concerned. At the same time, it reduces phishing attacks. While support for CardSpace is currently low, you can expect it to pick up as more users migrate to Vista. Once that's done, though, you won't have to pull out your credit card and manually key in the details ever again.

Disclaimer: The views expressed in the articles are the authors' own views; B'Cognizance and IIITA are not liable for any objections arising out of the same. The matter here is solely for academic use.
