Risks of the cardspace protocol

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5735 LNCS, Issue , 2009, Pages 278-293

  Gajek, Sebastian ^a   Schwenk, Jörg ^a   Steiner, Michael ^b   Xuan, Chen ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

Analysis; CardSpace; Identity management

Indexed keywords

ANALYSIS; CARDSPACE; FIREFOX; IDENTITY MANAGEMENT; IDENTITY THEFT; INTERNET EXPLORERS; METASYSTEM; MICROSOFT; OPEN STANDARDS; PROOF OF CONCEPT; SECURITY TOKENS; USER-CENTRIC IDENTITY;

INTERNET; INTERNET PROTOCOLS; NETWORK PROTOCOLS; WEB BROWSERS;

NETWORK SECURITY;

EID: 70350406505     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-04474-8_23     Document Type: Conference Paper

References (30)

1. Nanda, A.: A technical reference for the information card profile v1.0 (2006)
2. Liberty Alliance Project: Liberty Phase 2 final specifications (2003)
3. Kaler, C. (ed.): A.N.: Web Services Federation Language (WS-Federation), Version 1.0, BEA and IBM and Microsoft and RSA Security and VeriSign (2003)
4. OASIS Standard: Security assertion markup language, SAML (2002), http://www.oasis-open.org/committees/security/docs/
5. Cantor, S., Erdos, M.: Shibboleth-architecture draft vO5 (2002)
6. Microsoft Corporation: .NET Passport documentation, in particular Technical Overview, and SDK 2.1 Documentation (started 1999) (2001)
7. Kormann, D., Rubin, A.: Risks of the passport single signon protocol. Computer Networks 33(1-6), 51-58 (2000)
8. Groß, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: ACSAC 2003. IEEE Computer Society, Los Alamitos (2003)
9. Groß, T., Pfitzmann, B.: SAML artifact information flow revisited. In: Workshop on Web Services Security. IEEE Computer Society, Los Alamitos (2006)
10. Pfitzmann, B., Waidner, M.: Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing 7(6), 38-44 (2003)
11. Bertocci, V., Garrett Serack, C.B.: Understanding windows cardspace, pp. 224-247. Addison-Wesley, Reading (2007)
12. Personal communication with participants of dagstuhl seminar 09141 on web application security (March 2009)
13. Kaminsky, D.: It's the end of the cache as we know it (2008), http://www.doxpara.com/DHK-B02K8.ppt
14. Zuchlinski, G.: The anatomy of cross site scripting (2003)
15. Jovanovic, N., Kirda, E., Kruegel, C.: Preventing cross site request forgery attacks. In: Securecomm and Workshops, pp. 1-10 (2006)
16. Kirda, E., Krügel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks, pp. 330-337. ACM, New York (2006)
17. Stamm, S., Ramzan, Z., Jakobsson, M.: Drive-by pharming. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 495-506. Springer, Heidelberg (2007)
18. Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D.: Protecting browsers from dns rebinding attacks. In: CCS 2007, pp. 421-431. ACM, New York (2007)
19. Karlof, C., Shankar, U., Tygar, J.D., Wagner, D.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: CCS 2007, pp. 58-71. ACM, New York (2007)
20. Akritidis, P., Chin, W.Y., Lam, V.T., Sidiroglou, S., Anagnostakis, K.G.: Proximity breeds danger: emerging threats in metro-area wireless networks. In: SS 2007, pp. 1-16. USENIX Association (2007)
21. Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.R., Schwenk, J.: Universally composable security analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313-327. Springer, Heidelberg (2008)
22. Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for md5 and the creation of a rogue ca certificate. In: Crypto 2009. Springer, Heidelberg (to appear, 2009)
23. Dhamija, R., Tygar, J.D., Hearst, M.A.: Why phishing works. In: CHI, pp. 581-590. ACM, New York (2006)
24. Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The emperor's new security indicators. In: Symposium on Security and Privacy, pp. 51-65. IEEE Computer Society, Los Alamitos (2007)
25. Herzberg, A.: Why Johnny can't surf (safely)? attacks and defenses for web users. Elsevier Computers & Security 28(1-2), 63-71 (2009)
26. Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An evaluation of extended validation and picture-in-picture phishing attacks. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886, pp. 281-293. Springer, Heidelberg (2007)
27. Jackson, C., Barth, A.: Beware of finer-grained origins. In: W2SP 2008 (2008)
28. Oppliger, R., Hauser, R., Basin, D.: Ssl/tls session-aware user authentication. Computer 41(3), 59-65 (2008)
29. Rescorla, E.: Keying material extractors for transport layer security (tls). IEFT Internet-Draft (2008)
30. Dierks, T., Allen, C.: RFC2246, The tls protocol version 1.0 (1999)