How Cardspace secure RST message? RRS feed

  • Question

  • Hi all,

    In fact, this thread contains a bundle of questions related to Cardspace, not only about RTS message.

    1. Authentication of user to Identity Provider (I call IdP STS)

    I have read the writing of Vittorio about the format of .CRD file

    I'm not sure that I understood well his explanation. In my opinion, Before giving to IdP STS the RST message, user must authenticate to IdP STS using the method indicated in the CRD file. We are 5 types of authentication methods
    - none
    - username/password
    - Kerberos
    - X509
    - SAML token

    For the first two methods, it's clair but for the rest, I do not understand.
    - Kerberos: Where does the card selector get the Kerberos ticket?
    - X509: Using PKI available?
    - SAML token: Card Selector construct a SAML token and send it to IdP STS to verify? If it is, how IdP STS can verify this token?

    2. Securing RST message?

    As far as I know, the card selector must sign the RST message using user's private key certified by a certificate (that IdP STS easily retrieve to verify user's signature). The question is:
    - Where is the private key stored?
    - How does IdP STS know about encryption method used to encrypt the RST?
    - In the case that InfoCard is associated with a smartcard (where the private key is stored), the process of signing the RST message is carried out on the PC of user or on smartcard?

    Thank you all for reading and all if relying for spending time to answer these questions.
    I'm really new to this kind of stuff.

    Look forward to hearing from you.
    Best regards,
    Wednesday, July 23, 2008 6:54 PM

All replies

  • Well I'm not sure there's a none option Smile

    For kerberos it comes from the network kerberos server.
    For X509 the public part of the certificate gets sent, the STS can then check it's one it knows.
    For SAML the selector checks for the PPID of the self issued card the managed card is locked to; and the PPID and signing certificate is sent as part of the RSTR

    An RST is signed, not encrypted. The private key for this varies; it's stored in the card database I believe.
    Wednesday, July 23, 2008 10:29 PM
  • As blowdart mentioned, there is no "none" option for managed card.

    You mentioned "In my opinion, Before giving to IdP STS the RST message, user must authenticate to IdP STS using the method indicated in the CRD file". Actually, the authentication data is sent as part of RST. It is not a separate step.


    The actual securing of the RST depends upon the binding being used. Extensive details available in the Identity Selector Intreop profile (with sample message exchanges) at http://www.microsoft.com/downloads/details.aspx?DisplayLang=en&FamilyID=b94817fc-3991-4dd0-8e85-b73e626f6764


    If pure message security is used, the RST is generally encrypted (the symmetric encryption key is encrypted using the STS's public key from cert). If mixed-mode security is used (over HTTPS), then SSL channel is relied upon for securing the message and no encryption happens inside the RST message.


    For smartcard, CardSpace uses standard OS Crypto API to gain access to the smartcard certificate and use it. All this is routed via the CSP.

    Friday, July 25, 2008 4:38 PM