Decrypting Windows CardSpace (formerly InfoCards)
What is Windows CardSpace
Windows CardSpace is an industry-standard solution for managing a user's identity on the Internet. In other words, Windows CardSpace is a simple and secure way to identify users without requiring them to enter their user names and passwords again and again as they move between Web resources. The identity metasystem, adopted by major software vendors, may become a crucial step forward. Given the urgency of security concerns, Microsoft is making significant efforts to promote it. Unlike earlier unified identification technologies (e.g., Microsoft Passport), Windows CardSpace directly manages the users and applications that are to be contacted. In other words, different schemes and levels of strictness can be used for access identification; e.g., when registering with Web forums versus online banking.
Windows CardSpace support is implemented in .NET Framework 3.0. Microsoft employees have also set out their plans for the development of their identification technologies. After the release of Longhorn Server, scheduled for the end of 2007, the corporation plans to release the Security Token Service technology, intended for integration with Active Directory. Security Token Service is a lightweight gateway that runs under the WS-Trust specification for servers and clients and acts as an intermediary when exchanging security tokens such as Kerberos, SAML, etc. According to Microsoft, the foundations of its identification platform, the Identity Metasystem, are Active Directory and Microsoft Identity Integration Server (the latter is to be built into Windows). Over time, the corporation intends to implement in these two products support for strong credentials (such as smart cards), access management, a single point of entry, unified identification, protection of information rights, process auditing and automation.
At the application level, Windows CardSpace is a panel of identification cards that can be used to authenticate the user on various online resources. The selector indicates the type of credentials required to access each resource.
Windows CardSpace gives the user the ability to create and manage his Information Cards (or simply InfoCards). Just as a person's identity is certified, for example, by a driver's license, passport or credit card, an InfoCard is a data set certified by the issuer's digital signature.
More information on Windows CardSpace is available on Wikipedia.
Personal Information Card
A Personal Information Card is a type of InfoCard that the user creates on his own and in which he records his personal data. That is why a Personal Information Card is often called a 'Self-issued Card'. Unlike a Managed Card, a Personal Information Card, along with its data, is stored locally in a special encrypted storage. A Personal Information Card contains a fixed set of personal data that cannot be extended. Along with the set of private data, the Personal Information Card includes general information (InfoCard version, date issued and updated, current state and status, etc.), a Uniform Identifier and a Master Key for encrypting private data and generating cryptographic keys. Note that the user can set additional protection with a PIN, the InfoCard password.
The data encryption and storage methods of the Personal Information Card deserve a closer look, mainly because of the number of tricks used to protect the data.
To begin with, the InfoCard storage is a locked folder inside the user's profile to which access is denied to everyone (including the Administrator) except the system itself. The path to the Vista CardSpace storage normally looks like this: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\CardSpace. This folder contains two files:
CardSpace.db - the primary storage for all of the user's cards.
CardSpace.db.shadow - a backup storage used during card addition, removal and similar operations.
Windows CardSpace encryption
Windows CardSpace encryption follows the Master Key principle. In other words, to decrypt Windows CardSpace, one first has to decrypt its Master Key, which is then used as the primary material for decrypting the cards. An intriguing feature of the Windows CardSpace Master Key is that decrypting it takes two steps: first with the current user's DPAPI, then with the system's DPAPI. Thus Windows CardSpace is bound not only to the current user but also to the operating system.
The Windows CardSpace Master Key, in turn, takes part in decrypting all cards. Each card stored in Windows CardSpace consists of three objects:
- InfoCard public data, which holds the card's system data: card version, name, creation/installation/modification dates, uniform identifier, logo, etc.
- InfoCard private data. This object, like a phone book, holds the most frequently used claims. In a Personal InfoCard this set is also fixed. It does not contain passwords, account information or credit card numbers, which minimizes the risk of disclosing the user's confidential data. All InfoCard private data is encrypted with the InfoCard PIN.
- InfoCard Master Key. The InfoCard Master Key is a set of random data used to generate the public/private key pair used for signing, and to encrypt the InfoCard private data if the card is PIN-locked.
InfoCard private data is encrypted with the user's password (the InfoCard PIN). But what happens if the PIN is lost or forgotten? Fortunately, there is a way to recover the InfoCard PIN. The bad news is that in the hardest cases (a long or tricky PIN) recovery is extremely difficult, if possible at all. Nevertheless, let's take a look at this process in the Network Password Recovery Wizard.
The linear scheme for decrypting InfoCard private data with an unknown PIN can be split into 7 major stages of the Wizard:
- Select data source - CardSpace vs CardSpace Backup
- Read and decrypt system credentials
- Decrypt system's Master Key
- Decrypt user's (data owner) Master Key
- Decrypt InfoCard public data. Select the card
- Recover InfoCard PIN
- Decrypt InfoCard private data if the previous step was a success
* Steps 2-4 of the application's Wizard are not available in automatic mode.
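A toy model of the key hierarchy described above, added here as an illustration and not code from the original article or from the Network Password Recovery Wizard: HMAC-based wrapping stands in for DPAPI and the card ciphers, the storage layout is invented, and salting the PIN-derived key with the card's own Master Key is an assumption. It shows why a card's private data cannot be decrypted on another machine, under another user account, or with a wrong PIN.

```python
import hashlib
import hmac
import os

# Toy model of the CardSpace key hierarchy (added example, not CardSpace's
# real file format or algorithms): each "wrap" is an HMAC-SHA256 keystream
# XOR plus an HMAC tag, standing in for DPAPI and the card encryption.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key for this layer is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def _pin_key(pin: str, card_master: bytes) -> bytes:
    # Assumption: the PIN-derived key is salted with the card's own Master Key.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_master, 10_000, 32)

def build_store(system_secret: bytes, user_secret: bytes, pin: str, private_data: bytes) -> dict:
    cs_master = os.urandom(32)    # Windows CardSpace Master Key
    card_master = os.urandom(32)  # InfoCard Master Key
    return {
        # system DPAPI wraps first, so decryption runs user DPAPI, then system DPAPI
        "master": wrap(user_secret, wrap(system_secret, cs_master)),
        "card_master": wrap(cs_master, card_master),
        "private": wrap(_pin_key(pin, card_master), private_data),
    }

def decrypt_private_data(store: dict, system_secret: bytes, user_secret: bytes, pin: str):
    inner = unwrap(user_secret, store["master"])                  # step 1: user's DPAPI
    cs_master = unwrap(system_secret, inner) if inner else None   # step 2: system's DPAPI
    card_master = unwrap(cs_master, store["card_master"]) if cs_master else None
    if card_master is None:
        return None  # wrong user, wrong machine, or damaged storage
    return unwrap(_pin_key(pin, card_master), store["private"])  # None on a wrong PIN
```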