
An introduction to Windows CardSpace

This article introduces Windows CardSpace, the new security mechanism in .NET 3.0.

Level : Beginner

In .NET 3.0, there are 4 new technologies. One of them is Windows CardSpace.
 

Windows CardSpace is a Microsoft .NET Framework version 3.0 (WinFX) component that provides the consistent user experience required by the identity metasystem. In particular, Windows CardSpace works to protect the user's identity, and it provides security to our ASP.NET applications.
 

Windows CardSpace is basically about digital identity. In the networked world, identity is currently a much more muddled thing.
 

Windows CardSpace provides four aspects:

  1. Support for any digital identity system
  2. Consistent user control of digital identity
  3. Replacement of password-based Web login
  4. Improved user confidence in remote applications

Windows CardSpace Supports Any Digital Identity

 

There can be multiple identities, coming from different sources, and Windows CardSpace will support any digital identity. An identity can involve three parts:
 

  • User
  • An identity provider, which provides the identity
  • Relying Party 

A user is the person who will be identified; the user holds the identity. This identity is provided by an identity provider. Relying parties are entities that rely on digital identities for, say, authentication, such as a web site or an online service.

Consistent user control of digital identity

To identify a user, every application built to use CardSpace uses exactly the same mechanism for working with digital identities and presents them to users through exactly the same interface, so users have a consistent way to use their digital identities. If a user does not use this consistent way, there may be errors. A user who wants more security for his individual information can use personal identification numbers (PINs). It's worth pointing out that providing a consistent mechanism for users to select which digital identity to use is an intrinsic part of the identity metasystem. To achieve this, CardSpace implements an intuitive user interface for working with digital identities.

Replacement of password-based Web login

The most common way to identify an authorized user on the internet today is a username with an associated password. The user is identified by entering the right username and password. Sometimes the site you are going to access provides the username and password to you. Because sites that do this typically use SSL for communicating with your browser, this approach has been seen as reasonably secure. SSL ensures that the entire communication is encrypted, and therefore attackers can't steal your password by listening in on the communication.

To improve the security of Web login in general, CardSpace allows replacing password-based Web login with a stronger mechanism. CardSpace includes a self-issued identity provider. Information cards created by the self-issued identity provider can contain only basic information, such as the user's name, postal address, e-mail address, and phone number. When a user chooses to submit one of these cards to a relying party, the self-issued identity provider on that user's system generates a SAML token containing the information the user has placed in this card.

The self-issued identity provider also generates a public/private key pair and signs the security token with the private key. The security token contains a timestamp to prevent a phisher from reusing or copying it. The application then sends the signed token, with its associated public key, to the relying party. The relying party can use the public key to validate the security token's digital signature. To make it impossible for relying parties to get together and track a user's activities by comparing that user's public key, the self-issued identity provider creates a different key pair for every relying party that's accessed with this card.
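
The issue-and-validate flow described above, as an added C# sketch that is not part of the original article and does not use the CardSpace API. A plain `iat=<time>;<claims>` string stands in for the SAML token, and the site names, the `Issue` and `Validate` helpers and the five-minute freshness window are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class Demo
{
    // One key pair per relying party, so sites cannot correlate a user by public key.
    static readonly Dictionary<string, RSA> Keys = new Dictionary<string, RSA>();
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5); // assumed freshness window

    // Provider side. An "iat=<time>;<claims>" string stands in for the SAML token.
    static (byte[] Token, byte[] Sig, RSAParameters Pub) Issue(string site, string claims, DateTime nowUtc)
    {
        if (!Keys.TryGetValue(site, out RSA rsa)) Keys[site] = rsa = RSA.Create(2048);
        byte[] token = Encoding.UTF8.GetBytes("iat=" + nowUtc.ToString("O") + ";" + claims);
        byte[] sig = rsa.SignData(token, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return (token, sig, rsa.ExportParameters(false)); // public half only
    }

    // Relying-party side: check the signature first, then the timestamp.
    static bool Validate(byte[] token, byte[] sig, RSAParameters pub, DateTime nowUtc)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(pub);
            if (!rsa.VerifyData(token, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false; // altered token or wrong key
        }
        string first = Encoding.UTF8.GetString(token).Split(';')[0];
        if (!first.StartsWith("iat=", StringComparison.Ordinal) || !DateTime.TryParseExact(
                first.Substring(4), "O", CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out DateTime issued))
            return false; // no usable timestamp
        TimeSpan age = nowUtc - issued;
        return age >= TimeSpan.Zero && age <= MaxAge; // stale tokens are treated as replays
    }
    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        var shop = Issue("shop.example", "name=Alice", now); // constructed sample values
        var bank = Issue("bank.example", "name=Alice", now);
        Console.WriteLine("fresh:    " + Validate(shop.Token, shop.Sig, shop.Pub, now));
        Console.WriteLine("stale:    " + Validate(shop.Token, shop.Sig, shop.Pub, now.AddMinutes(10)));
        shop.Token[shop.Token.Length - 1] ^= 1; // flip one bit of the signed token
        Console.WriteLine("tampered: " + Validate(shop.Token, shop.Sig, shop.Pub, now));
        string shopKey = Convert.ToBase64String(shop.Pub.Modulus);
        Console.WriteLine("same key: " + (shopKey == Convert.ToBase64String(bank.Pub.Modulus)));
    }
}
```

Because the public key travels with the token, a valid signature only proves possession of the matching private key; a relying party that wants to recognise a returning user has to remember the key it saw at registration and compare against it.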

It Improves user confidence in the identity of remote applications

Providing a login control on the site can make users feel somewhat safe from phishing, but this is not 100% secure. From here the phisher can't see the user's password, but the phisher can learn other information. A phisher can build a site with the same logo and information as another site. How, then, can users be sure whether the site they are about to use is secure?

Handling this problem requires two things:

 

  • A higher-assurance way for a website to prove its identity to users.
  • A consistent way for those users to learn what level of assurance a site is offering as proof of its identity, and then to make an explicit decision about whether to trust that site.  

What Information Cards Contain

 

The contents of an information card help the user choose a digital identity. They also allow CardSpace to match a card to a relying party's requirements, and to acquire an appropriate security token from the identity provider that issued this card. To accomplish these two goals, every information card contains the following:

  • A JPEG or GIF file with the image of the card that the user sees on his or her screen, along with the name of the card that's displayed to him or her.
  • A globally unique identifier (specified as a URI) created by the IdP. 
  • A URL for one or more endpoints at this identity provider that can be accessed to request a security token.
  • A URL identifying an endpoint at the identity provider from which its policy can be obtained. As described in the next section, this information also tells CardSpace how requests to the identity provider should be authenticated.
  • The date and time the information card was created.
  • The most important thing to note in a card is whether any required information is missing. For example, if we use a credit card, it should carry the credit card number.

 About the author
 
Rahul Kumar Saxena
Rahul shows great interest in working with Microsoft technologies. He specializes in the implementation of databases and graphics. His areas of expertise include C#, ASP.NET, ADO.NET, Windows Forms and Web Services. He hails from background , Master's in Computer Application. Besides programming, he loves photography, traveling and reading books.
(Talabpur*)
 © 2012  contents copyright of their authors. Rest everything copyright Mindcracker. All rights reserved.