Haitham S. Al-Sinani

CardSpace-liberty integration for CardSpace users

Whilst the growing number of identity management systems have the potential to reduce the threat of identity attacks, major deployment problems remain because of the lack of interoperability between such systems. In this paper we propose a novel scheme to provide interoperability between two of the most widely discussed identity management systems, namely Microsoft CardSpace and Liberty. In this scheme, CardSpace users are able to obtain an assertion token from a Liberty-enabled identity provider that will satisfy the security requirements of a CardSpace-enabled relying party. We specify the operation of the integration scheme and also describe an implementation of a proof-of-concept prototype. Additionally, security and operational analyses are provided.

Using CardSpace as a Password Manager

In this paper we propose a novel scheme that allows Windows CardSpace to be used as a password manager, thereby improving the usability and security of password use as well as potentially encouraging CardSpace adoption. Usernames and passwords are stored in personal cards, and these cards can be used to sign on transparently to corresponding websites. The scheme does not require any changes to login servers or to the CardSpace identity selector and, in particular, it does not require websites to support CardSpace. We describe how the scheme operates, and give details of a proof-of-concept prototype. Security and usability analyses are also provided.

Client-Based CardSpace-OpenID Interoperation

We propose a novel scheme to provide interoperability between two of the most widely discussed identity management systems, namely CardSpace and OpenID. In this scheme, CardSpace users are able to obtain an assertion token from an OpenID-enabled identity provider, the contents of which can be processed by a CardSpace-enabled relying party. The scheme, based on a browser extension, is transparent to OpenID providers and to the CardSpace identity selector, and only requires minor changes to the operation of the CardSpace relying party.

A universal client-based identity management tool

A wide variety of identity management systems have been introduced to improve the security and usability of user authentication; however, password-based authentication remains the dominant technology despite its well known shortcomings. In this paper we describe a client-based identity management tool we call IDSpace, designed to address this problem by providing a single user interface and user experience for user authentication, whilst supporting a range of existing identity management technologies. The goal is to simplify the use of the wide range of existing technologies, helping to encourage their use, whilst imposing no additional burden on existing service providers and identity providers. Operation of IDSpace with certain existing systems is described.

Integrating OAuth with Information card systems

We propose a novel scheme to provide client-based interoperation between OAuth and an Information Card system such as CardSpace or Higgins. In this scheme, Information Card users are able to obtain a security token from an OAuth-enabled system, the contents of which can be processed by an Information Card-enabled relying party. The scheme, based on a browser extension, is transparent to OAuth providers and to identity selectors, and only requires minor changes to the operation of an Information Card-enabled relying party. We specify its operation and describe an implementation of a proof-of-concept prototype. Security and operational analyses are also provided.

Enhancing cardspace authentication using a mobile device

In this paper we propose a simple, novel scheme for using a mobile device to enhance CardSpace authentication. During the process of user authentication on a PC using CardSpace, a random and shortlived one-time password is sent to the users mobile device; this must then be entered into the PC by the user when prompted. The scheme does not require any changes to login servers, the CardSpace identity selector, or to the mobile device itself. We specify the scheme and give details of a proof-of-concept prototype. Security and operational analyses are also provided.

Enabling interoperation between Shibboleth and Information Card systems

Whilst the growing number of identity management systems have the potential to reduce the threat of identity attacks, major deployment problems remain because of the lack of interoperability between such systems. In this paper, we propose a scheme to provide interoperability between two widely discussed identity systems, namely Shibboleth and Information Card systems such as CardSpace or Higgins. When using this scheme, Information Card users are able to obtain an assertion token from a Shibboleth-enabled identity provider that can be processed by an Information Card-enabled relying party. The scheme is based on a browser extension and operates with both the CardSpace and the Higgins identity selectors without any modification. We specify the operation of the scheme and also describe an implementation of a proof-of-concept prototype. Additionally, security and operational analyses are provided. Copyright

Two Proposals for Improving the Image-Based Authentication System: H-IBAS-H

The paper describes a flexible image-based authentication system developed at the University of Portsmouth and proposes two possible additions to the existing system – an additional knowledge-based (KB) authentication stage and an intrusion detection (ID) feature. The knowledge-based part of the authentication procedure will include a realtime question and answer session before the users are allowed to proceed to the second stage and identify the correct images from a number of challenge-sets presented to them. The proposed ID algorithm will employ a statistical data classification technique based on the real-time tracking of the user behavior. Two statistical algorithms are proposed for the implementation of these additional features of the system. Importance sampling technique will be employed to select the attributes for the knowledge-based authentication stage while the expectation maximization (EM) algorithm will form the basis of the intrusion detection part of the system. The paper outlines some issues that need to be resolved before proceeding with the implementation of the additional system features and lists some contributions and insights that might be gained from this work. The paper also reports on a recent pilot experiment conducted in relevance with the work.