Friday Jan 18, 2008

JavaCard Reader Drivers

In my effort to have a non vendor specific JavaCard reader application/applet. Here's something else I discovered. Well, this may sound silly The SmartCard/JavaCard reader neds to either be built into your desktops/laptops or you may need to use a external reader. You are free to buy a reader from any vendor and in the process of doing so, you would also receive the necessary PC/SC drivers from the vendor.

but to make life simpler, here's a small list of vendors that you may procure your smartcard reader from.

  1. Schlumberger
  2. Gemplus
  3. SCM Microsystems
  4. Towitoko
  5. Omnikey
  6. Advanced Card Systems
  7. Athena Smartcard Systems
  8. Intertex IX
  9. Ankari (American Biometrics)
  10. Orga

There may be some of you who may not want to go through he process of buying a reader and a smartcard but would still be interedted in testing the applet/application without shelling out any moolah. Well, I have something for those folks too. I suggest you use the Smart Card Simulator. TSCS is a program for Windows 32 simulating a terminal and a smart card. Neither a smart card nor a smart card terminal is necessary. Just install the software on your PC and start working with smart cards. With this software you can see ¨into¨ the smart card, create files, send commands and receive the response from the smart card.

The Smart Card Simulator offers you a wide variety of possibilities to learn and work with a smart card. It can be used to understand and to learn the principles of a smart card, design and test a smart card application, calculate typical execution times etc.


Thursday Jan 17, 2008

DE-Federated Identity Access (DEAF)

Identity Management, and Identity Federation has been the buzzword in this space for a while now. According to the definition of "Federated Identity" on wikipedia, it has two general meanings:
  • The virtual reunion, or assembled identity of a person's user information (or principal), stored across multiple distinct identity management systems. Data is joined together by use of the common token, usually the user name.
  • The process of a user's authentication across multiple IT systems or even organisations.
now, this is great when the Legal Entity has a unique "identity" on each of the disparate systems. But when the Legal Entity who has a identity on a system is provided access to a partner site or system, there is absolutely no "Federation" possible if the Legal Entity has no identity on the partner site or system. I was involved in a brainstorming session related to shibboleth with a few technical folks from a university. What came up was the need to allow students from one university to access resources from another university. The folks I was interacting with were "sold" on the idea of federation, but lacked complete understanding of how federation really worked. Here were my concerns:
  • The user needed to have a unique identity on either systems.
  • The user needs to explicitly "federate" his identity. (If he does have a unique identity on each system)
  • If the users identity gets stolen, well, we have a much bigger issue.
(I thought) What the university really needed was implicit Federation. Whereby when a user who has authenticated himself at one university, when provided access to resources in another, should be granted access even thought the user does not have a unique identity at the other. Here's an example:
  1. University1 and University2 belong to a "defined" Circle of Trust.
  2. Student at University1 authenticates at University1.
  3. Student tries to access resources at University2.
  4. University2 Requests University1 to assert the validity of the user session.
  5. University1 Asserts that the user is "A" authenticated user, but does not actually reveal the users "handle" or "identity" in any form
  6. University2 grants the user access by just knowing that the user is a "authenticated" user at University1, without even knowing who the user actually is. (University2 provides just generic content to the user)
  7. User tries to personalize his "content" or University2 needs to provide the User "specific" content based on role the student has at University1
    • University2 would need to prompt the user for "permissions" to derive his "role" from UnIversity1
    • User grants permissions by using a digital signature of some sort.
    • University2 uses that digital signature to request University1 for the Users roles
    • University1 verifies that the digital signature matches that of the Authenticated User and grants University2 the users roles and/or "identity/alias".
    • University2 provisions a local "identity/alias" and associates it with the "role" as asserted by University1
  8. University2 can now allow the user to "personalize "content" or provide the user "content" as necessary.
I believe that with this aproach, even though a student has no "identity" on one system or university (University2 in the example I used) he/She still gets to experience the "magic" of "federation". On second thoughts, If I apply this to the examples widely used in "federation", where a airliner and a car rental company are in a circle of trust, well, I am sure that the car rental company would love to receive a new unidentified user from a "partner airline" and dynamically provision the user and sell him a product !!! it's all about making money in the bargain right ? or is it just making the user experience more enjoyable and easy ? I believe that we'd be kidding ourselves if we say that it's ONLY about "user experience" Now: The user providing his/her "digital signature" to the car rental company is another story altogether.. ;-) Comment Away Please... (Comments are active for only 30 days from the date of this posting) UPDATE : Please Read Pat Patterson's response by Clicking Here or by following the link in the 1st Comment/Trackback below.

Monday Apr 10, 2006

Yet Another Infocard Java Based Infocard RP

AH!!! Hellooo world. Java based infocards are taking over... Here's Yet another Java Based Infocard Relying Party Demo. This time It's Ashish Jain's implementation of it. Ashish works for PingIdentity and is also the co-author of J2EE 1.4 Bible & Enterprise SOA (I bet you didnt need that introduction, as you would have known that already.).

His demo is available at pingidentity's Jetty Based demo server. His implementaion however does not use bouncycastle or XOM but is again a Java based RP developed from scratch using XMLBeans and XMLSEC.

It sure is a chweeth Object Oriented world aint it ??

UPDATE : There's one thing for sure that infocard and WS-\* is helping me with. IE: Making new connections and a LOT of new friends.

Monday Apr 03, 2006

User-Controlled Identity and Changes In My Perception Of it.

Well, I do not wanna say that I buy the concept of User Controlled Identities in it's "entirety" But however I'd like to say that I am trying pretty hard to buy into the "concept". Amartya Sen, The co-author of "Identity and Violence" says that the "freedom to choose one's identity affiliations is the antidote to divisive extremism"

Well. I'd not hesitate to do my part in playing a role to eliminate divisive extremism. And just to add to that I'm buying Kim's concept.. slowly.. very very very very slowly... ;-)

However while on the "identity" subject, like the "rest of the world"... I too have a question for Kim. Whats with this symmetric proof key in the SAML assertion? Like me, I bet there are several-several folks out there who are awaiting an answer... Kim Please... Could you ? PLEASE...

Infocard Invoker with Self Signed Server Certificates

A few folks have been having issues using self signed server certificates to invoke the Identity Selector WinFX Component. Here's a short walkthorough on how to use a self signed certificate and save a few $$$'s from having to but a Certificate from a Trusted Authority.

The key is to use the sha1rsa Signature Algorithm instead of using the default md5rsa Signature Algorithm.

openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt

Then copy the server.key and server.crt to your webservers config directory.
cp server.key /etc/httpd/conf/ssl.key/
cp server.crt /etc/httpd/conf/ssl.crt/

Change file access permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

Made a test cert
make testcert

Create a server.pem file as by concatenating the server.key file and the server.crt file as follows:
cat /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt > /etc/httpd/conf/server.pem

restart your webserver.

Your self signed certificate should now invoke the identity selector without any issues...

NOTE : Remember folks. If youre learning anything at all from all of us who are blogging our experiences and processes about getitng infocard to work in all these various platforms and scenarios to PLEASE "pay it forward".

use-er ecc-entric identity

A must read : via Pat's blog :

From fellow Libertyite, Paul Madsen, comes this amusing take on user-centric identity. Many a true word spoken in jest!
Give it a read. The time spent would be well worth it.

Happy Monday.

Saturday Apr 01, 2006

ie7 that works with infocards (Build 7.0.5296.0)

After several email, I thought that it would be best to point folks to a direct download of ie7 Build 7.0.5296.0 (The version that works). So folks. Please stop emailing me for this version. Simply download it from : If you send me emails, please do not be surprised when I reply with a link to this blog post.

As far as the WinFX components go, download whatever is available from Microsoft's website. It would work.

And as far as the PHP and Java Code release goes (for both the RP and the infocard creator)... Patience my dear Watson, Patience... We've all waited so long for the right folks to release their code.. So Bear with me/us and have a little more patience.

BTW: This infocard crypto stuff is just cool. The ciphers the methods to encrypt/decrypt the tokens are smooth... However Robin Wilton (racingsnake) had a very good question, and I'm awaiting Kim's response.. I hope he does.

OPEN infocard

Chuck Mortimore, has posted the exact steps required to "consume" infocards on his blog (xmldap). I'm not gonna steal the spotlight from him. He deserves more credit for this than anybody else. This is a cross post from Chuck's blog.

Chuck writes:

To get started, you need to get your hands on the XML Token. This should be pretty simple, as your web framework will generally hand back parameters already URL decoded.

Once you’ve got the token, you’ll need to decrypt the token. The token is transmitted as encrypted XML.

Head On Over to Chuck's Blog to see what the xmlToken would look like
OR look at my previous post on what it looks like. Chuck's Post is "complete". Mine's truncated..

Basically what you have here is an ephemeral symmetric encryption key, which has itself been encrypted with the Public Key of the SSL Cert for the website InfoCard is interacting with. As you can see from the metadata provided in the KeyInfo fragment, the key is encrypted using RSA with OAEP encoding and SHA1, using the certificate identified in the SecurityTokenReference with the provided fingerprint (the fingerprint is a SHA1 hash of the cert bytes)

Your first job is to decrypt that encryption key. Step one : remove the Base64 encoding. Step 2 : you need to write a function which takes the private key for the cert referenced by the fingerprint, along with the data as input, and decrypts in this manner RSA-OAEP

Once you’ve successfully decrypted the key ( it should be 256 bits), you can use it to decrypt the token. As you can see in the XML, you need to use AES with a ChainedBlockCipher. Decrypt the token (Don’t forget to strip the initialization vectors...thanks Gary).

Head On Over to Chuck's Blog to see what the decrypted token would look like

The next step would be to quickly check the validity period on this Assertion to make sure it’s still fresh. You might also want to check the AssertionID against a table of previously seen assertions to prevent replay...depends on your level of paranoia.

On to signature should follow the steps outlined in XML-DSIG, but to paraphrase, check the digest of the canonicalized assetion against the digest in the SignedInfo block, and then validate the signature of the canonicalized SignedInfo using a PublicKey constructed from the provided KeyInfo.

Now, what’s bugging me is the use for the Symmetric Proof key provided in the Subject of the Assertion. Super Pat and I discussed this for awhile, and since it’s not used immediately in this protocol exchange, our best guess is that it’s used in subsequent interactions with the service, although I must admit the InfoCard docs are a little fuzzy on this subject. If anyone can fill me in, I’d appreciate it!

Finally, if your signature validation worked, extract the claims, enforce any policy you’d like, create a session, set a cookie, etc...

Chuck has also reverse-engineered the infocard token creation and has published a tool that can create a token for you on his demo servers.

Now since "infocard walled garden" has been made not so mystical, Here's are my thoughts.

The OBJECT tag required to invoke the Identity Selector is a cool tool, But on the RP side, the RP is just a listener that received tokens "pushed" to it. One does not really need the use of a InformationCardSignInHelper (ie: icardie.dll for ie7)to invoke the Identity Selector (WinFX CTP). One can easily write a tool, that creates these tokens using random data and start pushing these tokens to RP's. I see this as an extremely simple way to set up a DoS attack.

  • So are infocards really "secure"?
  • Would they make the common man's life easier?
  • Would they make RP's more vulnerable to DoS attacks?

Like I said earlier, I am having a extremely hard time trying to digest the First Law from the "Laws Of Identity". For some reason I tend to lean strongly towards not being able to digest "user control". Hopefully over time, I shall grow out of it and be able to digest the theory.

SO: Higgins folks have a base to work off of for their open source version of "infocard-whatever" (not that they needed it). And I'd like to see if folks credit Chuck for HIS hard work.

Thursday Mar 30, 2006

infocard xmlToken

nothing special here. This is what the xmlToken that the Identity Selector send across to a Relying Party looks like.

more soon...

Wednesday Mar 29, 2006

Worlds FIRST Java Based infocard RP - LIVE

Chuck Mortimore has just deployed the world first Java Based Infocard Relying Party app. I'm following up soon with a PHP based Relying Party app... (Chuck beat me to it.. even though we've been constantly communicating and collaborating.. Guess Chuck's had the advantage of time... But However, We played tag-team and managed to get it to work !!!) Getting Java to work was easy.. PHP seems to be a bit harder with decoding and parsing encoded XML. I always thought that PHP was easier.. But was proven wrong this time... I'm trying to do exactly the same thing in PHP as the Java code and all I get is garbage. There must be something different in the urldecode / base64_decode functions in PHP and the way in which it handles "special characters".

HOWEVER: Chuck's the one who deserves 100% credit for deploying it first.

Kim, Please publish your code... not the relying party provider (RP) code, We got that already.. We would like to see the WinFx Identity Invoker Code... (please... please... please... please... please...)

For those who appreciate HARD WORK. Take a moment to toast Chuck. Infinite cheers Chuck !!! You ROCK !!!

Open Source rocks !!!..... Kim.. break down those walls. Let East Meet West. Let infocard be really "open". Please do not restrict us to work within those "infocard walled gardens"... please let us open up channels to securing the identity space. & ah !! in-ter-oh-por-ate !!

PS: When I say "us".. I mean "we the people", @the "open source community".... ;-)

Next Stop: How to Federate your "infocard" authentication token.

Tuesday Mar 28, 2006

John Doe's Infocard

LOL... had some time to kill..... and so I made a few images that you could use as your infocard image to help you identify the different infocards you create and distinguish between them instead of relying on the infocard super-imposed name.

And here's John Doe's Infocard. Use the password "password" to import the infocard.
This distribution of John Doe's infocard could probably make John Doe a "celebrity" again.

remember to save John Doe's infocard with the extention .crds

I know that most of the sites that would accept this card would also have a "confirm registration" email sent out. Well, I shall soon do something to address that too. The email address registered on this card is john.doe.infocard-AT-gmail-DOT-com. So, what I shall also do is setup gmail forward to forward all emails to, and then setup a blog to publish all those emails received. Well, then I could probably write a javascript or any utility to auto-click & confirm all url's in the posts, or to parse the contents of emails received and to a HTTPrequest.get() on all URL's that the blogpost contains. But since that would take some effort, and is not something I am too keen on doing anyway, and also since I currently do not have too much stale time on my hands, I shall do that only if I see the card being used... or I may also decide against it and keep this as "insider" info ;-)

Guess I would be wasting too much time on this. so the idea is now officially canned.

NOTE : This is in no way an attempt to initiate a world-wide attempt to present John Doe's infocard as a mechanism to break all web service's/application's that may someday accept infocard as it's auth medium. I received a few emails and phonecalls to clarify the intent here..
So Here's a public post of the intent. If you see that this can be used as a way in which tens of thousands of folks use a "common" credential (with User Control and Consent) to authenticate, and even deceive the "registration confirmation" system into accepting the credential, then I hope you see the big picture. These AuthN mediums are not for a person to person authentication system but for a "automated" system. I see this as a means in which hackers have a platform to authenticate into systems, initiate a new breed of DoS attacks, Hijack Identities, & misuse the system. Please see this not as an attempt to "attack" but as an attempt to show you that there can be several ways in which a system's stability can be compromised using extremely simple means. It does not require a rocket scientist to do such tasks. & mind you there are several folks "out there" who do this just for the kicks. So when you folks read about infocard and it's capabilities in all its basking glory, please remember not to tie yourselves down to a "infocard walled garden" and think outside of the BOX.
As "WE" work on securing the system/'s even more, the "outsiders" would always find innovative ways of breaking it. Therefore "WE" need to work as a "TEAM" and CO-LAB-OH-RATE!!
Please... Lets not work on "proprietorizing" IDENTITY. We got to have a solution that the industry sees as something that is SECURE, OPEN & more importantly INTER-OPERABLE. Remember it takes 2 to tango.

Monday Mar 27, 2006

Internet Explorer 7 Build 5299 5296

UPDATE : Build 5299 did not work. I'm now hunting for Build 5296. Because the Build that works on my desktop is Build 5296. If anybody has a downloaded copy of Build 5296. Please please let me have a copy.....
OK. OK..... I've tried and tried and the march 20th release of ie7 just does not work (Kim had pre warned me/us about it, But I just didnt heed his advise.). The ONLY ie7 release that works with infocards is BUILD 5299 (for now). Now I had a desktop with Build 5299 installed, but unfortunately I had not saved a copy of it. I just finished rebuilding my virtual infocard test environment and was having a extremely hard time trying to download ie7 Build 5299. I desperately wanted Build 5299 for testing purposes. I am aware of all the security flaws that come along with it, but I just dont care about them for now. All I wanted is a browser that worked with infocards. So after much effort, I did find a ie7 Build 5299 download on rapidshare. So in case you would like to use ie7 Build 5299, here are the download links.
  1. IE 7 build 5299 (link 1)
  2. IE 7 build 5299 (link 2)
  3. IE 7 build 5299 (link 3)
WARNING: USE AT YOUR OWN RISK Also read the whole list of ie7 security flaws & vulnerabilities prior to proceeding.

UPDATE : Build 5299 did not work. I'm now hunting for Build 5296. Because the Build that works on my desktop is Build 5296. If anybody has a downloaded copy of Build 5296. Please please let me have a copy.....

Sunday Mar 26, 2006

infocard: An Expensive Affair

This " - night - Graveyard-shift " infocard project of mine is working out to be an expensive affair for me, in the $$ terms. I travel around so much (every mon-fri) that in order to work on it at nights, I needed to have WinXP with SP2 and ie7 on it. There's no way I would risk putting my endeared Ferarri through the BSoD (Blue Screen of Death) trauma. Well There was no way for me to carry all my desktops around when I travel. So came VMware to the rescue.

My VMWare Workstation costs US$199, and then another WinXP Pro license was another US$299. And another CD$100 for bribing my wife with a L'Occitane gift pack to entice her to let me spend this money. Whew!!.

I hope this expense pays off in terms of learning. I believe that there can be no cost factor associated with learning. And hope & pray that this pays off in the long run.

Now I have a "infocard" ready system in addition to a development environment, and a webserver with me all the time. Hopefully in the coming weeks, (with my new set of ammunition), I should be able to blog more on my discoveries...

So stay tuned...

Friday Mar 24, 2006

User-Centric Identity Webcast

A FYI Reminer & a cross-post from superpatterns. The reason I'm crossposting this is because I believe that this is something important and something that everybody should participate in as the info that this webcast would provide you would prove extremely valuable.

There's a lot of buzz around 'user-centric identity' right now the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity for example, a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read. it starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML.

vOn the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: Registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online.

To register for the webcast, follow these steps.

  1. Go to
  2. Under the heading Attend a Meeting, click Register
  3. Search for centric
  4. Select User Centric Identity: Success Today and click on the Register Button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
  5. Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.

Thursday Mar 23, 2006

claims with infocards

Self issued information cards support only a select number of claims. Each of these claims is associated with an URI that one could use to look up the claim inside the token.

The claims that are supported are:

  1. Given Name = "";
  2. Email Address = "";
  3. Surname = "";
  4. Street Address = "";
  5. Locality = "";
  6. State/Province = "";
  7. Postal Code = "";
  8. Country = "";
  9. Home Phone = "";
  10. Other Phone = "";
  11. Mobile Phone = "";
  12. Date of Birth = "";
  13. Gender = "";
  14. PPID = "";

One could use the URIs with the TokenHelper class to extract out the values for the claims.

..... more later.....


Rohan Pinto


« July 2016
My Bookmarks
Currently Surfing