Friday, January 04, 2008

Ambiguous Standards

One big thing that is missing in the openinfocard identity selector is the export of self-issued cards in a CardSpace-compatible way. It would be easy to export cards and to re-import them in another instance of the same selector (openinfocard). This was nevertheless never implemented, because the real goal is to be able to export a card from the openinfocard selector, import it into CardSpace, and have it recognized at a relying party.
Why is this hard?
Please read "A Technical Reference for the Information Card Profile V1.0", section "7.6.2. Regeneration of Input Parameters", and imagine yourself implementing this without getting too depressed before you even start.

During the holidays I started to implement this. Luckily there is a C++ implementation by Andrew Hodgkinson of the Bandit-Project.

But yesterday I noticed a difference between Andrew's code and the definition of the AES key given in the Information Card technical reference:

Encrypt the padded value using the AES-128 (Electronic Code Book mode) algorithm and the constant C (shown here) used as the encryption key.

C = f561e58b-3ebc-4e0c-940d-0a6ddc219dfd

Parts of the bytes are reversed while other parts are not...
Mark Oluper from Microsoft found a better definition of the constant that is compatible with Andrew's C++ byte array. You find it in the Identity Selector Interop Profile (page 45):

Encrypt the padded value with the AES-128 (Electronic Code Book mode) algorithm using the 16-byte constant below as the encryption key:
Encryption Key
{ 0x8b, 0xe5, 0x61, 0xf5, 0xbc, 0x3e, 0x0c, 0x4e, 0x94, 0x0d, 0x0a, 0x6d, 0xdc, 0x21, 0x9d, 0xfd }
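To show where the "reversed" bytes come from, here is an added example (not code from this post, from openinfocard or from Andrew's C++ implementation): it lays the GUID string C out the way a Windows GUID structure is stored in memory, where the first three fields are little-endian and the last eight bytes are not, and checks that this reproduces the byte array from the Interop Profile while the plain left-to-right hex reading does not.

```python
import uuid

# Constant C exactly as printed in "A Technical Reference for the
# Information Card Profile V1.0" (quoted in the post above).
C_GUID = "f561e58b-3ebc-4e0c-940d-0a6ddc219dfd"

# The 16-byte key as printed in the Identity Selector Interop Profile (page 45).
INTEROP_PROFILE_KEY = bytes([
    0x8b, 0xe5, 0x61, 0xf5, 0xbc, 0x3e, 0x0c, 0x4e,
    0x94, 0x0d, 0x0a, 0x6d, 0xdc, 0x21, 0x9d, 0xfd,
])


def naive_key_bytes(guid_text: str) -> bytes:
    """Read the GUID text left to right as plain hex: the obvious but wrong key."""
    return bytes.fromhex(guid_text.replace("-", ""))


def guid_struct_key_bytes(guid_text: str) -> bytes:
    """Lay the GUID out as a Windows GUID struct in memory.

    Data1 (32-bit), Data2 (16-bit) and Data3 (16-bit) are stored little-endian;
    Data4 (8 bytes) is stored as written. This is the mixed-endian order that
    makes "parts of the bytes reversed while other parts are not".
    """
    d1, d2, d3, d4a, d4b = guid_text.split("-")
    return (
        int(d1, 16).to_bytes(4, "little")
        + int(d2, 16).to_bytes(2, "little")
        + int(d3, 16).to_bytes(2, "little")
        + bytes.fromhex(d4a + d4b)
    )


def key_matches_interop_profile(guid_text: str) -> bool:
    """True if the struct layout of guid_text reproduces the profile's byte array."""
    return guid_struct_key_bytes(guid_text) == INTEROP_PROFILE_KEY


def stdlib_agrees(guid_text: str) -> bool:
    """Cross-check: uuid.UUID(...).bytes_le is the same mixed-endian layout."""
    return uuid.UUID(guid_text).bytes_le == guid_struct_key_bytes(guid_text)


if __name__ == "__main__":
    print("naive  :", naive_key_bytes(C_GUID).hex())
    print("struct :", guid_struct_key_bytes(C_GUID).hex())
    print("matches Interop Profile key:", key_matches_interop_profile(C_GUID))
    print("stdlib bytes_le agrees     :", stdlib_agrees(C_GUID))
```

The struct layout yields 8b e5 61 f5 bc 3e 0c 4e 94 0d 0a 6d dc 21 9d fd, so the two documents describe the same key only if the reader already knows to apply the GUID byte order.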

I hope that Microsoft removes the ambiguous definition. This stuff is hard enough without confusing "standards". The best thing Microsoft could do is to publish their code
  • to compute the OrgIdString/QualifiedOrgIdString from a PEM-encoded certificate
  • to compute the rpIdentifier from a certificate
  • to compute the key pair from the master key
  • of the RegenFunction
  • ...

have fun. Axel

2 comments:

Mike said...

"A Technical Reference for the Information Card Profile V1.0" is obsolete and has been superseded by the "Identity Selector Interoperability Profile V1.0", as per http://self-issued.info/?p=8.

Cheers,
-- Mike

Axel Nennker said...

True. But it still would be nice if the outdated document were replaced on MSDN: http://msdn2.microsoft.com/en-us/library/bb298802.aspx
or modified to say that an update is available.