RealTime IT News

WinFX Adds New Security Method

Lost in the hoopla of Microsoft's numerous announcements at the Windows Hardware Engineering Conference (WinHEC) was the news that beta 2 of WinFX was available with full support for InfoCard, a technology that could radically change security on the internet.

WinFX is a core part of the Windows Vista operating system and a superset of the.NET framework and Win32 API. WinFX has been developed on Windows XP, so it will be available on both XP and Windows Server 2003 in addition to Vista.

It consists of four elements: Windows Presentation Foundation (WPF), a new graphical foundation for 3D graphics; Windows Communication Foundation (WCF), a service-oriented messaging system; Windows Workflow Foundation (WF), which allows task automation; and InfoCard, a method for securely storing and transmitting personal identities.

The three Foundations have received considerable ink, but InfoCard has flown under the radar, until now. WinFX beta 2 is released under a Go-Live license, which means the code is in a particularly advanced state than the usual beta and Microsoft is encouraging customers to deploy it in a live environment to see how well it operates.

"This beta is a culmination of the CTPs we've been releasing for the past year," said Ami Vora, product manager for WinFX at Microsoft. "We're thinking of WinFX as a development platform that people will use for the next ten years in scenarios as intense as monitoring patients in intensive care."

WinFX is largely feature complete and there shouldn't be any major changes to the feature set and programming model, she said.

However, there is something notably missing from InfoCard: support for RSA's SecureID authentication tokens. The reason for that is SecureID and other mechanisms are semi-proprietary, each with their own wire protocol and password exchange methods.

RSA is working with other security/identity firms to come up with a standard method for a one-time password clicker, so Microsoft doesn't want to add support just yet. A future version of InfoCard will add this support when a standardized method of one-time password click is agreed upon, said Rich Turner, product manager for InfoCard at Microsoft.

InfoCard will support two-factor authentication methods such as X.509 digital certificates, smart cards and MD5 hashes in the initial release, said Turner. The company is working with larger players, from banks to merchants to the U.S. Postal Service, to provide trusted third-party tokens, so a person could create an account on an etailer like Amazon.com simply by transmitting an encrypted token they obtained from the USPS.

Because usernames and passwords have to be entered into forms, most identity theft and phishing traps are built around fraudulent interfaces, where the victim thinks they are logging into an official site of a merchant or commerce site. Token exchange eliminates that.

"What we're trying to do is replace manually entered usernames and passwords full stop," said Turner. "Instead of having to manually enter a username/password combination, the user is prompted to select one of several identities which might be applicable in a given situation and have them submit the card across secure mechanisms" to a recipient such as an ecommerce site.

Jamie Lewis, president of The Burton Group, agrees there isn't a single standard for one-time tokens, so it remains to be seen how much impact InfoCard can have. But he does think it could bring about a fundamental change in security and identity.

"Microsoft, with InfoCard, is attempting to solve some problems we desperately need to solve in terms of the trust levels of the Internet," he said. "It's bad and getting worse and if it gets much worse, it could tip over things to the point where people won't use it." The degree to which InfoCard achieves this level of trusted authentication is uncertain because we haven't seen the final product, he said, but it certainly offers the promise.

WinFX Beta 2 can be downloaded from the WinFX Developer Center on MSDN.