Sarasota PC Monitor
Tech Talk (12/02)
Microsoft Passport & Security (?)
by Brian K. Lewis, Ph.D.*
Member of the Sarasota Personal Computer Users Group, Inc.
In 1999 Microsoft established its .Net Passport service. This has developed into their .Net services program. This program "is a set of software technologies designed to connect your world of information, people, systems, and devices" according to Microsoft's web site. The Passport service is only one part of this overall program. The role of Passport is to provide "a suite of services for authenticating (signing in) users across a number of devices and applications. The suite includes the Passport single sign in service..." This quotation and many others in this article are from Microsoft's Passport Review Guide.
The idea behind Passport is to simplify the process of authenticating users when they sign into a web site. The information needed for this has been included in the user's registration with Microsoft's Passport site. The only required items for this registration are an e-mail address and a password. Once you have a Passport account, you use this user name and password to access any web sites associated with the .Net Passport system. Once you are authenticated to a site, your profile information is made available to that site. This is accomplished by the use of three cookies which are created when you sign in. The profile information that is shared is determined by the user at the time of registration. For example, my account contains my address, telephone number and birth date. However, I have elected to share none of this information. The following figure is excerpted from Microsoft's Passport Review Guide and shows a portion of the registration page:
"When a user registers a Passport account, their account is assigned a Passport User ID (PUID) that becomes the unique identifier for the account. This PUID is a 64-bit number that will be sent (encrypted) to your site as the authentication credential when a Passport user signs in. This is done so that you can identify the user. As it is up to the user whether they want to share their e-mail address and other information with you (assuming they registered their account at a different site) you cannot depend on this type of information to identify the user. The PUID solves this problem by providing you a way to easily understand who each unique customer is, while still respecting their desire not to share personal information about themselves if they choose not to." (Microsoft Passport Review Guide)
So the process starts when a user goes to a site that has a Passport log-in icon. During the process of signing in, the user is re-directed to a site within the .Net server domain. Here the user name and password are entered. The .Net server attaches two cookies to the browser and returns it to the originating site. These cookies are used to authenticate the user to the original site. One of the cookies contains the PUID. These cookies are placed on the user's computer and are encrypted using the Triple Data Encryption Standard (3DES).
"When the user arrives back at your site, they will bring two encrypted packets of information attached as cookies. The first cookie contains the authentication ticket information. The second contains any profile information that the user has chosen to share, and any operational information and unique identifiers that need to be passed. These packets are encrypted with a unique secret key that is shared between Passport and your site. This helps to ensure that only you can decode these messages." "Passport uses cookies whenever a user signs in to a Passport participating site. These cookies allow users to move from page to page at a participating site without having to sign in again on each page. The following is a general overview of the cookies used by the Passport service."
MSPAuth (common name: Ticket). Encrypted with participating site's Passport key. Contains the Passport timestamps (last refresh and last manual sign in), saved-password flag, key version verification, and other flags.
MSPProf (common name: Profile). Encrypted with participating site's Passport key. Contains each of the core profile attributes, if they are present and the user has chosen to share them.
MSPCAuth (common name: Kids Passport Ticket). Encrypted with participating site's Passport key. Copy of MSPAuth cookie used in Kids Passport scenarios.
MSPCProf (common name: Kids Passport Profile). Encrypted with participating site's Passport key. Copy of MSPProf cookie used in Kids Passport scenarios.
MSPConsent (common name: Kids Passport Consent). Encrypted with participating site's Passport key. Used in managing consent in later versions of the Kids Passport system.
MSPSec (common name: Ticket-Granting Cookie). Encrypted with participating site's Passport key. Used to cross check MSPAuth for validity.
MSPSecAuth (common name: SSL Secured Channel). Sent via HTTPS for all browsers that allow HTTPS cookie writes. Used to indicate the participating site is using the SSL secured channel feature.
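An added example, not part of the original article and not Microsoft's code: an administrator of a participating site could check captured Set-Cookie headers against the cookie names listed above. It flags any Passport cookie that is persistent (the Review Guide describes most of them as temporary) and an MSPSecAuth cookie that lacks the Secure attribute. Reading "sent via HTTPS" as requiring Secure is this example's assumption, and the header values are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Cookie names and common names as listed in the article's overview.
PASSPORT_COOKIES = {
    "MSPAuth": "Ticket",
    "MSPProf": "Profile",
    "MSPCAuth": "Kids Passport Ticket",
    "MSPCProf": "Kids Passport Profile",
    "MSPConsent": "Kids Passport Consent",
    "MSPSec": "Ticket-Granting Cookie",
    "MSPSecAuth": "SSL Secured Channel",
}

def audit_set_cookie(headers):
    """Return (cookie_name, finding) pairs for Passport cookies in Set-Cookie values."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # attributes (path, max-age, secure...) attach to the cookie
        for name, morsel in jar.items():
            if name not in PASSPORT_COOKIES:
                continue  # not a Passport cookie, out of scope here
            # A cookie with Expires or Max-Age outlives the browser session.
            if morsel["expires"] or morsel["max-age"]:
                findings.append((name, "persistent: survives browser close"))
            # Assumption of this example: the HTTPS-only cookie should be Secure.
            if name == "MSPSecAuth" and not morsel["secure"]:
                findings.append((name, "missing Secure attribute"))
    return findings

# Constructed sample headers; values are placeholders, not real tickets.
SAMPLE_HEADERS = [
    "MSPAuth=CONSTRUCTED-TICKET; path=/; domain=.example.test",
    "MSPProf=CONSTRUCTED-PROFILE; path=/; domain=.example.test; max-age=2592000",
    "MSPSecAuth=CONSTRUCTED-SEC; path=/; domain=.example.test",
    "sessionid=unrelated; path=/",
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name} ({PASSPORT_COOKIES[name]}): {finding}")
```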
"Most Passport cookies are temporary cookies and are deleted when the browser session is closed. In addition, Passport-related cookies are deleted when a user clicks the sign out link. When the user signs out of Passport, the Passport server checks the cookies for participating sites and launches a script executed by each site to delete the cookies created at sign in. The script for deleting a cookie is provided by each participating site during the site registration process. Only the site that has created the cookies can delete them." (Microsoft Passport Review Guide)
In addition to the basic Passport information, the user can create a Passport Wallet, also referred to as the Passport Express Purchase. This stores your credit card and contact information. This information can be used by web merchants to automatically fill in billing and shipping information for purchases. Since the Wallet is stored in the same servers (.passport.com domain), it uses the same cookies to identify you. Microsoft claims that one of the benefits of using the Wallet is that your credit card information is not stored on your computer. Instead, it is "securely" stored on Microsoft servers. However, I have just learned that Microsoft is discontinuing its "Express Purchase" system which uses the Passport Wallet. All Wallet information will be deleted within four weeks of the service cancellation, expected early in 2003.
<http://www.passport.net/Consumer/WalletLetter.asp?lc=1033>
With all of this information being transmitted using encrypted methods (SSL & 3DES), it would seem that user information should be quite secure. However, many questions have been raised about security issues related to Passport. Most of them seem to relate to the log-in process in the .Net domain servers and the transmission of information by the cookies stored on the user's computer. There are also questions about information retained relative to users and the web sites they have visited. Microsoft does retain information for some period of time for "customer service" purposes.
In August, 2002 Microsoft settled with the Federal Trade Commission on charges regarding the privacy and security of personal information collected from Passport users. The FTC complaint alleged that Microsoft misrepresented several things, including the level of online security, that no identifiable information was retained relative to sites visited, and that purchases using the Wallet were more secure than purchases on the same site which did not use the Wallet. The FTC alleged that none of this information was true and has required that Microsoft institute changes to improve their security. They also have to change their documentation and advertising to eliminate any misrepresentations. Microsoft is required to establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. They are also required to obtain an annual report from a third-party certifying the effectiveness of their security program.
A Microsoft representative has stated "that we know of no instance where a Passport user's information has been compromised, in hindsight we wish we had held ourselves to a higher bar". (This lack of knowledge may only be because a compromised user would have no evidence as to how or where the information, including credit card numbers, was collected.) Whether the FTC agreement is what led to the cancellation of the Passport Wallet remains only speculation at this point. However, I suspect that this is just the first of many changes which will have to be instituted by Microsoft to comply with the full FTC order. I would not be surprised to see the whole Passport system replaced with some implementation of Palladium. So, stay tuned for the changes and, as always, use caution on the web!
*Dr. Lewis is a former University and Medical School professor. He has more than 20 years of experience working with personal computer hardware and software. He can be reached via e-mail at brian_klewis@hotmail.com or voice mail at 941-925-3047.
Copyright 2002. This article is from the December 2002 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in, please send to above address, Attn: Editor. For further information about our group, email: admin@spcug.org/ Web: http://www.spcug.org/
The Sarasota Personal Computer Users Group, Inc. has 1,300+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.