March 06, 2008

Microsoft acquires Credentica

Blogger: Mark Diodati

Today, Microsoft announced its acquisition of Credentica, a consumer authentication technology company. Like Arcot and TriCipher, its executive team holds patents on some interesting cryptographic techniques, which are embedded in the company’s U-Prove technology. The technology relies heavily upon PKI. If you are interested in the protocols, you can retrieve the “U-Prove SDK Overview” and a corresponding PowerPoint presentation here.

I have yet to speak to Microsoft and Credentica (this is likely to happen in the next few days), and my understanding will likely change once that happens. Within the U-Prove environment, there are three parties: the issuer (AKA credential or identity provider), the user, and the verifier (AKA the service provider). After the user authenticates successfully, the issuer provides the user with a credential, the ID Token. The ID Token can be short- or long-lived. The ID Token is signed by the issuer (similar to an X.509 certificate), and the user subsequently presents the ID Token to the verifier.

The user authenticates to the verifier when presenting the ID Token by sending along a nonce (that is, a random number) that is encrypted with the user’s private key. The verifier can validate that the ID Token originated from the user in possession of the private key (yes, Virginia, the U-Prove technology appears to require that the user possess a private key).

One important distinction from X.509 authentication exists. Before presenting the ID Token, the user can control which attributes in the ID Token are revealed to the verifier, which provides some privacy controls.

The technology also appears to provide man-in-the-middle mitigation and digital signature capabilities, and to support stronger authentication (e.g., a smart card) of the user to the issuer.

The U-Prove protocol also appears to work nicely with SAML, while giving the user control over the information presented to the verifier (AKA service provider). The issuer (AKA identity provider) provides the ID Token credential to the user. The ID Token contains user attributes, which are signed by the issuer. The user has control over which attributes are disclosed to the verifier because the user builds the SAML assertion from the desired attributes. The user signs the assertion, and then presents it to the verifier.
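The three-party flow described above (issuer signs a token bound to the user's key, the user reveals only chosen attributes and proves key possession with a nonce, the verifier checks both), as an added Go example that is not Credentica's or Microsoft's code and does not use U-Prove's actual cryptography. It assumes salted hash commitments in place of U-Prove's blinded credentials, Ed25519 for both the issuer's and the user's keys, and models the "nonce encrypted with the user's private key" as a signature over the nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// IDToken binds the user's public key to salted commitments over attribute values; the issuer signs the key and commitments, never the raw values (simplified stand-in for U-Prove's credential, assumed here).
type IDToken struct {
	UserPub     []byte
	Commitments map[string][]byte // attribute name -> sha256(salt, name, value)
	IssuerSig   []byte
}
// commit hides a value until the user chooses to open it by revealing the salt.
func commit(salt []byte, name, value string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x\x00%s\x00%s", salt, name, value)))
	return h[:]
}
// signedBody is canonical because fmt prints map keys in sorted order.
func signedBody(t IDToken) []byte { return []byte(fmt.Sprintf("%x|%x", t.UserPub, t.Commitments)) }
// Issue runs at the issuer after the user has authenticated; the salts go to the user only.
func Issue(issuerPriv ed25519.PrivateKey, userPub ed25519.PublicKey, attrs map[string]string) (IDToken, map[string][]byte) {
	t, salts := IDToken{UserPub: userPub, Commitments: map[string][]byte{}}, map[string][]byte{}
	for name, value := range attrs {
		salts[name] = make([]byte, 16)
		rand.Read(salts[name])
		t.Commitments[name] = commit(salts[name], name, value)
	}
	t.IssuerSig = ed25519.Sign(issuerPriv, signedBody(t))
	return t, salts
}
// Present: the user opens only the chosen commitments and signs the verifier's nonce to prove possession of the private key bound to the token.
func Present(userPriv ed25519.PrivateKey, attrs map[string]string, salts map[string][]byte, reveal []string, nonce []byte) (map[string]string, map[string][]byte, []byte) {
	vals, opened := map[string]string{}, map[string][]byte{}
	for _, n := range reveal { vals[n], opened[n] = attrs[n], salts[n] }
	return vals, opened, ed25519.Sign(userPriv, nonce)
}
// Verify checks the issuer signature, the proof of key possession, and that each revealed value opens a commitment the issuer signed; attributes the user withheld stay hidden.
func Verify(issuerPub ed25519.PublicKey, t IDToken, vals map[string]string, opened map[string][]byte, nonce, nonceSig []byte) error {
	if !ed25519.Verify(issuerPub, signedBody(t), t.IssuerSig) { return fmt.Errorf("issuer signature invalid") }
	if !ed25519.Verify(ed25519.PublicKey(t.UserPub), nonce, nonceSig) { return fmt.Errorf("presenter does not hold the key bound to the token") }
	for n, v := range vals {
		if c, ok := t.Commitments[n]; !ok || string(c) != string(commit(opened[n], n, v)) {
			return fmt.Errorf("attribute %q is not vouched for by the issuer", n)
		}
	}
	return nil
}
```

A fresh nonce per presentation is what stops a captured presentation from being replayed; the verifier must generate it, not accept one from the user.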

Why did Microsoft acquire Credentica? The U-Prove technology looks like a good candidate as an authentication mechanism for CardSpace managed cards (i.e., those cards issued by an identity provider) that is consistent with Kim Cameron’s Laws of Identity. The authentication mechanism we’re talking about is between the identity provider (AKA issuer in Credentica-speak) and the user, not the user and the service provider (AKA verifier in Credentica-speak). My colleague Bob Blakley is our resident CardSpace expert; I learned most of what I know about the technology from him. If you are a Burton Group IdPS customer and are interested in CardSpace, his recent document “The Information Card Landscape” is a good read.

The aforementioned Credentica white paper (published in April of 2007) references these benefits:

“ID Tokens are the only practical technology by means of which the Windows CardSpace identity selector can fully comply with the “laws of identity” defined by its chief architect, Kim Cameron. Cameron has confirmed that standard digital certificates break the fourth law of identity. In addition, the second and third laws of identity cannot be fully met using standard certificate technology.”

It appears that the Credentica technology is more protocol than product, which is beneficial to Microsoft. Microsoft will have fewer pre-acquisition customers to support. Also, Microsoft should have an easier time integrating the U-Prove technology into CardSpace. Microsoft appears to have at least one integration challenge, because the U-Prove SDK appears to be Java-based and requires the Java runtime environment on the user’s client.
