Microsoft is disputing that its CardSpace authentication management technology can be hacked despite a research paper that outlines a proof-of-concept attack.
CardSpace manages personal information that might be needed to access certain Web sites or conduct e-commerce transactions. CardSpace, which ships in the Windows Vista OS, keeps personal information in virtual cards stored on the computer.
Also, that information can be held by a trusted organization that acts as an identity provider. That provider can then tell another Web site the information is valid. An encrypted token is sent to the Web site, which reduces the chance of identity theft.
In a sometimes sarcastic retort, Kim Cameron, who is Microsoft's chief identity architect in the Connected Systems Division, wrote that the attack requires key defenses to be lowered before the attack would work, a scenario that's unlikely in a real attack.
"For the attack to succeed, the user has to bring full administrative power to bear against her own system," Cameron wrote on his blog. "In my view, the students did not compromise CardSpace."
The researchers' paper is bad press for Microsoft and CardSpace, which the company hopes will become widely used for identity management.
The researchers, from the Horst Görtz Institute for IT Security at Ruhr University in Bochum, Germany, wrote in their paper that it is possible to intercept the authentication tokens CardSpace issues. An attacker could then replay the captured tokens to gain access or use other functions on another Web site.
However, intercepting the token comes after several key defenses have been breached and warnings ignored, Cameron wrote.
First, the PC's DNS (Domain Name System) configuration must be modified so that the PC's browser goes to a malicious Web site even if the proper domain name is typed in, a technique known as pharming.
Once the DNS settings have been changed, the PC's browser must still be convinced the malicious Web site is not a fraudulent one. Browsers such as Internet Explorer check a Web site's certificate -- a digitally signed electronic document, issued by a certificate authority the browser trusts, that binds the domain name visited to the public key of the server the browser is talking to. A site reached by pharming cannot present a valid certificate for the real domain name, so the browser warns the user.
Part of the attack therefore involves tricking the user into installing a fake root certificate, so that certificates the attacker issues under it look valid and Internet Explorer raises no certificate warning. Cameron writes that installing the bogus certificate must overcome another defense, which "requires a complex manual override."
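The two preconditions Cameron lists, tampered name resolution and a rogue root certificate, are both auditable on the client. The following PowerShell script is an added example, not code from the article, the researchers or Microsoft: it lists active hosts-file overrides (one common form of local DNS tampering), flags DNS servers that are not on an expected list, and flags any root certificate whose thumbprint is absent from a baseline exported earlier from a known-clean machine. The baseline file path and the expected resolver list are assumptions and must be replaced with your own.

```powershell
# Added audit example (not from the article): check a Windows client for the
# preconditions of the described CardSpace attack. Assumptions: a baseline
# file of trusted root thumbprints (one per line) exported from a clean
# machine, and a list of the resolvers the machine is expected to use.

$BaselinePath = 'C:\audit\root-thumbprints-baseline.txt'   # assumed path
$ExpectedDns  = @('192.0.2.53')                             # placeholder resolvers
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. hosts-file overrides: any active (non-comment) line maps a name to an
#    address and bypasses DNS entirely, which is enough to pharm one domain.
$hostsOverrides = @(Get-Content -Path $HostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
if ($hostsOverrides.Count -gt 0) {
    Write-Warning "hosts file contains $($hostsOverrides.Count) active override(s):"
    $hostsOverrides | ForEach-Object { Write-Output "  $_" }
}

# 2. Resolver settings per adapter: pharming can also point the client at a
#    DNS server the attacker controls.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        if ($_.DNSServerSearchOrder) {
            foreach ($srv in $_.DNSServerSearchOrder) {
                if ($ExpectedDns -notcontains $srv) {
                    Write-Warning "$($_.Description): unexpected DNS server $srv"
                }
            }
        }
    }

# 3. Root stores: a root the baseline has never seen makes every certificate
#    chained to it look valid to the browser, which is what the attack needs
#    to silence the certificate warning. Check both machine and user stores.
$baseline = @{}
Get-Content -Path $BaselinePath | ForEach-Object {
    if ($_ -match '\S') { $baseline[$_.Trim().ToUpper()] = $true }
}
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | ForEach-Object {
        if (-not $baseline.ContainsKey($_.Thumbprint.ToUpper())) {
            Write-Warning "$store : non-baseline root '$($_.Subject)' thumbprint $($_.Thumbprint)"
        }
    }
}
```

Run it from an elevated prompt so both certificate stores and the adapter configuration are readable; a finding in step 3 is the strongest signal, since a root added by the user is exactly the "manual override" Cameron describes.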