Abstract


Xu Hao graduated from the Information Security Department of Shanghai Jiaotong University. He now develops information security products and researches advanced security technology. He began focusing on information security research five years ago; his main research areas are the Windows kernel, rootkits and malware, hardware virtualization technology, reverse engineering, and smart cards and PKI. He has spoken at XCon2008 and XCon2009.

Authentication systems are widely used to control user access. Individuals, companies, and governments need them to protect sensitive information. Username-and-password authentication is easy to implement, but it has many disadvantages. By comparison, certificate-based authentication and Microsoft CardSpace are thought to be much safer.

This paper first introduces some basic background on cryptography, certificates, and PKI. It then analyzes local certificate management in Windows, proposes methods to steal certificates, and discusses some real cases. After that, the paper covers the Microsoft CardSpace feature and gives a way to steal personal information cards stored in CardSpace. Finally, the paper describes the concepts behind smart cards and the components of a smart card product, raises a possible way to attack smart cards, and discusses an online bank case.

Slides