Standing on the shoulders of giants.
 Thursday, July 17, 2008

Understanding Windows CardSpace

This book (Understanding Windows CardSpace by Vittorio Bertocci, Garrett Serack and Caleb Baker) is not a guide to implementing Windows CardSpace in your website or web service; it helps you understand the reasoning behind Windows CardSpace and how it fits into the Identity Metasystem. As such it is a much better book than one that just explains how to add a widget to your website to authenticate users could ever be.

The parts of the book follow a logical structure. Part 1 discusses the problems we face on the Internet (identity theft, phishing and others) and proposes a technology-independent solution. Part 2 introduces CardSpace and discusses implementing it, with both managed and self-issued cards, in websites and web services. Part 3 covers the practical and business considerations of working with the Identity Metasystem and Windows CardSpace.

Even if you're a regular reader of Vittorio's blog and are familiar with the Seven Laws of Identity, this book still has value. If you're not familiar with either, you really should read this book, since it's the first book that really made me understand the problems we face on the Internet today with respect to identity, and why and how Windows CardSpace provides a solution.

With the release of Zermatt this book has really proven its value: Zermatt makes it much easier to implement a Security Token Service and a Relying Party, but it won't help you understand the concepts behind them or why you need to implement them (or not).

17 Jul 2008 21:29 W. Europe Daylight Time | Comments [0]
Development | Reading | Security

 Tuesday, June 10, 2008

When hashing a password you usually add a salt to make it harder for an attacker to attack the password (see [0]): without a salt, identical passwords hash to identical values and an attacker can precompute a table of hashes once and reuse it against every account. Since the salt is an input to the hash, the same salt is needed again to verify a password.

The submitted Hash( Salt + Password ) must be equal to the stored Hash( Salt + Password ).

The common place to store the salt is in a separate field alongside the hash, but then the two can get out of sync (one field updated without the other). A better solution is to concatenate the salt and the hash and store both in one byte array.

using System;
using System.Security.Cryptography;

static void Main(string[] args)
{
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

    // 16 random bytes of salt; a fresh salt for every password.
    byte[] salt = new byte[0x10];
    rng.GetBytes(salt);

    // PBKDF2 (RFC 2898) with HMAC-SHA1. The iteration count is the work factor:
    // 5 iterations is far too few to slow an attacker down, RFC 2898 already
    // recommends at least 1000, and the count should be tuned to what the server can afford.
    Rfc2898DeriveBytes deriveBytes = new Rfc2898DeriveBytes("the password", salt, /*iterations*/ 1000);

    // One HMAC-SHA1 block (20 bytes) is enough. Every further 20 bytes costs the server
    // another full run of the iterations, while an attacker only needs the first block
    // to test a guess, so asking for 0x100 bytes only makes the defender slower.
    byte[] passHash = deriveBytes.GetBytes(20);

    // Store hash and salt in one byte array: hash first, salt at the end.
    byte[] result = Merge(passHash, salt);
}

// Concatenate two byte arrays: first followed by second.
private static byte[] Merge(byte[] first, byte[] second)
{
    byte[] result = new byte[first.Length + second.Length];
    Buffer.BlockCopy(first, 0, result, 0, first.Length);

    Buffer.BlockCopy(second, 0, result, first.Length, second.Length);

    return result;
}

Extracting the salt from the stored array is relatively simple, since the salt is always the last bytes:

// 'stored' is the combined hash + salt array; the salt is its last 'length' bytes.
private static byte[] ExtractSalt(byte[] stored, int length)
{
    byte[] salt = new byte[length];

    Buffer.BlockCopy(stored, stored.Length - length, salt, 0, length);

    return salt;
}

To check a password, use this salt to generate the hash of the submitted password, append the salt to the end again and compare the result with the stored array; the two byte arrays must be equal. Compare the whole array with a fixed-time comparison rather than a loop that stops at the first differing byte, so the running time of the check does not tell an attacker how many leading bytes of a guess were right.
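The same scheme as the C# sample above, written in Python as an added example (it is not the post's own code): PBKDF2 over the password and a random salt, stored as hash followed by salt in one byte string, verified by taking the salt off the end, re-deriving, and comparing the whole value in constant time. The SHA-256 PRF, the 200,000 iteration count and the 16-byte salt are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16          # 128-bit random salt, the same size as the 0x10 bytes in the C# sample
HASH_LEN = 32          # one SHA-256 output; asking PBKDF2 for more only costs the server extra work
ITERATIONS = 200_000   # assumed work factor for this example; tune to what the server can afford


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> bytes:
    """Return hash || salt as one byte string, so the two cannot get out of sync.

    A fresh random salt is drawn unless one is passed in (verification reuses
    the salt stored with the hash).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=HASH_LEN)
    return derived + salt


def extract_salt(stored: bytes) -> bytes:
    """Take the salt off the end of a stored hash || salt value."""
    if len(stored) != HASH_LEN + SALT_LEN:
        raise ValueError("stored value has unexpected length %d" % len(stored))
    return stored[-SALT_LEN:]


def verify_password(password: str, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Re-derive hash || salt with the stored salt and compare the whole array.

    hmac.compare_digest takes the same time wherever the first mismatch is, so
    the comparison does not leak how many leading bytes of a guess matched.
    """
    candidate = hash_password(password, iterations, extract_salt(stored))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample password for the demo run.
    stored = hash_password("correct horse battery staple")
    print("stored (hex):", stored.hex())
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Correct horse battery staple", stored))
    # Same password, fresh salt, different stored value:
    print("new salt each time:", hash_password("correct horse battery staple") != stored)
```

Because the iteration count is not part of the stored value here, raising it later means re-hashing every password at its next successful login; if you expect to tune the work factor, storing the count (or a version byte) in the same array is the natural extension of the one-array idea.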

[0] See pp. 350-352 of Practical Cryptography by Niels Ferguson and Bruce Schneier for why salting a password is a good idea.

Sample: HashSample.cs.txt (1.78 KB)

10 Jun 2008 13:39 W. Europe Daylight Time | Comments [4]
Codesnippet | Security

 Monday, March 03, 2008

This library complements the HTML and URL encoding methods of the HttpServerUtility class. Where the methods in the base framework only encode a limited set of characters, the AntiXss class encodes everything that is not explicitly allowed. That means that in most cases everything except the following characters is encoded: a-z, A-Z, 0-9, comma, period, dash, underscore and space.
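To show what the allow-list approach buys you over a deny-list encoder, here is an encoder of the kind the post describes, written in Python as an added illustration. It is not the AntiXss library's code: the numeric character reference output, the sloppy unquoted-attribute template and the attacker input are assumptions constructed for this example.

```python
import html

# Characters that pass through unchanged: the allow-list the post lists
# (letters, digits, comma, period, dash, underscore and space).
ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    ",.-_ "
)


def allowlist_html_encode(text: str) -> str:
    """Encode every character that is not explicitly allowed as a numeric
    character reference (&#NN;). Anything unusual is encoded by default
    instead of slipping through because nobody thought of it."""
    return "".join(ch if ch in ALLOWED else "&#%d;" % ord(ch) for ch in text)


def denylist_html_encode(text: str) -> str:
    """Deny-list style encoding for comparison: html.escape only rewrites
    the five characters & < > \" ' and leaves everything else alone."""
    return html.escape(text, quote=True)


def render_link(user_value: str, encoder) -> str:
    """Constructed example of a sloppy template: an unquoted attribute value."""
    return "<a href=" + encoder(user_value) + ">link</a>"


if __name__ == "__main__":
    # Constructed attacker input aimed at the unquoted attribute above.
    payload = "x onmouseover=alert(1)"
    print(render_link(payload, denylist_html_encode))
    # -> <a href=x onmouseover=alert(1)>link</a>
    print(render_link(payload, allowlist_html_encode))
    # -> <a href=x onmouseover&#61;alert&#40;1&#41;>link</a>
```

The payload contains none of the five characters the deny-list encoder looks for, so it passes through untouched and the browser sees a second attribute, onmouseover, with a script value. The allow-list encoder rewrites the '=' and the parentheses, so what follows the space is just an inert attribute name. The real fix for this template is to quote the attribute; the allow-list encoder is the defence in depth that holds when a template is not written carefully.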

[download: Microsoft Anti-Cross Site Scripting Library V1.5]

03 Mar 2008 17:55 W. Europe Standard Time | Comments [0]
C# | Security

newtelligence dasBlog 2.1.7309.765
All Content © Copyright 2008, Paul van Brenk
DasBlog theme 'Business' created by Christoph De Baene (delarou)