When users submit an information card to your web site, their identity selector (Windows CardSpace) uses the public key of your SSL certificate to encrypt the body of the information card before it is submitted. The message is therefore encrypted twice: once to protect the contents of the token itself, and once more by SSL for transport.
The CardSpace Control uses the private key of your SSL certificate to decrypt the message after it arrives. To do so, however, the identity under which it is running (usually Network Service) requires read permission on the private key file.
Dominick Baier points out that by granting the worker process of your web application read access to your SSL private key, you are increasing the attack surface. He has written an out-of-proc token decryption service that allows decrypting tokens without the application having direct access to the private key. Consider whether his approach would be better for your situation.
How to provide your worker process read permissions to your SSL Private Key file
First, you will need to verify the identity under which your worker process is running. This is usually NETWORK SERVICE and can be verified by opening IIS on your server and checking the Identity property of the application pool of your web app.
Next, you need to determine which file contains the private key for your SSL certificate. The FindPrivateKey utility, by Microsoft, will help you to do this.
Finally, you need to grant the NETWORK SERVICE (or other) account read access to the private key file.
These steps are illustrated below.
Step 1 - Verify the identity of your worker process.
In IIS 6, on the Home tab of the properties dialog for your application, make note of the application pool. Close the dialog, then expand the Application Pools node of the IIS tree view.
[Screenshot: IIS Manager with the Application Pools node expanded]
In this example, our web application is running in an application pool which we had created and named "Asp.Net 2 App Pool".
When we right-click on the application pool and then click "Properties", we get a dialog similar to the one shown here.
As you can see, the identity for our application pool (and therefore our web application) is verified as "Network Service", which is the default for IIS 6 sites on Windows Server 2003.
[Screenshot: Application pool Properties dialog, Identity tab]
Step 2 - Locate the private key file for your SSL Certificate
Microsoft has created a utility called FindPrivateKey.exe which is available here. Once you've downloaded and built the utility, you'll run it from a command prompt to get back the filename of your SSL private key. The following combination of parameters accepts the thumbprint for your certificate (which is easy to determine):

FindPrivateKey.exe My LocalMachine -t "THETHUMBPRINT" -a
To get the thumbprint for your site's SSL private key, just fire up your browser and navigate to a secure page on your web site to view its certificate.
[Screenshot: browser address bar with the SSL icon]
As shown here, you can view your SSL certificate by clicking the SSL icon in your browser's address bar.
Once you've clicked "View certificates", the Certificate dialog provides information about your SSL certificate. As illustrated, you can select the thumbprint and then copy it to the Windows Clipboard for use in running FindPrivateKey.exe.
Now that you've determined the thumbprint for your SSL certificate, you can run FindPrivateKey.exe as shown below:
[Screenshot: Command Prompt running FindPrivateKey.exe]
Tip: If you click the icon at the top left corner of the Command Prompt window, a menu option will let you "paste" the thumbprint from the Windows Clipboard.
As shown above, the FindPrivateKey utility gives you the file name of the private key that corresponds to the SSL certificate whose thumbprint you provided.
Step 3 - Grant read permissions to the SSL Private Key file
Now that you know which file contains the SSL private key, you can use Icacls.exe (built into Windows Server 2003 SP2) at the command line to grant read rights on the private key file to the worker process account (Network Service):

Icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\aba..63 /grant networkservice:r

(filename abbreviated here for clarity)
Alternatively, you can simply navigate to the file using Windows Explorer, then right-click on the file to set its permissions.
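Steps 2 and 3 can also be done without building FindPrivateKey.exe. The following PowerShell script is an added example, not code from the original article or from the CardSpace Controls project: it looks the certificate up by thumbprint in the LocalMachine\My store, reads the CAPI key container name that the certificate's private key handle exposes, resolves that container to its file under the MachineKeys folder (using the common application-data folder, so the path is correct whether it lives under ProgramData or under Documents and Settings\All Users\Application Data), grants the worker-process account Read only, and then prints the resulting ACL entry so you can confirm that nothing more than Read was granted. The thumbprint and account are parameters; the account defaults to the Network Service identity verified in Step 1. Run it from an elevated prompt on the web server.

```powershell
# Added example (not from the original article): locate an SSL certificate's
# private key file by thumbprint and grant the worker-process account Read access.
# Assumptions: run elevated on the web server; the certificate is in the
# LocalMachine\My store and uses a legacy CAPI (RSA) key container, as IIS 6-era
# SSL certificates do. The thumbprint value you pass is the one copied from the
# certificate dialog; the account defaults to the identity found in Step 1.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

$ErrorActionPreference = 'Stop'

# The certificate dialog inserts spaces between byte pairs; normalise them away.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# Step 2a: find the certificate in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "The certificate has no private key on this machine." }

# Step 2b: a CAPI private key reports its unique key container name, which is
# also the file name under MachineKeys. CNG keys do not, and live elsewhere
# (...\Microsoft\Crypto\Keys); this script stops rather than guessing.
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    throw "The private key is not a CAPI key container; this script only handles CAPI (RSA) keys."
}
if (-not $container) { throw "Could not read the key container name from the certificate." }

$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $machineKeys $container
if (-not (Test-Path -Path $keyFile)) { throw "Key file not found: $keyFile" }
Write-Host "Private key file: $keyFile"

# Step 3: grant Read only (never Modify or Full Control) to the worker-process
# account. This is the same change as: icacls "$keyFile" /grant "$Account:R"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Check: show every Allow entry for the account so an over-broad grant is visible.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Save the script as, for instance, Grant-KeyRead.ps1 and run it as `.\Grant-KeyRead.ps1 -Thumbprint "<thumbprint from the certificate dialog>"`. If you see anything other than `Read` (and the implied `Synchronize`) in the FileSystemRights column for the account, an earlier grant was broader than it needs to be and should be tightened.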
Done!
While the steps for granting your Network Service account read permission on the SSL private key file are not too difficult, they do require access to your server. If your web application is running on a shared hosting server, you may need to solicit the help of your ISP or network administrator. If you need help, have suggestions for improving this process, or would simply like to share your experience with this, please visit our Support Forum.
The complete API for the CardSpace Controls is available here.