How to install PassCard
1. Unzip the PassCard package.
2. Click on the setup wizard, and simply follow the instructions thereafter.
3. In the Register folder, right-click on the Register PassCard file and click on Run as administrator.
4. Restart your IE browser.
How to uninstall PassCard
1. In the Register folder, right-click on the Unregister PassCard file and click on Run as administrator.
2. Two possible methods:
a. click (again) on the setup wizard, and simply follow the instructions thereafter; or
b. uninstall PassCard from the Control Panel.
How to disable/enable PassCard
Start your IE browser; then go to the Tools menu; then click on Manage Add-ons; then select the appropriate entry for PassCard, and, finally, click on the Enable/Disable button.
How to create a PassCard
1. Go to Control Panel and double-click on Windows CardSpace.
2. Create a personal card, i.e. a PassCard, by clicking on Add a card and then choosing a personal card. Please give the card a name, and, if you like, you can also upload a picture to appear on the card. Then, enter your username in the First Name field, and your password in the Last Name field. Optionally, you can also enter the URL of the login page of the visited site in the Web Page field (in order to eliminate phishing attacks).
3. Finally, click on the save button.
Notes
1. If you refresh the visited webpage, PassCard will terminate at that site. Please visit the site again if you would like to turn on PassCard again.
2. When operating in HTTPS mode, PassCard encrypts the username-password values using AES in CBC mode with a 64-character key. The key is stored in the JavaScript file that is part of the plug-in package, so it can be seen by anyone viewing the file. This encryption is not needed to prevent channel eavesdropping, because an SSL/TLS channel is already established between the browser and the target HTTPS site. However, the username and password are sent as part of the URL, so if they were sent in plaintext they would be vulnerable to shoulder-surfing attacks, since they would be shown in the browser address bar (and possibly also in the browser status bar). The implementation uses a symmetric encryption scheme for username/password encryption in order to minimise the overhead.
3. When operating in HTTPS mode, the HTTP server (HS) may be the PassCard default website, your own HS site, or a local HTTP-based web server running on your PC (setting up a web server is typically straightforward, e.g. by installing XAMPP on Windows).
4. This PassCard version has been successfully tested with more than 30 websites, including RHUL, YouTube, Facebook, Google, Yahoo, Amazon, ACM Portal, SpringerLink, IEEE Xplore, Wikipedia, MyOpenID, and Microsoft Research (websites most recently checked on 25/12/2010).
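The following added example (not PassCard's own code) illustrates Note 2: AES-CBC with a key shipped in the plug-in file keeps the credentials out of the visible address bar, but anyone holding that file can decrypt them. It assumes the 64-character key is 64 hex characters (AES-256), a random IV prepended to the ciphertext, and a hypothetical `pc` query parameter; the key, host name and credentials are constructed.

```javascript
// Added example with constructed values; not the code shipped with PassCard.
const crypto = require('node:crypto');

// Assumption: the "64-character key" is 64 hex characters, i.e. a 256-bit AES key.
// Constructed sample key standing in for the one readable in the plug-in's JavaScript file.
const EMBEDDED_KEY_HEX =
  '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff';
const KEY = Buffer.from(EMBEDDED_KEY_HEX, 'hex');

// Encrypt the credentials with AES-256-CBC under a fresh random IV.
// The IV is prepended and the result base64url-encoded so it is URL-safe.
function encryptCredentials(username, password) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', KEY, iv);
  const plaintext = JSON.stringify({ username, password });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, ct]).toString('base64url');
}

// Hypothetical URL layout: the token travels in a "pc" query parameter.
function buildUrl(base, token) {
  const u = new URL(base);
  u.searchParams.set('pc', token);
  return u.toString();
}

// Anyone with the plug-in file has KEY, so this recovers the credentials:
// the scheme hides them from onlookers, it does not keep them confidential.
function decryptFromUrl(url) {
  const raw = Buffer.from(new URL(url).searchParams.get('pc'), 'base64url');
  const iv = raw.subarray(0, 16);
  const decipher = crypto.createDecipheriv('aes-256-cbc', KEY, iv);
  const pt = Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Round trip on constructed credentials and a constructed HS address.
function demo() {
  const token = encryptCredentials('alice', 'S3cret!pw');
  const url = buildUrl('http://hs.example.test/PassCard.htm', token);
  return { url, recovered: decryptFromUrl(url) };
}
```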
How to set your (http) home page to act as the TTP
1. Copy the full URL of your webpage and paste it into line 50 of the JavaScript file, in place of http://www.isg.rhul.ac.uk/~cjm/PassCard.htm. That is all.