Authentication and Podcasts
I'm taking a break from the beach to post this interesting email (and my reply) on how to set up some security around podcasts. Using hashing/encryption to check a key before generating the RSS feed ... very workable and hard to pierce.
Very interesting. I use similar methods in PHP with crypt() and randomly generated salts to generate keys out of text and numeric fields in user records. I'd never thought, though, of extending that authentication to the generation of an RSS feed.
I'd explore the possiblity of storing the mp3's outside of the web directory itself, though this might get kludgy.
I'll post this.
-Jeff
> I really enjoy your podcasts and would like to let you know about the
> following ideas for distributing podcasts to faculty and students in a
> more secure manner.
>
> 1. When a user registers with a class (as either an instructor or a
> student), create a row in a database table or file consisting of the
> user's email address and 3 random numbers.
>
> 2. Calculate hash values for the following combinations:
> md5(email + md5(number1))
> md5(email + md5(number2))
> md5(email + md5(number3))
> md5(number1 + md5(number2))
> md5(number2 + md5(number3))
> md5(number1 + md5(number3))
>
> 3. Concatenate the 6 hash values in a secret order to generate a 120
> character key for the user. Do not store this key anywhere.
>
> 4. Inform the user that their link for downloading the podcast will be:
> http://server.../dircast.php?u=<120>
>
> 5. Modify dircaster.php or any other RSS generation script to get the
> key value from the querystring and walk through the table, calculating
> the hash value for each row using the same algorithm in step 2.
>
> 6. If the calculated hash value for the row equals the value of the
> querystring, then we have a valid user. Continue executing the script
> to generate the XML for the RSS feed. Send the user an email so they
> will know whenever a podcast is downloaded using their account. Keep
> a log of all podcasts downloaded by each user with timestamps for
> audit purposes. If any user believes their account has been
> compromised, allow them to regenerate their key and resubscribe to the
> podcast.
>
> 7. If none of the rows' hash values match the querystring, then we
> have an invalid user. Do not generate any XML output. Send an email
> to the application administrator and log the attempt. If frequent
> hacks occur, consider moving the directory where the podcasts are
> stored.
posted by J. P. Moore @ 6:41 AM
2 Comments:
“We cannot live for ourselves alone. Our lives are connected by a thousand invisible threads, and along these sympathetic fibers, our actions run as causes and return to us as results.”
- Herman Melville
RSS is the way of the Future...
bit rss rssbit
You have a great blog here.
I have a top web hosting site. It's about top web hosting related stuff.
Feel free to visit and let me know what you think :-)
Post a Comment
<< Home