Tuesday, June 28, 2005

Authentication and Podcasts

I'm taking a break from the beach to post this interesting email (and my reply) on how to set up some security around podcasts. Using hashing/encryption to check a key before generating the RSS feed ... very workable and hard to pierce.
Very interesting. I use similar methods in PHP with crypt() and randomly generated salts to generate keys out of text and numeric fields in user records. I'd never thought, though, of extending that authentication to the generation of an RSS feed.

I'd explore the possibility of storing the mp3s outside of the web directory itself, though this might get kludgy.

I'll post this.

-Jeff

> I really enjoy your podcasts and would like to let you know about the
> following ideas for distributing podcasts to faculty and students in a
> more secure manner.
>
> 1. When a user registers with a class (as either an instructor or a
> student), create a row in a database table or file consisting of the
> user's email address and 3 random numbers.
>
> 2. Calculate hash values for the following combinations:
> md5(email + md5(number1))
> md5(email + md5(number2))
> md5(email + md5(number3))
> md5(number1 + md5(number2))
> md5(number2 + md5(number3))
> md5(number1 + md5(number3))
>
> 3. Concatenate the 6 hash values in a secret order to generate a 120
> character key for the user. Do not store this key anywhere.
>
> 4. Inform the user that their link for downloading the podcast will be:
> http://server.../dircast.php?u=<120>
>
> 5. Modify dircaster.php or any other RSS generation script to get the
> key value from the querystring and walk through the table, calculating
> the hash value for each row using the same algorithm in step 2.
>
> 6. If the calculated hash value for the row equals the value of the
> querystring, then we have a valid user. Continue executing the script
> to generate the XML for the RSS feed. Send the user an email so they
> will know whenever a podcast is downloaded using their account. Keep
> a log of all podcasts downloaded by each user with timestamps for
> audit purposes. If any user believes their account has been
> compromised, allow them to regenerate their key and resubscribe to the
> podcast.
>
> 7. If none of the rows' hash values match the querystring, then we
> have an invalid user. Do not generate any XML output. Send an email
> to the application administrator and log the attempt. If frequent
> hacks occur, consider moving the directory where the podcasts are
> stored.
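The scheme in steps 1 to 7, worked through in Python as an added example (not code from the blog or from the e-mail's author): the sample user rows and the "secret order" used in step 3 are constructed assumptions. One caveat a practitioner will hit immediately: six hex-encoded MD5 digests concatenate to 192 characters, not the 120 the e-mail states, so the `u=` value in step 4 is 192 characters long.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample of the step 1 table: e-mail address plus three random numbers.
USERS = [
    {"email": "alice@example.edu", "numbers": (11, 22, 33)},
    {"email": "bob@example.edu", "numbers": (44, 55, 66)},
]
# Assumed "secret order" for step 3; the e-mail leaves the order to the implementer.
SECRET_ORDER = (3, 0, 5, 1, 4, 2)

def md5_hex(text: str) -> str:
    # MD5 because the e-mail specifies it; a new design would use an HMAC over SHA-2.
    return hashlib.md5(text.encode()).hexdigest()

def derive_key(email: str, n1: int, n2: int, n3: int) -> str:
    """Steps 2-3: the six MD5 combinations joined in SECRET_ORDER.
    Six 32-character hex digests make a 192-character key (the e-mail says 120)."""
    h1, h2, h3 = (md5_hex(str(n)) for n in (n1, n2, n3))
    parts = [
        md5_hex(email + h1), md5_hex(email + h2), md5_hex(email + h3),
        md5_hex(str(n1) + h2), md5_hex(str(n2) + h3), md5_hex(str(n1) + h3),
    ]
    return "".join(parts[i] for i in SECRET_ORDER)

def new_numbers() -> tuple:
    """Step 1 (and regeneration in step 6): draw the three numbers from a CSPRNG."""
    return tuple(secrets.randbelow(10**9) for _ in range(3))

def find_user(key: str, users=USERS):
    """Steps 5-7: recompute each row's key and compare; None means deny (step 7)."""
    for row in users:
        expected = derive_key(row["email"], *row["numbers"])
        # Constant-time compare, so the scan leaks nothing about how much matched.
        if hmac.compare_digest(expected.encode(), key.encode()):
            return row["email"]
    return None

def authorize_feed_request(query_string: str, users=USERS):
    """Step 4/5 glue: read u= from dircast.php's querystring and look it up."""
    key = parse_qs(query_string).get("u", [""])[0]
    return find_user(key, users)
```

Because nothing but the e-mail and the three numbers is stored, every feed request costs one full pass over the table; the per-user e-mail and timestamped log from step 6 would be written at the point where `find_user` returns an address.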

Monday, June 20, 2005

Summertime ...

Summertime is busy-time for me. Today's episode:
Here's a direct link to the podcast.

Friday, June 10, 2005

Wired to Create

I talk about a few topics, here: LAMS and Moodle, my experiences during a local middle school career day, and an affirmation on the human need to create. Also, exactly whose music am I listening to on the Turnpike?!?!

Wednesday, June 08, 2005

Moodle + LAMS ... Great news!

A marriage made in heaven! Moodle will play nicely with LAMS activities. And ... single-sign-on between the two! Click here to learn more.

Thursday, June 02, 2005

Anti-Intellectualism in Our Schools

Part I of a discussion on anti-intellectualism in our schools ... I talk about two related factors within schools that may be contributing to the problem: motivation and responsibilities.

Click here to listen.

Wednesday, June 01, 2005

Hosting ...

I am in the process of moving to a new hosting solution. This won't affect feed addresses, etc., but the podcasts may be unavailable for a few days.