Posts Tagged ‘identity’
Privacy and Mobile ID
SecureIDNews | Researchers test privacy and mobile ID
App enables relying parties to see only relevant data. Gina Jordan, contributing editor, Avisian Publications. With the emergence of Google Wallet and the slow migration toward mobile payment transactio…
Proof of Concept: Simple Authenticated Internet Access

Sitting in the train at Amsterdam’s “Centraal Station” I was considering what the simplest method would be to provide public authenticated internet access – such as the one I was using in the train – with a payment/self-service component to track the users. I’m not saying that this is possible with low-end systems such as the ones your provider gives away as part of the DSL subscription.
I’m into quick paper prototypes, so there could be an even simpler way in practice, and I think I mostly covered it in the diagram.
- Firstly the client must be able to connect, which is symbolized by this arrow. I don’t want the user to be redirected to the internet immediately, so I have the “proxy” redirect the user; this could be based on the MAC address that the user’s computer broadcasts to the Access Point, on the IP allocated in the DHCP lease, or on both. The risk here is that both the IP and the MAC can be spoofed. In a system where payment is required, the risk is theft of the connection from the real customer, or a DoS due to an IP address collision. The choice is either to accept and budget for it, making all the honest customers pay for the crimes perpetrated against them, or to reduce it by using the Access Manager (AM) to ensure that the current user is the user who authenticated, by means of some browser magic.
- The user goes to the Self Service and either creates and pays for an account, or requests some type of (limited/trial) access. There is a risk here of identity theft, as the network is not secured with a password; this risk can be reduced by using SSL to encrypt the session.
- The user then uses the created credentials to authenticate; again, this risk can be reduced by using an SSL connection.
- After authentication the user session is passed on to the AM.
- The AM checks the access rights for the user/session and passes this data on to the Self Service so the user can see the current status of the account.
- The “proxy” is also updated at the same time as the Self Service, to ensure that the user can make use of the service that has been acquired.
- The user starts to use the service which has been acquired. To avoid the theft of the user’s information over an insecure wifi network, the choice can be made to tunnel the connection to the internet over SSL; the issue is naturally that each page or item will get an SSL security warning, and this may cause issues with sites which do use SSL. The simplest strategy is to warn the customers of the risk during the Self Service in a EULA that they will never read, although the nicest way would be to warn them in a more prominent way; still, the treatment of this risk is to not become involved in any resolution.
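The Access Manager step above, where the session is tied to the authenticated user rather than only to a spoofable MAC/IP, as an added example (not the post's own code): a hypothetical AccessManager that binds a paid or trial session to the client's MAC, IP and a secret browser token, so the proxy admits traffic only when all three match and the allowance has not expired.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mac: str
    ip: str
    expires: float       # unix time at which the bought/trial allowance runs out


class AccessManager:
    """Hypothetical AM for the sketch above (not the post's code). A session is
    bound to MAC *and* IP *and* a secret token the browser carries, so a client
    that only spoofs the MAC/IP of a paying customer does not inherit the access."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key            # server secret; tokens are stored only as keyed hashes
        self._clock = clock        # injectable clock so expiry can be tested
        self._sessions = {}        # hashed token -> Session

    def _hash(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def grant(self, user: str, mac: str, ip: str, seconds: int) -> str:
        """Called by Self Service after the user authenticated; returns the token
        the browser must present (e.g. as a cookie) on every proxied request."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._hash(token)] = Session(user, mac.lower(), ip,
                                                    self._clock() + seconds)
        return token

    def check(self, token: str, mac: str, ip: str) -> bool:
        """Proxy-side decision: admit only if the token is known, not expired,
        and was issued to this same MAC and IP."""
        s = self._sessions.get(self._hash(token))
        if s is None or s.expires <= self._clock():
            return False
        return s.mac == mac.lower() and s.ip == ip

    def status(self, token: str) -> int:
        """What Self Service shows the user: seconds of access left (0 if none)."""
        s = self._sessions.get(self._hash(token))
        return max(0, int(s.expires - self._clock())) if s else 0
```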
Any comments?
Image source: purpleslog
This year’s articles about programming #2010

In 2010 I was less focused on programming articles on the blog than in previous years; still, I have managed to create some interesting articles with code in 2010. This is an overview of the activity:
Sync Web with Phone #html #javascript #scratchpad
Having some fun today with QR codes, JavaScript and the Google Analytics URL …
The Structure of a Daily Scrum #agile #scrum
The only questions that are asked in the Daily Scrum, aka Stand-Up, are: What…
Features I Still Miss in Mail #mail #email
UPDATE: GMail has introduced my number 3. YEAH! (Gmail introduces Priority In…
YouTube Channel Unsubscribe #bookmarklet
I like YouTube, and often subscribe to new channels and unsubscribe after a w…
PCI is nice (or what I do) #pcidss
Since I started working for my company I’ve been exposed to PCI DSS (Pa…
Solving the URL shortening problem #twitter #tweet
I don’t understand why url expansion after url shortening is such an is…
VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid
VeriSign – Personal Identity Portal is a OpenID provider with multiple …
Image source: D’Arcy Norman
VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid
VeriSign – Personal Identity Portal is an OpenID provider with multiple-factor identification: Password +
- Mobile Credential (phone or mail PIN)
- Account Information Card (can be used by applications such as Microsoft CardSpace)
- VeriSign browser certificate
- VeriSign Identity Protection (VIP) Credential (Physical Token)
As I have a browser certificate linked to my old browser and couldn’t log in with my current browser, I had to figure out a workaround for when I don’t have the browser certificate: PIN Request. On the page that does the browser certificate request there is a hidden link to get a PIN sent by mail or mobile, which you can find here.
Hope that helps you.
Podcasts I Like – Speaking of Security #podcast
The RSA podcast Speaking of Security is one of my favourite podcasts covering security, not just because they are my former employers. They cover many of the issues faced by enterprises; subjects such as online fraud and privacy, enterprise data protection, authentication strategies, and government policy are covered from an enterprise perspective.
It’s also a good source of discussion on the RSA Conference.
technorati tags: security, podcast, compliance, pci, mifid, fraud, authentication, identity
Clipperz, Online Password Share
I was trying to think of what to say about SlideShare, so I was browsing the site for inspiration; it didn’t work.
What I did find was Clipperz. Clipperz makes it possible to log in with one click: the username and password for the site are stored encrypted at Clipperz, decrypted, and posted to the site. I’ll use the example of /.; the bookmarklet provided extracts the login form into the description below, which is then used to populate the login form.
{
  "page": {"title": "Slashdot: News for nerds, stuff that matters"},
  "form": {
    "attributes": {"action": "http://slashdot.org/login.pl", "method": "post"},
    "inputs": [
      {"type": "text", "name": "unickname", "value": "username"},
      {"type": "hidden", "name": "returnto", "value": "//slashdot.org/"},
      {"type": "hidden", "name": "op", "value": "userlogin"},
      {"type": "password", "name": "upasswd", "value": "password"},
      {"type": "checkbox", "name": "login_temp", "value": "yes"},
      {"type": "submit", "name": "userlogin", "value": "Log in"}
    ]
  },
  "version": "0.2.3"
}
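How a direct login could consume such a form record, as an added example that is not Clipperz's code: the text and password placeholders are replaced with the (already decrypted, client-side) credentials, hidden and submit fields are sent verbatim, unchecked boxes are left out, and the result is the request that would go to the recorded action URL. The sample record is the Slashdot one from above, embedded here as constructed input.

```python
import json
from urllib.parse import urlencode

# Constructed sample in the bookmarklet's form-description format shown above.
FORM_RECORD = json.loads("""{
 "page": {"title": "Slashdot: News for nerds, stuff that matters"},
 "form": {"attributes": {"action": "http://slashdot.org/login.pl", "method": "post"},
          "inputs": [
   {"type": "text", "name": "unickname", "value": "username"},
   {"type": "hidden", "name": "returnto", "value": "//slashdot.org/"},
   {"type": "hidden", "name": "op", "value": "userlogin"},
   {"type": "password", "name": "upasswd", "value": "password"},
   {"type": "checkbox", "name": "login_temp", "value": "yes"},
   {"type": "submit", "name": "userlogin", "value": "Log in"}]},
 "version": "0.2.3"}""")


def build_login_request(record, username, password, check_boxes=False):
    """Hypothetical filler: turn a stored form record plus the decrypted
    credentials into the request a direct login would send.
    Returns (method, action, urlencoded body)."""
    if record.get("version") != "0.2.3":
        raise ValueError("unsupported record version")
    form = record["form"]
    fields = []
    for inp in form["inputs"]:
        kind, name = inp["type"], inp["name"]
        if kind == "text":
            fields.append((name, username))      # placeholder "username" replaced
        elif kind == "password":
            fields.append((name, password))      # placeholder "password" replaced
        elif kind == "hidden":
            fields.append((name, inp["value"]))  # hidden fields go out verbatim
        elif kind == "checkbox":
            if check_boxes:                      # unchecked boxes are not submitted
                fields.append((name, inp["value"]))
        elif kind == "submit":
            fields.append((name, inp["value"]))  # the named submit button is posted
        # any other input type is ignored by this filler
    attrs = form["attributes"]
    return attrs["method"].upper(), attrs["action"], urlencode(fields)
```

Note that the recorded action above is plain http://, so the decrypted password would cross the wire unencrypted; a practitioner would want the filler to refuse or at least warn on non-https actions.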
To be entirely portable you can access the websites from a sidebar in your browser. Naturally this is a nice proof of concept for the real product they are selling: zero-knowledge web applications.
Zero-knowledge web applications are about making web applications more secure. Do you trust Google Documents with your confidential documents? You shouldn’t, unless the data is stored without the knowledge of the SaaS provider. Clipperz password manager is the first zero-knowledge web application. This means that Clipperz knows nothing about its users and their data. They do this using a JavaScript library, based on Ajax and browser-based cryptography, which can be used to build applications that users can use to manage their private data.
technorati tags: saas, business, javascript, security, authentication, identity
MySpace gains OpenID, FaceBook should
Firstly, I’m not using WordPress’ Press This feature any more; this is the third time I am having to post this after it ate 2 previous drafts. Maybe I should fix the GreaseMonkey script I built for /. to work on Press This.
After predicting the death of MySpace they have surprised me by adding an OpenID Identity Provider. Obviously they are only allowing you to use it to authenticate on other sites, but it is still a step that others, including FaceBook, haven’t taken yet. So I started to muse how FaceBook would be able to top it, and what I actually want from an OpenID Identity Provider:
ClaimID already has 3 of the 4, but their friend system requires some kind of social networking, and as it is not a social networking site it doesn’t really cover FOAF completely. This is why integration of FOAF would be a good step for both FaceBook and MySpace.
MySpace is only acting as an identity provider, meaning that while you can use your MySpace credentials to sign into other Web sites, you cannot yet use your credentials from another OpenID provider to sign into MySpace.
Source: MySpace Opens Up First; Launches Data Availability on Flixster and Eventful
technorati tags: authentication, foaf, hcard, identity, microformat, openid, security