
General Musing

blaze your trail

Posts Tagged ‘identity’

Privacy and Mobile ID


SecureIDNews | Researchers test privacy and mobile ID

App enables relying parties to see only relevant data
Gina Jordan, contributing editor, Avisian Publications
With the emergence of Google Wallet and the slow migration toward mobile payment transactio…


Written by Daniël W. Crompton (webhat)

July 9, 2012 at 3:58 pm

6 Months of Security Links #2011


I’m a regular curator of daily links, and I like to give overviews of my collection of curated links and posts. This is partly because there are some good sources and articles in here, and partly because I am working on a research project that I started after reading a number of books.

I’m sure you’ll find something interesting in the items below – there are some gems in the list – and I’d hazard a guess that you might learn something you wanted to know. 🙂


Written by Daniël W. Crompton (webhat)

July 15, 2011 at 4:10 pm

Posted in tagging


Proof of Concept: Simple Authenticated Internet Access


Sitting in the train at Amsterdam’s “Centraal Station” I was considering what the simplest method would be to provide public authenticated internet access – such as the one I was using in the train – with payment and self-service so that the users can be tracked. I’m not saying that this is possible with the low-end systems your provider gives away as part of a DSL subscription.

I’m into quick paper prototypes, so there could be an even simpler way in practice, but I think I have mostly covered it in the diagram.

Simple Authenticated Internet Access Diagram

  1. Firstly the client must be able to connect, which is symbolised by this arrow. I don’t want the user forwarded to the internet immediately, so I have the “proxy” redirect the user; this can be based on the MAC address the user’s computer presents to the Access Point, on the IP address allocated in the DHCP lease, or on both. The risk here is that both the IP and the MAC can be spoofed. In a system for which payment is needed the risk is theft of the connection from the real customer, or a DoS due to the IP address collision. The choice is either to accept this and budget for it, making all the honest customers pay for the crimes perpetrated against them, or to reduce it by having the Access Manager (AM) ensure that the current user is the user who authenticated, using some browser magic.
  2. The user goes to the Self Service and either creates and pays for an account, or requests some type of (limited/trial) access. The risk here is that credentials can be stolen, as the wireless network is not secured with a password; this risk can be reduced by using SSL to encrypt the session.
  3. The user then uses the created credentials to authenticate; again this risk can be reduced by using an SSL connection.
  4. After authentication the user session is passed on to the AM.
  5. The AM checks the access rights for the user/session and passes this data on to the Self Service so the user can see the current status of the account.
  6. The “proxy” is updated at the same time as the Self Service, to ensure that the user can make use of the service that has been acquired.
  7. The user starts to use the service which has been acquired. To avoid the theft of the user’s information over an insecure wifi network the choice can be made to tunnel the connection to the internet over SSL through the proxy; the problem is that the certificate presented would then be the proxy’s rather than the site’s, so every page or item will trigger an SSL security warning, and this may break sites which use SSL themselves. The simplest strategy is to warn customers of the risk during Self Service, in an EULA that they will never read; the nicer way would be a more prominent warning. Either way the treatment of this risk is to accept it and not become involved in any resolution.

Any comments?

Image source: purpleslog

Written by Daniël W. Crompton (webhat)

January 3, 2011 at 8:30 am

This year’s articles about programming #2010


Programming Hands

In 2010 I was less focussed on programming articles on the blog than in previous years, but I still managed to write some interesting articles with code in 2010. This is an overview of the activity:

Having some fun today with QR codes, JavaScript and the Google Analytics URL …

The only questions that are asked in the Daily Scrum, aka Stand-Up, are: What…

UPDATE: GMail has introduced my number 3. YEAH! (Gmail introduces Priority In…

I like YouTube, and often subscribe to new channels and unsubscribe after a w…

Since I started working for my company I’ve been exposed to PCI DSS (Pa…

I don’t understand why url expansion after url shortening is such an is…

VeriSign – Personal Identity Portal is a OpenID provider with multiple …

Image source D’Arcy Norman

VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid


VeriSign – Personal Identity Portal is an OpenID provider with multi-factor authentication: a password plus one of

  • Mobile Credential (phone or mail PIN)
  • Account Information Card (can be used by applications such as Microsoft CardSpace)
  • VeriSign browser certificate
  • VeriSign Identity Protection (VIP) Credential (Physical Token)

As I have a browser certificate linked to my old browser and couldn’t log in with my current browser, I had to figure out a workaround for when I don’t have the browser certificate: PIN Request. On the page that performs the browser certificate request there is a hidden link to get a PIN sent by mail or mobile, which you can find here.

Hope that helps you.

Written by Daniël W. Crompton (webhat)

April 17, 2010 at 7:24 pm

Podcasts I Like – Speaking of Security #podcast


The RSA podcast Speaking of Security is one of my favourite security podcasts, and not just because RSA is my former employer. They cover many of the issues faced by enterprises; subjects such as online fraud and privacy, enterprise data protection, authentication strategies, and government policy are all covered from an enterprise perspective.

It’s also a good source of discussion on the RSA Conference.


Written by Daniël W. Crompton (webhat)

August 18, 2008 at 8:13 pm

Clipperz, Online Password Share


I was trying to think of what to say about SlideShare, so I was browsing the site for inspiration; it didn’t work.

What I did find was Clipperz. Clipperz makes it possible to log in with one click: the username and password for the site are stored encrypted at Clipperz, decrypted in the browser and posted to the site. I’ll use the example of /. (Slashdot); the bookmarklet provided extracts the login form and uses that description to populate the form later.

{
  "page": {"title": "Slashdot: News for nerds, stuff that matters"},
  "form": {
    "attributes": {"action": "http://slashdot.org/login.pl", "method": "post"},
    "inputs": [
      {"type": "text",     "name": "unickname",  "value": "username"},
      {"type": "hidden",   "name": "returnto",   "value": "//slashdot.org/"},
      {"type": "hidden",   "name": "op",         "value": "userlogin"},
      {"type": "password", "name": "upasswd",    "value": "password"},
      {"type": "checkbox", "name": "login_temp", "value": "yes"},
      {"type": "submit",   "name": "userlogin",  "value": "Log in"}
    ]
  },
  "version": "0.2.3"
}

To be entirely portable you can access the websites from a sidebar in your browser. Naturally this is a nice proof of concept for the real product they are selling: zero-knowledge web applications.

Zero-knowledge web applications are about making web applications more secure. Do you trust Google Documents with your confidential documents? You shouldn’t, unless the data is stored in a form the SaaS provider cannot read. The Clipperz password manager is the first zero-knowledge web application, meaning that Clipperz knows nothing about its users and their data. They do this with a JavaScript library, based on Ajax and browser-based cryptography, which can be used to build applications that let users manage their private data. Note that “zero-knowledge” here means the server only ever holds ciphertext it cannot decrypt, not a zero-knowledge proof in the cryptographic sense; the flip side is that a forgotten passphrase cannot be recovered by the provider either.


Written by Daniël W. Crompton (webhat)

July 26, 2008 at 8:07 pm
