
Archive for the ‘computer security’ Category
Single Sign On (SSO)
March 19th, 2010
Recently at work I have been trying to integrate a MediaWiki’s login with our SSO. My boss explained to me how SSO works. I decided to make a diagram of the way it works and write up a blog post about it. This is a basic overview of SSO. I made an image
Step 1: The client makes the initial request to view a page that requires signing in. When the web server receives it, it checks whether the client is already logged in; the login state is stored in a cookie, which I explain more in the last step. If they are logged in, they are allowed to view the page. Otherwise, move to Step 2.
Step 2: Redirect the user to the CAS (Central Authentication Service) server. In the redirect URL, URL-encode the address of the current page and pass it as a parameter to the CAS server (Example: https://cas.brokenbytes.info/login/?service=http://admin.brokenbytes.info/index.php). This will be used later (in Step 3). CAS presents a login page where the user enters their credentials. If the login fails, let them try again. If validation succeeds, generate an SSO Token ID (Example: 165asdefASD5). This is a unique token for this single sign-on by this client, and it is used only for this session. In memory or in a database, associate the client with that token. Now move to Step 3.
Step 3: At this point the client has just been validated. Now redirect the user back to the Web Server, but first modify the URL to pass the SSO Token ID back to the Web Server. Your redirect address will look something like this: http://admin.brokenbytes.info/index.php?token=165asdefASD5.
Step 4: When the Web Server receives this request, it sees the token parameter and knows to check its validity with the CAS server. This validity check happens directly between the Web Server and the CAS Server; the client is not involved at all. In PHP you can do this with file_get_contents("https://cas.brokenbytes.info/login/validate?token=165asdefASD5") or similar. If the CAS server replies with an okay, true, yes, etc. response, generate an encrypted cookie for the user to authenticate them. From this point forward they authenticate with the cookie until it is deleted or times out.
Notes: The SSO Token ID should only be valid for a few minutes, or until it is used, and should then be unassigned.
Downfalls: Session hijacking can still happen because the cookie is stored on the client's machine.
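To make the four steps concrete, here is an added Python sketch (not code from the original post) of both the CAS side and the Web Server side: the Step 2 redirect, token issuance, the Step 4 back-channel validation that enforces the single-use, few-minute lifetime from the Notes, and the cookie issued afterwards. Assumptions: an in-memory dict stands in for the CAS database, the cookie is HMAC-signed rather than encrypted, and the token is additionally bound to the service it was issued for, which goes slightly beyond the post.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.brokenbytes.info/login/"  # CAS login URL from the post
TOKEN_TTL = 300          # "valid for a few minutes": 5 minutes here, an assumption
COOKIE_TTL = 3600        # session cookie lifetime in seconds, an assumption
COOKIE_KEY = b"constructed-demo-key-do-not-reuse"  # web server's secret, constructed
_tokens = {}  # constructed in-memory CAS store: token -> (username, service, issued_at)

def build_login_redirect(service_url):
    """Step 2: redirect the browser to CAS with the current page URL-encoded as 'service'."""
    return CAS_LOGIN + "?" + urlencode({"service": service_url})

def issue_token(username, service_url, now):
    """Step 2, after a successful login: mint a random SSO Token ID bound to user and service."""
    token = secrets.token_urlsafe(16)
    _tokens[token] = (username, service_url, now)
    return token

def build_service_redirect(service_url, token):
    """Step 3: send the browser back to the web server with the token in the query string."""
    sep = "&" if "?" in service_url else "?"
    return service_url + sep + urlencode({"token": token})

def validate_token(token, service_url, now):
    """Step 4, CAS side: back-channel check; token is consumed on first use, expired or foreign-service tokens fail."""
    entry = _tokens.pop(token, None)
    if entry is None:
        return None
    username, bound_service, issued_at = entry
    if now - issued_at > TOKEN_TTL or bound_service != service_url:
        return None
    return username

def make_session_cookie(username, now):
    """Step 4, web server side: HMAC-signed cookie (payload + tag) issued after CAS says yes."""
    payload = f"{username}|{int(now) + COOKIE_TTL}"
    tag = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag

def verify_session_cookie(cookie, now):
    """Later requests: accept the cookie only if the tag verifies and it has not expired."""
    try:
        username, expires, tag = cookie.rsplit("|", 2)
        expected = hmac.new(COOKIE_KEY, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected) and now <= int(expires):
            return username
    except ValueError:
        pass
    return None
```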
[ Tags ]: Single Sign On, SSO
[ Category ]: computer security, programming
Knowledge
January 12th, 2010
Knowledge is the most powerful tool available to humans. For this reason sharing knowledge is a wonderful thing. In an effort to disperse knowledge I will be posting some things I have been reading. I will probably also be commenting on whether I found them useful to look at or think they are a definite skip.
People who know me know that I love computer security. I'm still at meager beginnings, but I enjoy learning about it. This passion has led to my discovery of many security related sites. Here are a couple and what I think of them.
Infinity Exists is a very interesting site. It is probably on the lesser known side and has a bunch of tutorial type videos relating to computer security. There are a few videos unrelated to it as well. I like this site. They are very open, and it comes from someone in the same position as me: someone starting out with an interest in security and learning. The production quality is low budget but still pretty decent.
Heorot is another site that I like. I recently bought a book called "Professional Penetration Testing: Creating and Operating a Formal Hacking Lab" and am really enjoying it so far. The guy who wrote the book maintains the Heorot site. The author is the creator of De-Ice. De-Ice is a bootable CD that is built for you to try to break into, but it doesn't contain unpatched software. It is based on misconfiguration discovery and exploitation. The discs also come in multiple levels of difficulty.
[ Tags ]: computer security, de-ice, penetration testing, starting out in security
[ Category ]: computer security
Drupal and wireless security
October 11th, 2009
I'm starting a project for my networking class that is going to cover wireless security. After it is finished I will probably post the material up here for people to look at if they would like. It will include a proposal, presentation, and paper about wireless security methodologies. I will also release any programs and such (if any) that I make related to this project. I plan to collect local data about wireless access points as well, which will be available.
Recently I have also been working on a project for my friends in Drupal. I have been learning how to implement a website in Drupal, including forums and other things. It is for a Legion (guild) in Aion (video game) called The Fifth Column. It can be found at www.5column.org.
[ Tags ]: networking, wireless, wireless security
[ Category ]: computer security