
Written by: Matthew Hile
5/14/2008 10:12 AM

I got enthused about a new security device, Yubico's YubiKey, after listening to Steve Gibson's Security Now podcast episode 141 (with a brief description) and episode 143 (with an interview and full description). Basically, this slim USB device emulates a keyboard and emits a unique password each time it is touched. Using a web service, as well as other methods, you can test to make sure the string is a valid password. Various software examples for doing so are available from their web site.

Since I deal with securing protected HIPAA data, I am constantly on the lookout for solutions to further protect access to that information. Combined with a user ID and password, this device seemed to offer a simple, cost-effective, two-factor authentication approach.

Yubico provides a variety of sample code for Java, C, and C# .NET. However, I needed a VB implementation that I could use in DotNetNuke. To this end I created a new DNN module, rewrote the code from the C# example, and implemented a basic system for validating the YubiKey against Yubico's web service.

The basic code for the validation is below:

    ' Requires Imports System.IO and Imports System.Net at the top of the file
    Function verify(ByVal strAuthorizationId As String, ByVal strOdp As String) As Boolean
        Dim _result As Boolean = False
        Dim _response As String = ""
        Dim request As HttpWebRequest
        Dim response As HttpWebResponse
        ' HTTPS, so the status line cannot be altered in transit
        Dim strYUBICO_AUTH_SRV_URL As String = "https://api.yubico.com/wsapi/verify?id="

        Try

            ' Escape both values because they are placed in the query string
            request = DirectCast(WebRequest.Create(strYUBICO_AUTH_SRV_URL & _
                Uri.EscapeDataString(strAuthorizationId) & "&otp=" & _
                Uri.EscapeDataString(strOdp)), HttpWebRequest)
            response = DirectCast(request.GetResponse(), HttpWebResponse)

            Dim ver As String = response.ProtocolVersion.ToString
            Dim reader As StreamReader = New StreamReader(response.GetResponseStream)

            ' Review the response and proceed accordingly
            Dim str As String = reader.ReadLine

            ' ReadLine returns Nothing at the end of the stream.
            ' Check every line, including the first, before reading the next one.
            Do While str IsNot Nothing
                _response += str + "-"
                If str.StartsWith("status=") Then
                    If str.StartsWith("status=OK") Then
                        _result = True
                    End If
                    Exit Do
                End If
                str = reader.ReadLine
            Loop

            reader.Close()
            response.Close()

            If Not _result Then
                ' Write failed attempt to log
                Dim objEventLog As New DotNetNuke.Services.Log.EventLog.EventLogController
                objEventLog.AddLog( _
                    "Yubikey Authentication Failure", _
                    "ID: " & Left(strOdp, 12) & " Returned: " & _response, _
                    PortalSettings, _
                    -1, _
                    DotNetNuke.Services.Log.EventLog.EventLogController.EventLogType.ADMIN_ALERT)
            End If

            Return _result

        Catch exc As Exception

            ProcessModuleLoadException(Me, exc)
            ' Fail closed: any error counts as a failed validation
            Return False

        End Try

    End Function

 

I have also zipped the source code and the installation file if you would like to explore and play with this function. NOTE: To use this code you will need to replace

Dim _authId As String = "-1" '

with your code that can be obtained for free from http://yubico.com/developers/api/
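
The web service answers status=OK for a valid OTP from any YubiKey, so for two-factor use the login should also confirm that the OTP's 12-character prefix (the ID the function above logs) is the key enrolled for that user. The following is an added example, not part of the original module or Yubico's samples; `IsWellFormedOtp`, `OtpBelongsToUser`, `ParseStatus` and all sample values are hypothetical, and it assumes the default 44-character OTP with a 12-character public ID.

```vbnet
Imports System

Module YubiKeyChecks
    ' ModHex alphabet used by YubiKey OTPs
    Private Const ModHex As String = "cbdefghijklnrtuv"

    ' True when the OTP is 44 ModHex characters (assumed: 12-char public ID + 32-char token)
    Function IsWellFormedOtp(ByVal otp As String) As Boolean
        If otp Is Nothing OrElse otp.Length <> 44 Then Return False
        For Each c As Char In otp.ToLowerInvariant()
            If ModHex.IndexOf(c) < 0 Then Return False
        Next
        Return True
    End Function

    ' True only when the OTP was produced by the key enrolled for this user
    Function OtpBelongsToUser(ByVal otp As String, ByVal enrolledPublicId As String) As Boolean
        If Not IsWellFormedOtp(otp) OrElse String.IsNullOrEmpty(enrolledPublicId) Then Return False
        Return String.Equals(otp.Substring(0, 12), enrolledPublicId, StringComparison.OrdinalIgnoreCase)
    End Function

    ' Returns the value of the status line, or "" when the response has none
    Function ParseStatus(ByVal body As String) As String
        If body Is Nothing Then Return ""
        Dim seps() As Char = {ControlChars.Cr, ControlChars.Lf}
        For Each line As String In body.Split(seps, StringSplitOptions.RemoveEmptyEntries)
            Dim trimmed As String = line.Trim()
            If trimmed.StartsWith("status=", StringComparison.Ordinal) Then Return trimmed.Substring(7)
        Next
        Return ""
    End Function

    Sub Main()
        ' Constructed sample values, not real OTPs or real server output
        Dim enrolled As String = "cccccccbcjdi"
        Dim otp As String = enrolled & New String("v"c, 32)
        Dim otherKeyOtp As String = "ccccccccccdd" & New String("v"c, 32)
        Dim body As String = "h=constructed" & vbCrLf & "t=constructed" & vbCrLf & "status=OK"
        Console.WriteLine("Well formed: " & IsWellFormedOtp(otp))
        Console.WriteLine("Enrolled key: " & OtpBelongsToUser(otp, enrolled))
        Console.WriteLine("Other key: " & OtpBelongsToUser(otherKeyOtp, enrolled))
        Console.WriteLine("Allow login: " & (OtpBelongsToUser(otp, enrolled) AndAlso ParseStatus(body) = "OK"))
    End Sub
End Module
```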
