Pretty Good Podcast Security

by Eric Rangell

Published in the Public Domain


The following algorithm can be used to distribute podcasts to faculty and students in a more secure manner.

  1. When a user registers with a class (as either an instructor or a student), create a row in a database table or file consisting of the user's email address and 3 random numbers.


  2. Calculate hash values for the following combinations:

    md5(email + md5(number1))
    md5(email + md5(number2))
    md5(email + md5(number3))
    md5(number1 + md5(number2))
    md5(number2 + md5(number3))
    md5(number1 + md5(number3))


  3. Concatenate the 6 hash values in a secret order to generate a 120 character key for the user. Do not store this key anywhere.


  4. Inform the user that their link for downloading the podcast will be:

    http://server.../dircast.php?u={the 120 character key}
    
  5. Modify dircaster.php or any other RSS generation script to get the key value from the querystring and walk through the table, calculating the hash value for each row using the same algorithm in step 2.


  6. If the calculated hash value for the row equals the value of the querystring, then we have a valid user. Continue executing the script to generate the XML for the RSS feed. Send the user an email so they will know whenever a podcast is downloaded using their account. Keep a log of all podcasts downloaded by each user with timestamps for audit purposes. If any user believes their account has been compromised, allow them to regenerate their key and resubscribe to the podcast.


  7. If none of the rows' hash values match the querystring, then we have an invalid user. Do not generate any XML output. Send an email to the application administrator and log the attempt. If frequent hacks occur, consider moving the directory where the podcasts are stored.
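The whole procedure above, as an added Python example (not the page's PHP script): derive_key covers steps 2 and 3, register step 1, and lookup_user steps 5 to 7. The sample rows, the secret order and the decimal rendering of the numbers are assumptions; the comparison uses hmac.compare_digest so that the scan's timing does not reveal how much of a guessed key matched.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the registration table from step 1:
# (email, number1, number2, number3). Values are sample data, not real users.
USERS = [
    ("alice@example.edu", 48213, 912004, 7731),
    ("bob@example.edu", 110, 500321, 99999),
]

# Assumed secret concatenation order for step 3; keep it in code, never in the table.
SECRET_ORDER = [3, 0, 5, 1, 4, 2]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def derive_key(email: str, n1: int, n2: int, n3: int) -> str:
    """Steps 2-3: six nested md5 values joined in SECRET_ORDER. Never stored."""
    a, b, c = str(n1), str(n2), str(n3)  # numbers rendered as decimal strings (assumption)
    parts = [
        md5hex(email + md5hex(a)),
        md5hex(email + md5hex(b)),
        md5hex(email + md5hex(c)),
        md5hex(a + md5hex(b)),
        md5hex(b + md5hex(c)),
        md5hex(a + md5hex(c)),
    ]
    # Six 32-character hex digests give a 192-character key.
    return "".join(parts[i] for i in SECRET_ORDER)


def register(email: str) -> str:
    """Step 1: store three CSPRNG numbers for the user; return the key to show them once."""
    nums = tuple(secrets.randbelow(2**31) for _ in range(3))
    USERS.append((email,) + nums)
    return derive_key(email, *nums)


def lookup_user(key: str):
    """Steps 5-7: recompute every row's key and compare in constant time."""
    if not key.isascii():  # compare_digest rejects non-ASCII str; treat as no match
        return None
    for email, n1, n2, n3 in USERS:
        if hmac.compare_digest(derive_key(email, n1, n2, n3), key):
            return email  # step 6: valid user; go on to emit the RSS XML, log and notify
    return None  # step 7: no row matched; emit nothing, log it and alert the administrator
```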