TypeKey is live (beta)

I ran into a site that is running MovableType 3.0 (beta1) with TypeKey support.

There is no public protocol doc yet (afaik), but here's a quick analysis attempt.

Let's start with some shameless plugs for my previous posts on web authentication, for background on existing solutions: "Microsoft Passport 101" (a detailed explanation of Microsoft's protocol) and "Comment authentication" (an investigation of alternative protocols).
Now, let's dive into the details of TypeKey (which seems similar in design to Passport, but with fewer features and options, and more open).

Authentication request:
When you register an account, you can also enlist your blog. In that case a blog token is issued to you for the blog urls you declare. It looks like "LjRd2DpifL51sB0iFeYT".
This token is passed in the authentication request (as the t parameter) along with the return url (_return). The return url is checked against the blog urls you enlisted, so the token cannot be used to send a user back to an arbitrary site.

So a login url follows this format (notice that the url is static for a given blog): https://www.typekey.com/t/typekey/login?t=<blog token>&_return=<return url>

Successful authentication:
The return request contains the time (epoch format) of the authentication (ts parameter), the TypeKey login name (name), some kind of hash of the email (email), the display name (nick) and a secure signature (sig).

So, after you authenticate with TypeKey, you are returned to a url like: <return url>&ts=<timestamp>&email=<hashed email>&name=<name>&nick=<display name>&sig=<crypto signature>

Real parameters would look like:
<Return Url>&ts=1082595857

A SHA-1 hash is used for the email (like FOAF). I confirmed it by computing the SHA-1 hash for mailto:dumky at ifrance.com, and then also found out the url for my TypeKey FOAF file.
I'm not sure how the query string is signed yet, probably a PGP type signature. The blog token is probably involved, so that signatures can't be re-used from sites to sites.

If need_email=1 is part of the auth request, a consent checkbox is shown in the login prompt. In that case, a cleartext version of the email is returned instead of just a hash.
Idly.org uses this option.
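The request and callback described above (login url with t and _return, the optional need_email=1, the ts/email/name/nick/sig parameters on the way back, and the FOAF-style SHA-1 of the mailto: address), as an added Python example; this is not code from the post, from Movable Type or from Six Apart. The login endpoint, the blog token and the ts value are the ones shown above; the enlisted blog url, the return url, the email address, the sig value and the 300-second freshness window are constructed assumptions. The sig parameter is only checked for presence, since the post does not describe the signature scheme.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the post: the login endpoint and the example blog token.
TYPEKEY_LOGIN = "https://www.typekey.com/t/typekey/login"
BLOG_TOKEN = "LjRd2DpifL51sB0iFeYT"
# Assumed for this example: the blog url(s) the token was registered for.
ENLISTED_BLOG_URLS = ("http://blog.example.com/",)
# Assumed freshness window for ts; the post does not say what window TypeKey or MT enforce.
MAX_TS_SKEW = 300


def login_url(return_url, need_email=False):
    """Static login url: t=<blog token>&_return=<return url>, plus need_email=1 when the
    relying site wants the cleartext address (which triggers the consent checkbox)."""
    params = {"t": BLOG_TOKEN, "_return": return_url}
    if need_email:
        params["need_email"] = "1"
    return TYPEKEY_LOGIN + "?" + urlencode(params)


def return_url_allowed(return_url, enlisted=ENLISTED_BLOG_URLS):
    """The check the post describes on the TypeKey side: _return must belong to an enlisted
    blog url. Scheme and host are compared exactly and the path must extend the registered
    path; a plain string-prefix test would let http://blog.example.com@evil.net/ through."""
    r = urlsplit(return_url)
    for base in map(urlsplit, enlisted):
        if (r.scheme, r.netloc) == (base.scheme, base.netloc) and r.path.startswith(base.path):
            return True
    return False


def foaf_mbox_sha1sum(email):
    """FOAF-style hash of an address: hex SHA-1 over 'mailto:' + address."""
    return hashlib.sha1(("mailto:" + email).encode("utf-8")).hexdigest()


def email_matches(email, hashed_email):
    """Compare a known address against the hashed email parameter in constant time."""
    return hmac.compare_digest(foaf_mbox_sha1sum(email), hashed_email.lower())


def parse_callback(callback_url):
    """Single-valued view of the query string TypeKey appends to the return url."""
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}


def check_callback(callback_url, now=None):
    """Checks a relying site can make before trusting the callback. Returns (params, None)
    on success or (None, reason). Presence of sig is checked but its value is not verified:
    the post does not describe the signature scheme, so that step is left out here."""
    params = parse_callback(callback_url)
    for field in ("ts", "email", "name", "nick", "sig"):
        if not params.get(field):
            return None, "missing " + field
    if not params["ts"].isdigit():
        return None, "bad ts"
    now = time.time() if now is None else now
    # Reject replays of an old callback (assumed window; ts is the epoch value from the post).
    if abs(now - int(params["ts"])) > MAX_TS_SKEW:
        return None, "stale ts"
    return params, None


# Constructed sample exchange (not a captured TypeKey response): the blog's return url and
# the url the user is bounced back to, with the ts value from the post and a placeholder sig.
RETURN_URL = "http://blog.example.com/comments?entry=42"
SAMPLE_CALLBACK = (
    RETURN_URL
    + "&ts=1082595857"
    + "&email=" + foaf_mbox_sha1sum("someone@example.com")
    + "&name=someuser&nick=Some+User&sig=placeholder"
)

if __name__ == "__main__":
    print(login_url(RETURN_URL))
    print(return_url_allowed(RETURN_URL), return_url_allowed("http://blog.example.com@evil.net/"))
    print(check_callback(SAMPLE_CALLBACK, now=1082595857 + 60))
    print(check_callback(SAMPLE_CALLBACK, now=1082595857 + 3600))
```

The freshness check matters because a callback is just a url: anyone who captures one (proxy logs, referrer headers, a shared machine) can replay it against the blog unless ts is bounded and the signature covers it. Which fields the signature actually covers is exactly what the post leaves open, so a relying site should wait for the official documentation before treating a callback as proof of identity.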

Also, the TypeKey site will set a cookie that looks like:
Tp_commenter0 = b75783e8ef6b9433e014aed547fa028d

Since the TypeKey authentication occurs over SSL, I'm not sure why they didn't use a secure cookie.
Also, this cookie is set on the same domain where all the account-management UI is served, which is a risk in terms of script injection: a script injected anywhere on that domain can read it.
For example, the Profile page is currently vulnerable to a script injection (I notified the SixApart team, as I did with similar problems in MovableType <2.64, and used my profile page as a demo), but luckily it resides in a separate domain, profile.typekey.com, instead of www.typekey.com.

Back on the blog site, two cookies are set, which look like:
Tp_commenter = PyL52XkB98cxSo2sE%3D%3AUvzQdLVyw38%20qJBIjKz4lj1HkDY%3D
Commenter_name = Julien%20Couvreur%20%28Dumky%29

If you hit mt-comments.cgi on the blog site with logout=1, you get logged out of the blog and bounced to the TypeKey logout url (https://www.typekey.com/t/typekey/logout?&_return=<return url>).
I'm not sure how the sign-out works when you are logged into multiple sites; it might just not be supported.

TypeKey's FAQ.

Update: I implemented a TypeKey authentication provider for ASP.Net, based on the newly published official documentation of the TypeKey protocol.

Posted by Julien on April 23, 2004.

Thank you for the rundown of the protocol, very nice information.

Perhaps you'll write another post about any weaknesses in the protocol you might perceive? It'd be nice to learn how or if the protocol can be hacked or exploited, if there is any possibility to impersonate someone else, etc?

Posted by: Tomas at April 23, 2004 01:43 PM

If I am not mistaken, logout is specific to the blog you are following the "Sign out" link from and *not* a TypeKey service-wide logout.

Posted by: Srijith at April 25, 2004 09:08 PM

Tomas, I'll do that, probably after the official doc is published.

Srijith, that's what it looks like to me too. But for a good security and privacy handling, a single sign-on system should have a single sign-out ;-)

Posted by: Dumky at April 26, 2004 09:44 AM

Is an SSL URL forced?

Posted by: Mike at August 5, 2004 04:15 PM

I just upgraded a blogs www.jointeffects.com to MT 3.15, and can't send email notifications any more. The error I get:
Can't use string ("ARRAY(0x898e4cc)") as an ARRAY ref while "strict refs" in use at...
Seems that quite a few people have this problem.

Did anyone solve it yet?


Posted by: another web designer at March 31, 2005 06:05 PM

Perhaps you'll write another post about any weaknesses in the protocol you might perceive? It'd be nice to learn how or if the protocol can be hacked or exploited, if there is any possibility to impersonate someone else, etc?

Posted by: chris at January 25, 2006 09:41 AM

TypeKey Revealed.
Excerpt: Over here somebody has been doing some reverse engineering of the TypeKey authentication protocol. I want to pick that apart a bit since I think this is going to spread fast once it's released. It's a good thing for people to know what's going on. The...
Weblog: Ascription is an anathema to any enthusiasm
Tracked: April 24, 2004 02:01 PM
Deconstruction of TK authentication
Excerpt: Hey, look at that! Someone did a fairly deep deconstruction of the TypeKey authentication process. I only briefly read over it after the initial few paragraphs. It looks pretty good. Of course, they could have waited until the docs came...
Weblog: Jay's Super Secret Test Blog
Tracked: April 24, 2004 03:04 PM
Beta Testing
Excerpt: Well Movable Type beta testing is going along fine. Bugs are being reported and fixed, patches are being released and so are timestamp builds. Typekey has gone belly up and configurations have had to be changed and have become a...
Weblog: Chinwags From Abu Dhabi ~ Into the Mind of Arvind Satyanarayan
Tracked: April 25, 2004 05:24 AM