Hi all, I'm trying to understand how the restful_authentication encryption of the password works. I understand that there are three key fields in the database (schema migration file):

- login
- encrypted_password
- salt

I was just wondering how these work together; for example, if my password is "yellowpages", how does this plugin encrypt the clear text password and how does it work with the salt field as well? I have tried looking for docs on this but there isn't much out there. Why I'm asking this is because I want to try and get an external application to authenticate with my RoR application, and for me to do this I need to understand how restful_authentication encrypts and validates a clear text password. Thanks for your help in advance. schone
on 2009-03-26 10:52
on 2009-03-26 12:17
On Thu, Mar 26, 2009 at 1:52 AM, Prashant Raju < email@example.com> wrote:
> - encrypted_password
> this I need to understand how restful_authentication encrypts, validates
> a clear text password.
>
> Thanks for your help in advance.
>
> schone

I would recommend taking a look at the code which can be found here: http://github.com/technoweenie/restful-authenticat... or to get a general example you can read chapter 11 in the AWDwRails 3rd. Good luck, -Conrad
on 2009-03-26 17:14
Very generally speaking: For a login, when the login was first created and validated, the code takes the clear text password and the salt, sticks them in a blender (SHA1.hexdigest if I recall correctly) and creates the encrypted password. By storing the salt and the encrypted password, any subsequent login attempt just submits a password, which is run through the same blender with the stored salt, and is compared to the stored encrypted password.
on 2009-03-26 18:46
Ar Chron wrote:
> Very generally speaking:
>
> For a login, when the login was first created and validated, the code
> takes the clear text password and the salt, sticks them in a blender
> (SHA1.hexdigest if I recall correctly) and creates the encrypted
> password.
>
> By storing the salt and the encrypted password, any subsequent login
> attempt just submits a password, which is run through the same blender
> with the stored salt, and is compared to the stored encrypted password.

For clarity's sake, SHA1 is not an encryption. It is a message digest (hash). Encryption is a two-way function, but a message digest such as SHA1 is one-way only. In fact that is its fundamental feature. A hashed result from SHA1 can never (at least that's the idea) be reversed back to the clear text used to generate it. It should never reveal information about the original clear text. A good hash function like SHA1 should also vary greatly (more than 50%) with very small changes to the input text (a 1-bit difference in clear text should produce something like 50% of the bits changing in the hash). A "salt" value is something that is appended, or mixed in, with the original clear text in an effort to strengthen what otherwise might be a weak input. The longer the input to the message digest, the better it can hide any information leakage into the resulting hash output, thereby strengthening the result.
on 2009-03-26 18:51
Oops, forgot to make my actual direct point to the OP question... I assume that restful_authentication uses the SHA1 algorithm. But, you will have to confirm that. There are many different hash functions and each will result in a very different output. Since you must compare the outputs to know if the clear text passwords matched, you must ensure you are using the same algorithm.
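The "blender" flow from Ar Chron's reply, the avalanche property and the same-algorithm caveat from the two follow-ups, worked through as an added Ruby example. This is not restful_authentication's own code: how the plugin actually joins salt and password (and any site key it mixes in) must be confirmed in the plugin source; here the join `salt--password` and the 40-hex-char salt are assumptions.

```ruby
require 'digest'
require 'securerandom'

# Added example of a salted SHA1 digest scheme as described in this thread.
# ASSUMPTION: encrypted_password = SHA1.hexdigest("#{salt}--#{password}").
# The real plugin's join must be checked in its source before an external
# application tries to produce compatible digests.
module SaltedDigest
  # The one-way "blender": same password + same salt -> same hex digest.
  # The digest cannot be run backwards to recover the password.
  def self.encrypt(password, salt, algorithm = Digest::SHA1)
    algorithm.hexdigest("#{salt}--#{password}")
  end

  # Account creation: mint a random per-user salt, store only salt + digest
  # (the three columns from the original question).
  def self.create_record(login, password)
    salt = SecureRandom.hex(20) # 40 hex chars, assumed length
    { login: login, salt: salt, encrypted_password: encrypt(password, salt) }
  end

  # Login attempt: rerun the blender with the STORED salt and compare.
  # The digest is recomputed, never "decrypted".
  def self.authenticate?(record, password, algorithm = Digest::SHA1)
    candidate = encrypt(password, record[:salt], algorithm)
    secure_compare(candidate, record[:encrypted_password])
  end

  # Constant-time comparison so timing does not reveal how many
  # leading characters of the digest matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Avalanche check from the thread: fraction of digest bits that differ.
  # For a good hash a one-character change flips roughly half of them.
  def self.bit_difference_ratio(hex_a, hex_b)
    differing = (hex_a.hex ^ hex_b.hex).to_s(2).count("1")
    differing.to_f / (hex_a.length * 4)
  end
end

if __FILE__ == $0
  user = SaltedDigest.create_record("schone", "yellowpages")
  puts user.inspect
  puts SaltedDigest.authenticate?(user, "yellowpages")                  # true
  puts SaltedDigest.authenticate?(user, "yellowpage")                   # false
  puts SaltedDigest.authenticate?(user, "yellowpages", Digest::SHA256)  # false
end
```

The last call shows the point of the follow-up: the same password and salt run through a different digest algorithm never match, so an external application must use exactly the plugin's algorithm and join order.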