Restful_authentication - how does encryption work?


#1

Hi all,

I’m trying to understand how the restful_authentication encryption of
the password works.

I understand that there are three key fields in the database (schema
migration file):

  • login
  • encrypted_password
  • salt

I was just wondering how these work together, for example if my password
is “yellowpages” how does this plugin encrypt the clear text password
and how does it work with the salt field as well?

I have tried looking for docs on this but there isn’t much out there.

Why I’m asking this is because I want to try and get an external
application to authenticate with my RoR application, and to do this I
need to understand how restful_authentication encrypts and validates a
clear text password.

Thanks for your help in advance.

schone


#2

On Thu, Mar 26, 2009 at 1:52 AM, Prashant Raju <removed_email_address@domain.invalid> wrote:

  • encrypted_password
    this I need to understand how restful_authentication encrypts, validates
    a clear text password.

Thanks for your help in advance.

schone

I would recommend taking a look at the code which can be found here:

or

to get a general example you can read chapter 11 in the AWDwRails 3rd.

Good luck,

-Conrad


#3

Very generally speaking:

For a login, when the login was first created and validated, the code
takes the clear text password and the salt, sticks them in a blender
(SHA1.hexdigest if I recall correctly) and creates the encrypted
password.

By storing the salt and the encrypted password, any subsequent login
attempt just submits a password, which is run through the same blender
with the stored salt, and is compared to the stored encrypted password.
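The flow Ar Chron describes, as an added Ruby example (not the plugin's own code): the "--salt--password--" join format fed to SHA1 is an assumption, so confirm it against the plugin source, as post #5 advises, before using it to validate passwords from another application.

```ruby
require 'digest/sha1'
require 'securerandom'

# Added example, not restful_authentication's code. The "--salt--password--"
# layout is an assumed join format; check the plugin source for the real one.
module PasswordDigest
  # The "blender": clear text plus salt, run through SHA1, hex encoded.
  def self.digest(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # A fresh random salt for a new login (the plugin derives its own;
  # this generator is constructed for the example).
  def self.new_salt
    SecureRandom.hex(20) # 40 hex characters
  end

  # When the login is first created: produce the two stored fields.
  def self.encrypt(password)
    salt = new_salt
    { salt: salt, encrypted_password: digest(password, salt) }
  end

  # On a later login attempt: rerun the same digest with the stored salt
  # and compare against the stored encrypted_password. The comparison is
  # constant-time so the check does not leak how many leading bytes matched.
  def self.authenticate?(password, record)
    candidate = digest(password, record[:salt])
    secure_compare(candidate, record[:encrypted_password])
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  record = PasswordDigest.encrypt("yellowpages")
  puts "salt=#{record[:salt]} encrypted_password=#{record[:encrypted_password]}"
  puts PasswordDigest.authenticate?("yellowpages", record)  # true
  puts PasswordDigest.authenticate?("yellowpage", record)   # false
end
```

Note that plain SHA1 is a fast digest, so an external application must reproduce exactly the same join format and algorithm, otherwise the two hex strings will never match.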


#4

Ar Chron wrote:

Very generally speaking:

For a login, when the login was first created and validated, the code
takes the clear text password and the salt, sticks them in a blender
(SHA1.hexdigest if I recall correctly) and creates the encrypted
password.

By storing the salt and the encrypted password, any subsequent login
attempt just submits a password, which is run through the same blender
with the stored salt, and is compared to the stored encrypted password.

For clarity’s sake, SHA1 is not encryption. It is a message digest
(hash). Encryption is a two-way function, but a message digest such as
SHA1 is one-way only. In fact that is its fundamental feature. A hashed
result from SHA1 can never (at least that’s the idea) be reversed back
to the clear text used to generate it. It should never reveal
information about the original clear text. A good hash function like SHA1
should also vary greatly (more than 50%) with very small changes to the
input text (a 1-bit difference in the clear text should produce something
like 50% of the bits changing in the hash).

A “salt” value is something that is appended to, or mixed in with, the
original clear text in an effort to strengthen what otherwise might be a
weak input. The longer the input to the message digest, the better it can
hide any information leakage into the resulting hash output, thereby
strengthening the result.


#5

Oops, forgot to make my actual direct point to the OP question…

I assume that restful_authentication uses the SHA1 algorithm. But, you
will have to confirm that. There are many different hash functions and
each will result in a very different output. Since you must compare the
outputs to know if the clear text passwords matched, you must ensure you
are using the same algorithm.