Forum: Ruby on Rails SHA2 Issues

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Robert Dempsey (flatekmonkey)
on 2006-04-14 18:47
Hello all,

Thank you in advance for your help with this. I am trying to implement
the user authentication method from Ruby Recipes which calls for the use
of SHA 2. Here is the code for the password:

require 'digest/sha2'   # loads Digest::SHA256; it is not autoloaded on every Ruby install

def password=(pass)
  # 6 random bytes, base64-encoded ("m" pack directive), trailing newline removed
  salt = [Array.new(6) { rand(256).chr }.join].pack("m").chomp
  self.password_salt, self.password_hash = salt, Digest::SHA256.hexdigest(pass + salt)
end

I open a console and can create a user but when I try to add a password
it says that the constant 256 is not initialized. I have changed the
Digest::SHA256 to Digest::SHA2 to no avail. I am using (on Windows -
development only trust me) Ruby 1.8.4 and Rails 1.1.2 with all the
latest updates. Does anyone know what the correct code might be? Thanks
again.

Sincerely,

Robert Dempsey
Patrick Hurley (Guest)
on 2006-04-14 22:18
(Received via mailing list)
On 4/14/06, Robert Dempsey <rdempsey@techcfl.com> wrote:
>   end
> Robert Dempsey

Did you:

require 'digest/sha2'

in either your environment.rb or the model where you are using this?

pth
Robert Dempsey (flatekmonkey)
on 2006-04-14 22:23
> Did you:
>
> require 'digest/sha2'
>
> in either your environment.rb or the model where you are using this?
>
> pth

No I didn't. I will insert that and try again. Thank you.

- Robert Dempsey
Chad Fowler (Guest)
on 2006-04-20 05:08
(Received via mailing list)
On 4/14/06, Robert Dempsey <rdempsey@techcfl.com> wrote:
> > Did you:
> >
> > require 'digest/sha2'
> >
> > in either your environment.rb or the model where you are using this?
> >
> > pth
>
> No I didn't. I will insert that and try again. Thank you.
>

Looks like this is indeed required on -some- Ruby installations.  It
seems to be hit or miss.  The book has been updated to reflect it.

Thanks,

--
Chad Fowler
http://chadfowler.com
http://pragmaticprogrammer.com/titles/fr_rr/ (Rails Recipes - In Beta!)
http://pragmaticprogrammer.com/titles/mjwti/ (My Job Went to India,
and All I Got Was This Lousy Book)
http://rubycentral.org
http://rubygarden.org
http://rubygems.rubyforge.org (over three million gems served!)
Anonymous (Guest)
on 2006-04-28 04:00
(Received via mailing list)
I don't see how adding some random salt makes the website any more
secure.  I enter my username and password into a signin_form, and click
signin. The server calls User.password_is?(password+salt).   If my
password is n characters long, it should take on the average n/2 guesses
to get it right by typing into the signin_form, no matter what salt is.
If I had the password_hash(how would I get that?) and was trying to
reverse engineer the password, yes--some unknown salt would make that
harder.  If I did have the password_hash, why wouldn't I have the salt,
and anything else I wanted too?
Michael Greenly (mgreenly)
on 2006-04-28 14:18
Anonymous wrote:
> I don't see how adding some random salt makes the website any more
> secure.  I enter my username and password into a signin_form, and click
> signin. The server calls User.password_is?(password+salt).   If my
> password is n characters long, it should take on the average n/2 guesses
> to get it right by typing into the signin_form, no matter what salt is.
> If I had the password_hash(how would I get that?) and was trying to
> reverse engineer the password, yes--some unknown salt would make that
> harder.  If I did have the password_hash, why wouldn't I have the salt,
> and anything else I wanted too?

The salt is intended to add protection against dictionary attacks.  With
the salt added an attacker is forced to do the hash operation during an
attack, as opposed to pre-constructing a dictionary of common password
hashes.
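The point Michael makes above (and the require Patrick pointed out earlier in the thread), shown as an added example that is not code from the thread or from Rails Recipes: a minimal stand-in User class with the recipe's salted SHA-256 layout, an attacker's precomputed table of unsalted hashes, and a salted lookup that has to redo the hashing per user. The User class, the COMMON_PASSWORDS list and the crack_* helpers are all constructed for this example; SecureRandom is used for the salt in place of the recipe's rand.

```ruby
require 'digest/sha2'    # Digest::SHA256 is not autoloaded on every Ruby install
require 'securerandom'

# Hypothetical minimal model with the same salt/hash layout as the recipe.
class User
  attr_reader :password_salt, :password_hash

  # Per-user random salt: 6 bytes, base64-encoded (SecureRandom instead of rand).
  def password=(pass)
    @password_salt = SecureRandom.base64(6)
    @password_hash = Digest::SHA256.hexdigest(pass + @password_salt)
  end

  def password_is?(pass)
    Digest::SHA256.hexdigest(pass + @password_salt) == @password_hash
  end
end

# Constructed stand-in for an attacker's dictionary of common passwords.
COMMON_PASSWORDS = %w[password 123456 letmein qwerty secret].freeze

# Unsalted scheme: one table of hash -> password, built once, serves every user.
def precomputed_table
  COMMON_PASSWORDS.each_with_object({}) { |p, t| t[Digest::SHA256.hexdigest(p)] = p }
end

# Attack on an unsalted hash: a single table lookup, no hashing at attack time.
def crack_unsalted(hash, table)
  table[hash]
end

# Attack on a salted hash: every candidate must be re-hashed with this user's
# salt, so the work is repeated for each user. Returns [password, hashes_computed].
def crack_salted(user)
  work = 0
  COMMON_PASSWORDS.each do |candidate|
    work += 1
    return [candidate, work] if user.password_is?(candidate)
  end
  [nil, work]
end

# Runs both attacks side by side and returns the outcomes in a hash.
def demo
  table = precomputed_table
  alice = User.new
  alice.password = 'letmein'
  bob = User.new
  bob.password = 'letmein'
  {
    unsalted_lookup:         crack_unsalted(Digest::SHA256.hexdigest('letmein'), table),
    table_hits_salted_hash:  crack_unsalted(alice.password_hash, table),
    same_password_same_hash: alice.password_hash == bob.password_hash,
    alice_crack:             crack_salted(alice),
    bob_crack:               crack_salted(bob)
  }
end
```

The unsalted hash is recovered by one table lookup; the salted hashes never match the table, two users with the same password get different hashes, and the attacker pays the hashing cost again for each user. Note what the salt does not buy: SHA-256 is fast, so once a salted hash and its salt leak, a per-user dictionary run is still cheap, which is why a deliberately slow password hash such as bcrypt is the usual choice today.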