Rails - Sep 2006 - Storing login info for other services/applications

I''ve been kind of stumped on this one lately . . .
I''m planning on adding syncing and interfacing in my application to a  
couple other web apps through their API''s (specifically Basecamp and  
del.icio.us). How can I store users'' login credentials to these other  
services securely? Obviously a regular MD5 or SHA1 hash wont work,  
because I need to be able to retrieve the full password to send to  
these services.
Any ideas?

--AQ

{0}~---------------------------------

	Aaron Quint
	aaron-9QXZP/q+QCpBDgjK7y7TUQ@public.gmane.org
	http://www.quirkey.com

---------------------------------------





--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

Yeah, fundamentally there''s no really secure way to do it. To avoid
storing clear-text passwords, you can use a 2-way (reversible)
encryption function to store the foreign password. Basically encrypt
the password to save it, then decrypt it when you need to use it.

The problem is that if your app can decrypt the password, then so can
an attacker. You can add salt to the encryption, but it will still be
possible to break the encryption, especially if the attacker can get
access to your code.

One approach is the "key store" approach used by common password vault
systems. Here you encrypt the passwords using a "master password"
given
to you by the user. The trick is that you NEVER store this password.
Instead, you ask the user for it whenever you need to decrypt and use
on of the stored passwords.

This should be pretty secure, but obviously at the disadvantage of
requiring the user to type in the master password frequently.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

I figured there was no easy solution. What about using the database  
stored hash of the users password as the salt for encryption? This  
way every users salt is different, and a little more secure.

The problem with using the "key store" approach is that if the user  
is constantly entering a password, there''s no real advantage to  
storing the passwords at all . . .

Is there an easy way to do salted two way encryption in Ruby? What  
types of encryption are two way?

Thanks for your help!
--AQ


{o}~~~~~~~~~~~~~~~~~~~
    	Aaron Quint
	aaron-9QXZP/q+QCpBDgjK7y7TUQ@public.gmane.org
	http://www.quirkey.com
	



On Sep 19, 2006, at 12:57 PM, scott-mv9nzzu5k9jSUeElwK9/Pw@public.gmane.org
wrote:
>
> Yeah, fundamentally there''s no really secure way to do it. To
avoid
> storing clear-text passwords, you can use a 2-way (reversible)
> encryption function to store the foreign password. Basically encrypt
> the password to save it, then decrypt it when you need to use it.
>
> The problem is that if your app can decrypt the password, then so can
> an attacker. You can add salt to the encryption, but it will still be
> possible to break the encryption, especially if the attacker can get
> access to your code.
>
> One approach is the "key store" approach used by common password
vault
> systems. Here you encrypt the passwords using a "master password"
> given
> to you by the user. The trick is that you NEVER store this password.
> Instead, you ask the user for it whenever you need to decrypt and use
> on of the stored passwords.
>
> This should be pretty secure, but obviously at the disadvantage of
> requiring the user to type in the master password frequently.
>
>
> >


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---