Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/salesking/king_hmac
HMAC Authentification
https://github.com/salesking/king_hmac
Last synced: about 2 months ago
JSON representation
HMAC Authentification
- Host: GitHub
- URL: https://github.com/salesking/king_hmac
- Owner: salesking
- License: mit
- Created: 2010-04-09T17:01:09.000Z (over 14 years ago)
- Default Branch: master
- Last Pushed: 2010-04-23T11:49:24.000Z (over 14 years ago)
- Last Synced: 2024-11-07T12:50:09.571Z (about 2 months ago)
- Language: Ruby
- Homepage:
- Size: 109 KB
- Stars: 2
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.rdoc
- License: MIT-LICENSE
Awesome Lists containing this project
README
= king_hmac
This gem started with a copy & disection of auth-hmac gem v1.1.1
king_hmac is a Ruby implementation of HMAC[http://en.wikipedia.org/wiki/HMAC]
based authentication of HTTP requests. HMAC authentication involves a client and
server having a shared secret key. When sending the request the client, signs
the request using the secret key. This involves building a canonical
representation of the request and then generating a HMAC of the request using
the secret. The generated HMAC is then sent as part of the request.
When the server receives the request it builds the same canonical representation
and generates a HMAC using it's copy of the secret key, if the HMAC produced by
the server matches the HMAC sent by the client, the server can be assured that
the client also possesses the shared secret key.
HMAC based authentication also provides message integrity checking because the
HMAC is based on a combination of the shared secret and the content of the
request. So if any part of the request that is used to build the canonical
representation is modified by a malicious party or in transit the authentication
will then fail.
KingHmac::Auth is loosely based on the Amazon Web Services authentication scheme
but without the Amazon specific components, i.e. it is HMAC for the rest of us.
== INSTALL:
Gem hosted on gemcutter.org
sudo gem install king_hmac
== Source Code
See http://github.com/salesking/king_hmac
The source repository:
git clone git://github.com/salesking/king_hmac.git
== When to use it?
HMAC Authentication is best used as authentication for communication between
applications such as web services. It provides better security than HTTP Basic
authentication without the need to set up SSL. Of course if you need to protect
the confidentiality of the data then you need SSL, but if you just want to
authenticate requests without sending credentials in the clear KingHmac::Auth
is a good choice.
== Usage
The simplest way to use KingHmac::Auth is with the KingHmac::Auth.sign! and
KingHmac::Auth.authenticate? methods. KingHmac::Auth.sign! takes a HTTP request
object, an access id and a secret key and signs the request with the access_id
and secret key.
On the server side you can then authenticate these requests using the
KingHmac::Auth.authenticated? method. This takes the same arguments as the sign!
method but returns true if the request has been signed with the access id and
secret or false if it hasn't.
If you have more than one set of credentials you might find it useful to create
an instance of the KingHmac::Auth class, passing your credentials as a Hash of
access id => secret keys, like so:
@hmac_auth = KingHmac::Auth.new('access_id1' => 'secret1', 'access_id2' => 'secret2')
You can then use the instance methods of the @hmac_auth object to sign and
authenticate requests, for example:
@hmac_auth.sign!(request, "access_id1")
Sign +request+ with "access_id1" and it's corresponding secret key. Similarly
authentication is done like so:
@hmac_auth.authenticated?(request)
which will return true if the request has been signed with one of the access id
and secret key pairs provided in the constructor.
=== Supported HTTP request objects
KingHmac::Auth will do its best to figure out which type it is an handle it
accordingly.
* Net::HTTP::HTTPRequest
* CGI::Request
* Webrick HTTP request object.
* Rack::Request
=== access id
The access_id is used to identify the secret key that was used to sign the
request. Think of it as like a user name, it allows you to hand out different
keys to different clients and authenticate each of them individually. The
access_id is sent in the clear so you should avoid making it an important string.
=== secret key
The secret key is the shared secret between the client and the server.
You should make this sufficiently random so that is can't be guessed or exposed
to dictionary attacks.
The follow code will give you a pretty good secret key:
random = File.read('/dev/random', 512)
secret_key = Base64.encode64(Digest::SHA2.new(512).digest(random))
=== Rails Integration
KingHmac::Auth supports authentication within Rails controllers and signing of
requests generated by Active Resource. See
KingHmac::Rails::ControllerFilter::ClassMethods and
KingHmac::Rails::ActiveResourceExtension::BaseHmac::ClassMethods for details.
== How does it work?
When creating a signature for a HTTP request KingHmac::Auth first generates a
canonical representation of the request.
This canonical string is created like so:
canonical_string = HTTP-Verb + "\n" +
Content-Type + "\n" +
Content-MD5 + "\n" +
Date + "\n" +
request-uri;
Where Content-Type, Content-MD5 and Date are all taken from the headers of the
request. If Content-Type or Content-MD5 are not present, they are substituted
with an empty string. If Date is not present it is added to the request headers
with the value +Time.now.httpdate+. +request-uri+ is the path component of the
request, without any query string, i.e. everything up to the ?.
This string is then used with the secret to generate a SHA1 HMAC using the
following:
OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), secret_key, canonical_string)
The result is then Base64 encoded and added to the headers of the request as the
+Authorization+ header in the format:
Authorization: KingHmac::Auth :
When authenaticating a request, KingHmac::Auth looks for the Authorization
header in the above format, parses out the components, regenerates a HMAC for
the request, using the secret key identified by the access id and then compares
the generated HMAC with the one provided by the client. If they match the
request is authenticated.
Using these details it is possible to build code that will sign and authenticate
KingHmac::Auth style requests in other languages.
== Authors and Contributors
This gem started with a copy & disection of auth-king_hmac gem v1.1.1.
Most of this doc was written by Sean Geoghegan
auth-king_hmac was developed by Sean Geoghegan http://rubyforge.org/projects/auth-king_hmac && by Peerworks[http://peerworks.org].