Class: RightScale::SecureIdentity

Inherits:
Object
Defined in:
lib/right_agent/secure_identity.rb

Overview

Utility class that makes it easier to derive RightAgent identities in a secure, predictable and globally consistent fashion.

Given an agent base ID and a secret token shared by all relying parties, the #derive method will generate a public token that can be printed to log files, to a console, or sent in the clear over public networks without compromising the original token. Note that the public token is not guaranteed to be unique; if uniqueness is required (e.g. for an Agent ID) the public token should be combined with the base ID.

The #create_verifier method can be used by parties who both possess a secret token to prove their knowledge of the token to one another without disclosing the token. This would facilitate authentication over a public network. Note that this utility class does not implement an entire authentication protocol; it merely facilitates one.

Constant Summary

ID_SEPARATOR = '*'

Separator used to differentiate between identity components when serialized

Class Method Details

.create_verifier(base_id, auth_token, timestamp) ⇒ Object

Create a cryptographic token verifier that can be used to demonstrate to another party that you have knowledge of an authentication token, without disclosing the token itself via a clear-text communications channel. The other party must also possess the secret authentication token so they can compute a corresponding verifier for comparison.

THIS METHOD DOES NOT CHECK TOKENS OR TIMESTAMPS FOR YOU; it is only useful to compute the token. The caller must check the outputs, compare the timestamp and make a decision about whether to trust the entity who is supplying the verifier.

Parameters

base_id(Integer)

Numeric ID of the auth token

auth_token(String)

Secret authentication token

timestamp(Time|Integer)

Unix-epoch timestamp to help prevent replay attacks

Return

verifier(String)

HMAC-SHA1(base_id, timestamp) keyed using auth_token



# File 'lib/right_agent/secure_identity.rb', line 84

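def self.create_verifier(base_id, auth_token, timestamp)
  # HMAC-SHA1 keyed with the secret token; the message is "<base_id>*<timestamp>"
  hmac = OpenSSL::HMAC.new(auth_token, OpenSSL::Digest::SHA1.new)
  hmac.update(base_id.to_s)
  hmac.update(ID_SEPARATOR)
  hmac.update(timestamp.to_i.to_s) # Time or Integer, normalized to epoch seconds
  return hmac.hexdigest
end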
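
The check that create_verifier leaves to the caller, sketched as an added example that is not part of right_agent: recompute the verifier, reject stale timestamps, and compare in constant time. `compute_verifier` is a stand-in that reproduces the method above so the block runs without the gem; `check_verifier`, `secure_equal?`, the `MAX_SKEW` window and the sample values are assumptions.

```ruby
require 'openssl'

ID_SEPARATOR = '*'  # same value as SecureIdentity::ID_SEPARATOR on this page
MAX_SKEW = 300      # assumption: accept timestamps within +/- 5 minutes

# Stand-in for SecureIdentity.create_verifier so the block runs without the
# right_agent gem: HMAC-SHA1 over "base_id*timestamp", keyed with auth_token.
def compute_verifier(base_id, auth_token, timestamp)
  data = "#{base_id}#{ID_SEPARATOR}#{timestamp.to_i}"
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), auth_token, data)
end

# Compare without returning early at the first differing byte, so response
# time does not reveal how much of a guessed verifier was correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical caller-side check: returns :ok, :malformed, :stale or :mismatch.
def check_verifier(base_id, auth_token, timestamp, presented, now: Time.now)
  return :malformed unless presented.is_a?(String) && timestamp.is_a?(Integer)
  return :stale if (now.to_i - timestamp).abs > MAX_SKEW
  expected = compute_verifier(base_id, auth_token, timestamp)
  secure_equal?(expected, presented) ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  now = Time.at(1_700_000_000)
  token = 'constructed-secret-token'
  good = compute_verifier(42, token, now)
  old = compute_verifier(42, token, now.to_i - 600)
  p check_verifier(42, token, now.to_i, good, now: now)       # => :ok
  p check_verifier(42, token, now.to_i - 600, old, now: now)  # => :stale
  p check_verifier(43, token, now.to_i, good, now: now)       # => :mismatch
end
```

A verifier replayed inside the `MAX_SKEW` window still passes this check; rejecting it requires remembering recently accepted (base_id, timestamp) pairs.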

.derive(base_id, auth_token) ⇒ Object

Derive a public Identity Token from a base ID and a secret authentication token. The public token is useful for including in world-readable values such as the name of an agent.

Public tokens are generated by taking the SHA1 hash of the base ID and the auth token, separated by a delimiter. Thus a public token can always be deterministically derived from its inputs.

Parameters

base_id(Integer)

Numeric ID of the auth token

auth_token(String)

Secret authentication token

Return

public_token(String)

Public token



# File 'lib/right_agent/secure_identity.rb', line 60

def self.derive(base_id, auth_token)
  # Unkeyed SHA1 over "<base_id>*<auth_token>"; same inputs always give the same token
  sha = OpenSSL::Digest::SHA1.new
  sha.update(base_id.to_s)
  sha.update(ID_SEPARATOR)
  sha.update(auth_token.to_s)
  return sha.hexdigest
end