Class: RightScale::SecureIdentity
Defined in: lib/right_agent/secure_identity.rb

Overview
Utility class that makes it easier to derive RightAgent identities in a secure, predictable and globally consistent fashion.
Given an agent base ID and a secret token shared by all relying parties, the #derive method will generate a public token that can be printed to log files, to a console, or sent in the clear over public networks without compromising the original token. Note that the public token is not guaranteed to be unique; if uniqueness is required (e.g. for an Agent ID) the public token should be combined with the base ID.
The #create_verifier method can be used by two parties who both possess a secret token to prove their knowledge of the token to one another without disclosing it. This facilitates authentication over a public network. Note that this utility class does not implement an entire authentication protocol; it merely facilitates one.
Constant Summary

ID_SEPARATOR = '*'
  Separator used to differentiate between identity components when serialized
Class Method Summary

.create_verifier(base_id, auth_token, timestamp) ⇒ Object
  Create a cryptographic token verifier that can be used to demonstrate to another party that you have knowledge of an authentication token, without disclosing the token itself via a clear-text communications channel.

.derive(base_id, auth_token) ⇒ Object
  Derive a public Identity Token from a base ID and a secret authentication token.
Class Method Details
.create_verifier(base_id, auth_token, timestamp) ⇒ Object
Create a cryptographic token verifier that can be used to demonstrate to another party that you have knowledge of an authentication token, without disclosing the token itself via a clear-text communications channel. The other party must also possess the secret authentication token so they can compute a corresponding verifier for comparison.
THIS METHOD DOES NOT CHECK TOKENS OR TIMESTAMPS FOR YOU; it is only useful to compute the token. The caller must check the outputs, compare the timestamp and make a decision about whether to trust the entity who is supplying the verifier.
Parameters
- base_id (Integer): Numeric ID of the auth token
- auth_token (String): Secret authentication token
- timestamp (Time|Integer): Unix-epoch timestamp to help prevent replay attacks

Return
- verifier (String): HMAC-SHA1(base_id, timestamp) keyed using auth_token
# File 'lib/right_agent/secure_identity.rb', line 84
def self.create_verifier(base_id, auth_token, timestamp)
  # HMAC keyed with the shared secret; the secret itself never leaves this method
  hmac = OpenSSL::HMAC.new(auth_token, OpenSSL::Digest::SHA1.new)
  hmac.update(base_id.to_s)
  hmac.update(ID_SEPARATOR)
  # the timestamp is folded in so a captured verifier is only valid for that instant
  hmac.update(timestamp.to_i.to_s)
  return hmac.hexdigest
end
.derive(base_id, auth_token) ⇒ Object
Derive a public Identity Token from a base ID and a secret authentication token. The public token is useful for including in world-readable values such as the name of an agent.
Public tokens are generated by taking the SHA1 hash of the base ID and the auth token, separated by a delimiter. Thus a public token can always be deterministically derived from its inputs.
Parameters
- base_id (Integer): Numeric ID of the auth token
- auth_token (String): Secret authentication token

Return
- public_token (String): Public token
# File 'lib/right_agent/secure_identity.rb', line 60
def self.derive(base_id, auth_token)
  # plain SHA1 over "base_id*auth_token"; deterministic, safe to expose, not unique
  sha = OpenSSL::Digest::SHA1.new
  sha.update(base_id.to_s)
  sha.update(ID_SEPARATOR)
  sha.update(auth_token.to_s)
  return sha.hexdigest
end