A Quick Review on ENCRYPTIONS
We all are very familiar with the ruby encryptions we usually implement SHA1 or MD5 in our rails applications. In my ongoing project i have been through encryptions in little bit more depth.
MD5 was the most widely used hash algorithm, it converts a string into a 32 characters long hashed key. Then comes the SHA - Secure Hash Algorith. SHA is a series of hash algorithms and its first member is SHA-0 however soon its usage was replaced by the successor SHA-1 and thereafter SHA-0 was never used again. The current members to the SHA series are SHA-1, SHA-224, SHA-256, SHA-384 and the latest SHA-512. At this moment SHA-1 is considered to be the successor of MD5 because of the usage and popularity statistics.
However SHA-224, SHA-256, SHA-384 and SHA-256 are collectively known as SHA-2 series.
Till yet SHA-0 and SHA-1 have been reported attacked but no attack has been found on SHA-2 series.(took from wiki)
Here we will discuss the javascript and ruby based encryptions for SHA-256 only.
Javascript Encryption in Ruby on Rails
If you need to encrypt the password at client side in ror or any other web-based form submission so that the real password string can not reach the server you can you can download the Javascript Encryption files from here. There is all collection of the javascript encryption files available in the above archive. You will not need all of them. Put the file sha256.js in the /public/javascripts/ directory of your rails application.
Now lets take the example of Reset Password where encryption is a must.
This is how you can make your view say reset_password.rhtml
<%= javascript_include_tag 'sha256' %>
<script type="text/javascript">
// <![CDATA[
function hashPassword() {
reg = new RegExp(/^(?=.*\d)(?=.*([a-z]|[A-Z]))([\x20-\x7E]){8,40}$/);
if((reg.test($F(’password’)))&&($F(’password’)==$F(’password_confirmation’))){
document.reset_password.realpass.value = hex_sha256($F(’password’));
$(’password_confirmation’).value = ”;
$(’password’).value = ”;
Element.hide(”reset_password”);
Element.show(”updating”);
return true
}
else{
$(’errors_in_pass’).innerHTML = “Password should match confirmation.<br />Password should contain at least one letter and one integer.<br />Password length should be 8 to 40 characters long.<br />”;
$(’password_confirmation’).value = ”;
$(’password’).value = ”;
return false
}
}
// ]]>
</script>
<h1>Change Password</h1>
<div style=”display:none;” id=”updating”>Updating Password</div>
<div id = “reset_password”>
<div style = “color:red” id = “errors_in_pass”><%= flash[:notice] %></div>
<% form_for :person, @person, :url => {:action => “reset_password”}, :html => {:name => “reset_password”,:onsubmit => “return hashPassword()”} do |f| %>
<%= hidden_field_tag ‘realpass’ %>
New Password
<%= f.password_field :password, :id=>”password”, :class => “field text”, :value=>”" %>
Confirm New Password
<%= f.password_field :password_confirmation, :id=>”password_confirmation”, :class => “field text”, :value=>”" %>
<%= f.submit_tag “Continue” %>
<% end %>
</div>
However it may possible that a user have disabled the javascript of the browser. In that case we will need to add the encryption at server side too. In rubyonrails we can easily handle the SHA256 encryption for let say password by adding the code
require "digest/sha2"
hashed_password = Digest::SHA256.hexdigest("password_string")
in an appropriate position in the controller.
Please share your thoughts
Filed in: encryption, javascript, ror, rubyonrails, validations
