Javascript Validations and Encryptions — how to use javascript encryptions in rails.

November 14, 2006 at 8:14 pm 2 comments

A Quick Review of HASHING
We are all familiar with the hash functions used in Ruby; SHA-1 or MD5 turn up in most Rails applications. (The post calls them "encryptions", but strictly MD5 and the SHA family are one-way hash functions, not encryption: there is no key and no way to recover the input from the digest.) In my ongoing project I have looked at them in a little more depth.
MD5 was the most widely used hash algorithm; it maps an input of any length to a 128-bit digest, conventionally written as 32 hexadecimal characters. Then comes SHA, the Secure Hash Algorithm. SHA is a series of hash functions whose first member, SHA-0, was soon withdrawn and replaced by its successor SHA-1, after which SHA-0 was never used again. The current members of the series are SHA-1, SHA-224, SHA-256, SHA-384 and the latest, SHA-512. SHA-1 (a 160-bit digest, 40 hex characters) is generally considered the successor of MD5 on the basis of usage and popularity.
SHA-224, SHA-256, SHA-384 and SHA-512 are collectively known as the SHA-2 family; SHA-256 produces a 256-bit digest, written as 64 hex characters.
Collision attacks have been published against SHA-0 and SHA-1 (and against MD5), but no practical attack on the SHA-2 family is known. (Taken from Wikipedia.)

Here we will discuss JavaScript- and Ruby-based hashing with SHA-256 only.

Javascript Encryption in Ruby on Rails

If you want to hash the password on the client side in Rails (or in any other web form submission) so that the plaintext password string never reaches the server, you can download the JavaScript hashing files from here. The archive contains a whole collection of JavaScript hash implementations; you will not need all of them. Put the file sha256.js in the /public/javascripts/ directory of your Rails application.
Be clear about what this buys you. The server no longer sees the plaintext, so it cannot end up in request logs or in front of a developer, but the hex digest the browser sends is now the value that authenticates. It still has to be protected in transit (use TLS), and on the server it must be salted and hashed again before it is stored, like any other password, never kept as the raw digest. Client-side hashing is an addition to those measures, not a substitute for them.
Now let's take the example of Reset Password, where hashing is a must.
This is how you can write your view, say reset_password.rhtml:


<%= javascript_include_tag 'sha256' %>
<script type="text/javascript">
// <![CDATA[
  // Called from the form's onsubmit handler. Validates the two fields, puts the
  // SHA-256 hex digest of the password into the hidden 'realpass' field and
  // blanks the real password fields so the plaintext never leaves the browser.
  // $, $F and Element come from Prototype, which Rails ships by default.
  function hashPassword() {
    // 8 to 40 printable ASCII characters, with at least one digit and one letter
    var policy = /^(?=.*\d)(?=.*[a-zA-Z])[\x20-\x7E]{8,40}$/;
    var password = $F('password');
    if (policy.test(password) && password == $F('password_confirmation')) {
      $('realpass').value = hex_sha256(password);
      $('password_confirmation').value = '';
      $('password').value = '';
      Element.hide("reset_password");
      Element.show("updating");
      return true;
    } else {
      $('errors_in_pass').innerHTML = "Password should match confirmation.<br />Password should contain at least one letter and one digit.<br />Password length should be 8 to 40 characters.<br />";
      $('password_confirmation').value = '';
      $('password').value = '';
      return false;
    }
  }
// ]]>
</script>
<h1>Change Password</h1>
<div style="display:none;" id="updating">Updating Password</div>
<div id="reset_password">
  <div style="color:red" id="errors_in_pass"><%= flash[:notice] %></div>
  <% form_for :person, @person, :url => {:action => "reset_password"}, :html => {:name => "reset_password", :onsubmit => "return hashPassword()"} do |f| %>
    <%= hidden_field_tag 'realpass' %>
    New Password
    <%= f.password_field :password, :id => "password", :class => "field text", :value => "" %>
    Confirm New Password
    <%= f.password_field :password_confirmation, :id => "password_confirmation", :class => "field text", :value => "" %>
    <%= submit_tag "Continue" %>
  <% end %>
</div>

However, a user may have disabled JavaScript in the browser. In that case the plaintext arrives in params[:person][:password] with realpass empty, and the server must do the hashing itself so that both paths end up with the same value. In Ruby on Rails you can compute the SHA-256 hex digest of, say, the password by adding the code


require "digest/sha2"

# 64-character lowercase hex digest, the same form hex_sha256 produces in the browser
hashed_password = Digest::SHA256.hexdigest("password_string")

in an appropriate place in the controller. For ASCII input (which the policy above guarantees) Digest::SHA256.hexdigest returns exactly the string hex_sha256 would have sent, which is what allows the two paths to be merged.
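Putting the two paths together on the server, as an added example rather than the original post's controller code: the parameter names follow the view above (params[:realpass] when JavaScript ran, params[:person][:password] and :password_confirmation when it did not), while the helper names, the error strings and the salt-plus-digest storage layout are my assumptions. It also carries the caveat that matters most: once the browser sends a digest, that digest is the credential, so the server salts and hashes it again before storing and compares in constant time. Salted SHA-256 keeps to the page's tooling; a purpose-built password hash such as bcrypt is the stronger choice for the storage step.

```ruby
require "digest/sha2"
require "securerandom"

# Server-side counterpart to hashPassword() in the view. Added example, not the
# post's controller: the param names match the view, everything else is assumed.
# params is a plain Hash with symbol keys here (Rails' params accepts both).

# Same rule the client-side regex enforces: 8 to 40 printable ASCII
# characters with at least one letter and at least one digit.
PASSWORD_POLICY = /\A(?=.*\d)(?=.*[a-zA-Z])[\x20-\x7E]{8,40}\z/

# Reduce the two submission paths to one value, the hex SHA-256 of the
# password, which is what the server treats as the secret from here on:
#   JavaScript on : params[:realpass] carries hex_sha256(password) and the
#                   password fields arrive blank.
#   JavaScript off: params[:person][:password] carries the plaintext, so the
#                   confirmation and policy checks have to happen here.
# Returns [hex_digest, nil] on success or [nil, error_message] on failure.
def client_equivalent_hash(params)
  person = params[:person] || {}
  realpass = params[:realpass].to_s

  if realpass.empty?
    plain = person[:password].to_s
    confirmation = person[:password_confirmation].to_s
    return [nil, "Password should match confirmation."] unless plain == confirmation
    return [nil, "Password must be 8 to 40 characters with a letter and a digit."] unless plain =~ PASSWORD_POLICY
    [Digest::SHA256.hexdigest(plain), nil]
  else
    # The policy cannot be re-checked against a digest; the server can only
    # reject values that are not a well-formed 64-character hex digest.
    return [nil, "Malformed password hash."] unless realpass =~ /\A[0-9a-f]{64}\z/
    [realpass, nil]
  end
end

# Whatever the browser sent is now the credential, so never store it as-is:
# salt it per user and hash again before it goes into the database.
def store_password(client_hash)
  salt = SecureRandom.hex(16)
  { salt: salt, digest: Digest::SHA256.hexdigest(salt + client_hash) }
end

# Compare without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login / verification side: recompute from the stored salt and compare.
def password_matches?(record, client_hash)
  constant_time_equal?(record[:digest], Digest::SHA256.hexdigest(record[:salt] + client_hash))
end
```

Call client_equivalent_hash(params) in the reset_password action; on success hand the digest to store_password and save the returned salt and digest on the person. With JavaScript enabled the policy check necessarily ran only in the browser, so a user who edits the hidden field bypasses it; the server can confirm no more than that the value is a 64-character hex digest.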

Entry filed under: encryption, javascript, ror, rubyonrails, validations.

2 Comments

  • 1. Marco Barulli  |  February 6, 2007 at 1:38 pm

    You may be interested in checking our Javascript library of crypto primitives.

    http://code.google.com/p/clipperz/

    The library aims to obtain maximum execution speed while preserving modularity and reusability.

    It presently includes:

    * SRP authentication protocol
    * SHA2 hash functions
    * AES symmetric encryption
    * Fortuna PRNG

    Any contribution is welcome!

    Regards,
    Marco

  • 2. Sur Max  |  February 6, 2007 at 3:45 pm

    Sounds really interesting!
    I look forward to using it.

    Thanks.
