king_hmac¶ ↑

This gem started with a copy & disection of auth-hmac gem v1.1.1

king_hmac is a Ruby implementation of HMAC based authentication of HTTP requests. HMAC authentication involves a client and server having a shared secret key. When sending the request the client, signs the request using the secret key. This involves building a canonical representation of the request and then generating a HMAC of the request using the secret. The generated HMAC is then sent as part of the request.

When the server receives the request it builds the same canonical representation and generates a HMAC using it’s copy of the secret key, if the HMAC produced by the server matches the HMAC sent by the client, the server can be assured that the client also possesses the shared secret key.

HMAC based authentication also provides message integrity checking because the HMAC is based on a combination of the shared secret and the content of the request. So if any part of the request that is used to build the canonical representation is modified by a malicious party or in transit the authentication will then fail.

KingHmac::Auth is loosely based on the Amazon Web Services authentication scheme but without the Amazon specific components, i.e. it is HMAC for the rest of us.

Gem hosted on gemcutter.org

sudo gem install king_hmac

See github.com/salesking/king_hmac The source repository:

git clone git://github.com/salesking/king_hmac.git

HMAC Authentication is best used as authentication for communication between applications such as web services. It provides better security than HTTP Basic authentication without the need to set up SSL. Of course if you need to protect the confidentiality of the data then you need SSL, but if you just want to authenticate requests without sending credentials in the clear KingHmac::Auth is a good choice.

The simplest way to use KingHmac::Auth is with the KingHmac::Auth.sign! and KingHmac::Auth.authenticate? methods. KingHmac::Auth.sign! takes a HTTP request object, an access id and a secret key and signs the request with the access_id and secret key.

On the server side you can then authenticate these requests using the KingHmac::Auth.authenticated? method. This takes the same arguments as the sign! method but returns true if the request has been signed with the access id and secret or false if it hasn’t.

If you have more than one set of credentials you might find it useful to create an instance of the KingHmac::Auth class, passing your credentials as a Hash of access id => secret keys, like so:

@hmac_auth = KingHmac::Auth.new('access_id1' => 'secret1', 'access_id2' => 'secret2')

You can then use the instance methods of the @hmac_auth object to sign and authenticate requests, for example:

@hmac_auth.sign!(request, "access_id1")

Sign request with “access_id1” and it’s corresponding secret key. Similarly authentication is done like so:

@hmac_auth.authenticated?(request)

which will return true if the request has been signed with one of the access id and secret key pairs provided in the constructor.

KingHmac::Auth will do its best to figure out which type it is an handle it accordingly.

• Net::HTTP::HTTPRequest

• CGI::Request

• Webrick HTTP request object.

• Rack::Request

The access_id is used to identify the secret key that was used to sign the request. Think of it as like a user name, it allows you to hand out different keys to different clients and authenticate each of them individually. The access_id is sent in the clear so you should avoid making it an important string.

The secret key is the shared secret between the client and the server. You should make this sufficiently random so that is can’t be guessed or exposed to dictionary attacks. The follow code will give you a pretty good secret key:

random = File.read('/dev/random', 512)
secret_key = Base64.encode64(Digest::SHA2.new(512).digest(random))

KingHmac::Auth supports authentication within Rails controllers and signing of requests generated by Active Resource. See KingHmac::Rails::ControllerFilter::ClassMethods and KingHmac::Rails::ActiveResourceExtension::BaseHmac::ClassMethods for details.

When creating a signature for a HTTP request KingHmac::Auth first generates a canonical representation of the request.

This canonical string is created like so:

canonical_string = HTTP-Verb    + "\n" +
                 Content-Type + "\n" +
                 Content-MD5  + "\n" +
                 Date         + "\n" +
                 request-uri;

Where Content-Type, Content-MD5 and Date are all taken from the headers of the request. If Content-Type or Content-MD5 are not present, they are substituted with an empty string. If Date is not present it is added to the request headers with the value Time.now.httpdate. request-uri is the path component of the request, without any query string, i.e. everything up to the ?.

This string is then used with the secret to generate a SHA1 HMAC using the following:

OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), secret_key, canonical_string)

The result is then Base64 encoded and added to the headers of the request as the Authorization header in the format:

Authorization: KingHmac::Auth <access_id>:<base64 encoded king_hmac>

When authenaticating a request, KingHmac::Auth looks for the Authorization header in the above format, parses out the components, regenerates a HMAC for the request, using the secret key identified by the access id and then compares the generated HMAC with the one provided by the client. If they match the request is authenticated.

Using these details it is possible to build code that will sign and authenticate KingHmac::Auth style requests in other languages.

This gem started with a copy & disection of auth-king_hmac gem v1.1.1. Most of this doc was written by Sean Geoghegan auth-king_hmac was developed by Sean Geoghegan rubyforge.org/projects/auth-king_hmac && by Peerworks.