Ruby encoder

Question: Has anyone developed a Ruby encoder that would allow me to
encrypt my Ruby code to avoid revealing database passwords or other such
things to a potential hacker?

Thanks,
Carl

Carl Youngblood wrote:

Question: Has anyone developed a Ruby encoder that would allow me to
encrypt my Ruby code to avoid revealing database passwords or other such
things to a potential hacker?

Thanks,
Carl

Carl,

Even if you could encrypt your database passwords, at some point you have
to decrypt them in order to make a database connection. That means if I
have access to your script, I can figure out your password via a debugger
or whatever.

The best you can really do is obfuscation. Michael has added my dbrc
module to the DBI distro, which is specifically designed for this. It
provides an interface to a file called “.dbrc”, modeled somewhat on Perl’s
Net::Netrc module. It’s good for preventing “over your shoulder” syndrome.

Your best security, really, is permissions. :-)

Regards,

Dan


Description

This is a supplement to the dbi module, allowing you to avoid hard-coding
passwords in your programs that make database connections.

Synopsis

require 'dbi/dbrc'

dbrc = DBRC.new("mydb")

or

dbrc = DBRC.new("mydb", "someUser")

puts dbrc.db
puts dbrc.user
puts dbrc.driver
puts dbrc.timeout
puts dbrc.max_reconn
puts dbrc.interval
puts dbrc.dsn

dbh = DBI.connect(dbrc.dsn, dbrc.user, dbrc.password)

Requirements

The ‘etc’ module

Designed for *nix systems. Untested on Windows.

Notes on the .dbrc file

This module relies on a file in your home directory called “.dbrc”, and it
is meant to be analogous to the “.netrc” file used by programs such as
telnet.
The .dbrc file has several conditions that must be met by the module or it
will fail:

  1. Permissions must be set to 600.

  2. Must be owned by the current user.

  3. Must be in the following space-separated format:

     <database> <user> <password> <driver> <timeout> <max_reconn> <interval>

     e.g. mydb dan mypass oracle 10 2 30

You may include comments in the .dbrc file by starting the line with a “#”
symbol.

Class Methods

new(db, [user])

  The constructor takes one or two arguments. The first argument is the
  database name. This must be provided. If only the database name is
  passed, the module will look for the first database entry in the .dbrc
  file that matches.

  The second argument, a user name, is optional. If it is passed, the
  module will look for the first entry in the .dbrc file where both the
  database and user name match.

Instance Methods

db
  The name of the database. Note that the same entry can appear more
  than once, presumably because you have multiple user id’s for the same
  database.

user
  A valid user name for that database.

password
  The password for that user.

driver
  The driver type for that database (Oracle, MySql, etc).

timeout
  The timeout period for a connection before the attempt is dropped.

max_reconn
  The maximum number of reconnect attempts that should be made for the
  database. Presumably, you would use this with a “retry” within a
  rescue block.

interval
  The number of seconds to wait before attempting to reconnect to the
  database again should a network/database glitch occur.

dsn
  Returns a string in "dbi:<driver>:<database>" format.

Summary

These “methods” don’t really do anything. They’re simply meant as a
convenience mechanism for your dbi connections, plus a little bit of
obfuscation (for passwords).
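A stand-alone reader for the .dbrc layout Dan describes, added here as an example (it is not the dbrc module itself). The entry accessors, the 0600/ownership checks and the comment syntax follow the documentation above; the DbrcError name, the lookup/demo function names and the sample file are my own constructions.

```ruby
require 'tmpdir'

Entry = Struct.new(:db, :user, :password, :driver, :timeout, :max_reconn, :interval) do
  def dsn
    "dbi:#{driver}:#{db}"
  end
end

class DbrcError < StandardError; end

# Enforce the documented conditions (mode 0600, owned by the current user) before reading.
def check_dbrc_file(path)
  st = File.stat(path)
  raise DbrcError, "#{path}: mode must be 0600" unless (st.mode & 0777) == 0600
  raise DbrcError, "#{path}: not owned by current user" unless st.uid == Process.uid
end

# First matching entry; as with DBRC.new the user is optional, and when given
# both db and user must match. "#" lines are comments; malformed lines are skipped.
def lookup_dbrc(path, db, user = nil)
  check_dbrc_file(path)
  File.foreach(path) do |line|
    fields = line.split
    next if fields.empty? || fields[0].start_with?('#') || fields.length != 7
    next unless fields[0] == db && (user.nil? || fields[1] == user)
    return Entry.new(*fields[0, 4], *fields[4, 3].map(&:to_i))
  end
  raise DbrcError, "no .dbrc entry for #{db}#{user ? " / #{user}" : ''}"
end

# Constructed sample .dbrc (not real credentials) in the documented layout.
SAMPLE_DBRC = <<~DBRC
  # database user password driver timeout max_reconn interval
  mydb dan mypass oracle 10 2 30
  mydb report r3p0rt oracle 10 2 30
DBRC

# Write the sample with mode 0600, look up two entries, then loosen the mode
# to show that a world-readable file is refused outright.
def demo_dbrc
  Dir.mktmpdir do |dir|
    path = File.join(dir, '.dbrc')
    File.write(path, SAMPLE_DBRC)
    File.chmod(0600, path)
    first  = lookup_dbrc(path, 'mydb')
    second = lookup_dbrc(path, 'mydb', 'report')
    File.chmod(0644, path)
    refused = (lookup_dbrc(path, 'mydb') rescue :refused) == :refused
    [first, second, refused]
  end
end
```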

Hi, Carl.

Question: Has anyone developed a Ruby encoder that would allow me to
encrypt my Ruby code to avoid revealing database passwords or other such
things to a potential hacker?

Not me. I have something that “solves” the problem in a different way.

The way I tend to do this is to place the password into ini files
that the application reads. I store them encrypted and then decrypt
them on the fly using my Crypto class. Not very elegant nor secure,
however it seems to be enough to discourage casual abuse.

The obvious problem of someone taking the code and making a decryptor
is there. The assumption on my side is that the user doesn’t have
access to this library (via permissions, etc.).

Feel free to change DefSeed and RandSeed to suit.

Hope this helps,

-mark.

-----

Crypto – a class to do some simple crypto stuff


At 04:33 AM 11/6/2002 +0900, you wrote:

class Crypto
  DefSeed = "1913241303102769784369176881852378684052287024444246184380987196"
  RandStr = "4]fdsfA94kk4t380t4"

  # Append the fixed suffix, then shift each byte up by the matching digit
  # of DefSeed. Works on bytes (.b/getbyte/setbyte) so it runs on current
  # Ruby, where String#[] returns a String, and the seed index wraps so
  # inputs longer than DefSeed no longer hit a nil lookup.
  def encrypt(str)
    s = (str + RandStr).b
    s.length.times do |n|
      s.setbyte(n, (s.getbyte(n) + DefSeed[n % DefSeed.length].to_i) & 0xff)
    end
    s
  end

  # Reverse the shift, then cut off the suffix to recover the original text.
  def decrypt(str)
    s = str.b
    s.length.times do |n|
      s.setbyte(n, (s.getbyte(n) - DefSeed[n % DefSeed.length].to_i) & 0xff)
    end
    s.slice!(0, s.length - RandStr.length)
  end
end

With regard to passwords, you could embed MD5 hashes into your code and
then use MD5.new(“password”) to check against these. You could also
dispense with embedding and read the MD5 hashed passwords from a
separate file (which I believe is the preferred way to do this.)

As for “other such things”, it depends. Md5 is a one-way hashing – you
can’t get the original value back out. This works fine for checking
input against static values, but not for data that has to be re-output
into readable form, or for data that goes in and out dynamically.

For such needs you should check out the cryptography library section at
RAA (Ruby Application Archive). You also might want to take a look at
Michael Neumann’s cryptography page at
http://www.s-direktnet.de/homepages/neumann/crypt/en/

Hope this helps.

Regards,

W. Kent Starr


On Tue, 2002-11-05 at 14:33, Carl Youngblood wrote:

Question: Has anyone developed a Ruby encoder that would allow me to
encrypt my Ruby code to avoid revealing database passwords or other such
things to a potential hacker?

Thanks,
Carl