Protocol documents are not necessarily easy to digest. They are often overstuffed with information, making them dry and difficult to understand. While the IETF is a good resource on protocols, their descriptions are often too pedantic and lack a “big picture” perspective. And if you’re like me, you need that big picture perspective before wading into the details.
I’ve been unable to find that big picture on OAuth 2.0, so I decided to write my own big picture, using what little I know about screenplay writing. I thought it would be fun to see how a conversation between three people could help understand the OAuth 2.0 protocol.
Wireless networks are an immense convenience, but they can be a security nightmare. Whether you’re sitting in a public wi-fi area or comfortably at home in front of your television, your connections to wireless devices are under constant threat. One of these threats involves vulnerabilities encountered when logging into an online service, when you can potentially reveal your account login and password information. Even if these values are encrypted, a smart hacker on the same wireless network might capture your traffic and attempt to replay it back to the server to gain access to your account.
Topics like authentication often give me the heebie-jeebies. I worry about nefarious hackers in some corner of Beijing trying to hack into my account by somehow circumventing the authentication mechanism I put in place. To fight the situation, I could write the entire authentication routines myself, but then I worry that I haven’t tested them thoroughly; on the other hand, I worry about using a library solution that I don’t fully understand, which could leave me open to an attacker who does fully understand it.
A good compromise is to understand a bit about authentication and then use a known solution. When it comes to Sinatra, both are within easy grasp.
Occasionally I run across the need to efficiently encrypt and decrypt small messages that get sent over public media. Sure, I could use SSL, but for simple situations, I don’t need such a big hammer. What I need is a way to take a message like, “I’m leaving the key under the doormat” and tuck it away in a message that otherwise does not need security.
Below is a class called Shencrypt, with two simple methods. To encrypt a message, just pass it as the argument to self.encrypt, and it will return an output hash that contains the encrypted message as well as the IV (Initialization Vector) that helps protect against analysis by the bad guys. Since this uses symmetric encryption, the receiver has to have access to the same key. This can be solved in various ways; perhaps the most obvious would be to use an MD5 hash of the login password as the key.
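The class itself is not reproduced above, so here is an added example in the same spirit; it is my own code, not the post's Shencrypt, and it assumes a shared password on both ends. It keeps the shape the post describes (a class method that encrypts and returns a hash carrying the ciphertext and the IV, and a matching decrypt) but makes two deliberate swaps: the key is derived with PBKDF2 and a random salt rather than an MD5 hash of the password, because a raw MD5 digest is a fast, unsalted function that lets anyone who captures a message brute-force the password offline, and the cipher mode is AES-256-GCM rather than plain CBC, so a message that was altered in transit (or decrypted with the wrong key) fails loudly instead of yielding garbage. The iteration count and sample message are constructed values.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example, not the page's own Shencrypt class. A small helper for
# tucking a short secret into an otherwise unprotected message.
class Shencrypt
  CIPHER     = 'aes-256-gcm'   # authenticated mode: tampering is detected on decrypt
  KEY_BYTES  = 32
  SALT_BYTES = 16
  PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware

  # Derive the shared key from the password both sides know. The post suggests
  # an MD5 digest of the login password; this example swaps in PBKDF2 with a
  # random per-message salt so a captured message is not cheaply brute-forced.
  def self.derive_key(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: KEY_BYTES, hash: 'sha256')
  end

  # Encrypt +message+ under +password+. A fresh IV is generated on every call,
  # so encrypting the same text twice yields different output. The IV and salt
  # are not secret; they only have to travel with the ciphertext.
  def self.encrypt(message, password)
    salt   = SecureRandom.random_bytes(SALT_BYTES)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = derive_key(password, salt)
    iv = cipher.random_iv            # 12-byte nonce, the GCM default
    cipher.auth_data = ''
    ciphertext = cipher.update(message) + cipher.final
    {
      iv:         Base64.strict_encode64(iv),
      salt:       Base64.strict_encode64(salt),
      ciphertext: Base64.strict_encode64(ciphertext),
      tag:        Base64.strict_encode64(cipher.auth_tag)
    }
  end

  # Reverse of encrypt. Raises OpenSSL::Cipher::CipherError when the password
  # is wrong or any field was altered in transit, instead of returning garbage.
  def self.decrypt(envelope, password)
    salt   = Base64.strict_decode64(envelope[:salt])
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = derive_key(password, salt)
    cipher.iv  = Base64.strict_decode64(envelope[:iv])
    cipher.auth_tag  = Base64.strict_decode64(envelope[:tag])
    cipher.auth_data = ''
    plain = cipher.update(Base64.strict_decode64(envelope[:ciphertext])) + cipher.final
    plain.force_encoding(Encoding::UTF_8)
  end

  # Convenience for callers that prefer nil to an exception on a bad message.
  def self.decrypt_or_nil(envelope, password)
    decrypt(envelope, password)
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input.
  password = 'correct horse battery staple'
  box = Shencrypt.encrypt("I'm leaving the key under the doormat", password)
  puts box.inspect
  puts Shencrypt.decrypt(box, password)
end
```

The receiver needs the whole hash (iv, salt, ciphertext, tag) plus the shared password; everything but the password can be sent in the clear. Because the tag is checked before any plaintext is released, a replayed-but-modified message or a guess at the password produces an exception rather than a plausible-looking string, which is the check you want when the message is riding inside otherwise unprotected traffic.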