Re: [ruby-81] User authentication technique

From: Loqi
Sent on: Sunday, November 4, 2007 6:59 PM
East Bay Ruby people:

I hope this is the right place for this. Please let me know if it's improper.

So I'm tackling my first Rails application. It will have the usual 
list of user accounts, but I'm challenged by the user authentication 
scheme. Instead of (or in addition to) conventional password 
authentication, I'd like to use some sort of public-key scheme for 
user login.

I'm thinking a user can tell my app their public key when they sign 
up for an account. During user login, my app will encrypt a snippet 
of random data using the public key on file, which the user's browser 
will then somehow decrypt and return. This way I can be sure the user 
knows his own private key, without my end or the Internet ever seeing 
that private key. The encryption scheme can be light- to heavy-duty 
as needed. The main point is that passwords suck. Not only are they 
often insecure in transit, but they must be changed frequently and 
not re-used at multiple servers, and they should be full of funny 
characters, and all those annoying things that cause people to just 
leave everything half-locked all the time. The sort of authentication 
protocol I have in mind allows a user to safely re-use a key all over 
town, and the public key data can be handled with total carelessness 
because it's published anyway.

So, has anyone heard of an existing login protocol that sounds 
anything like this? And if not, does anyone have ideas on how to make 
one for a Rails app?
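The challenge-response scheme the post describes, worked through as an added example (this is not code from the post or from any project mentioned in it). It uses Ruby's OpenSSL bindings, which a Rails app already has available. One design choice differs from the post's wording: instead of encrypting random data for the user to decrypt and echo back, the server sends a random nonce and the user's browser returns a signature over it, which the server checks with the stored public key. This is the shape SSH public-key authentication uses, and it keeps the server from acting as a decryption oracle for whatever an attacker chooses to submit. The class, method and user names (`ChallengeAuth`, `Client.answer`, "alice") are assumptions for illustration; the nonces and keys are generated at run time.

```ruby
require "openssl"
require "securerandom"

# Server side: stores public keys only and hands out single-use, expiring
# challenges. In a Rails app the two hashes would be a users table and a
# short-lived store (session or cache) keyed by challenge id.
class ChallengeAuth
  CHALLENGE_TTL = 60 # seconds a challenge stays valid

  def initialize
    @users   = {} # username => OpenSSL::PKey::RSA holding public components only
    @pending = {} # challenge_id => { user:, nonce:, expires_at: }
  end

  # Sign-up: the user submits a PEM-encoded public key. Refuse private keys so a
  # careless client cannot hand the server the secret it is supposed to keep.
  def register(username, public_key_pem)
    key = OpenSSL::PKey::RSA.new(public_key_pem)
    raise ArgumentError, "private key supplied; the server stores public keys only" if key.private?
    @users[username] = key
    true
  end

  # Login step 1: issue a fresh random nonce bound to the account.
  # Returns [challenge_id, nonce] or nil for an unknown user.
  def issue_challenge(username)
    return nil unless @users.key?(username)
    id    = SecureRandom.hex(16)
    nonce = SecureRandom.bytes(32)
    @pending[id] = { user: username, nonce: nonce, expires_at: Time.now + CHALLENGE_TTL }
    [id, nonce]
  end

  # Login step 2: check the signature the browser returned.
  # Returns the authenticated username, or false. The challenge is deleted
  # before verification so a captured response cannot be replayed.
  def verify(challenge_id, signature)
    entry = @pending.delete(challenge_id)
    return false if entry.nil? || Time.now > entry[:expires_at]
    key = @users[entry[:user]]
    key.verify(OpenSSL::Digest.new("SHA256"), signature, entry[:nonce]) ? entry[:user] : false
  rescue OpenSSL::PKey::PKeyError
    false # malformed signature: treat as a failed login, not a server error
  end
end

# Client side: what the user's browser (or a local helper) would do with the
# nonce. The private key never leaves the client.
module Client
  def self.answer(private_key, nonce)
    private_key.sign(OpenSSL::Digest.new("SHA256"), nonce)
  end
end

# Walk through one honest login, one replay, and one response signed with the
# wrong key. Keys here are generated fresh and are placeholders for real ones.
def run_challenge_demo
  user_key  = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048) # a key the server has never seen
  server = ChallengeAuth.new
  server.register("alice", user_key.public_key.to_pem)

  id, nonce = server.issue_challenge("alice")
  good   = server.verify(id, Client.answer(user_key, nonce))   # => "alice"
  replay = server.verify(id, Client.answer(user_key, nonce))   # => false (challenge consumed)

  id2, nonce2 = server.issue_challenge("alice")
  wrong_key = server.verify(id2, Client.answer(other_key, nonce2)) # => false

  id3, nonce3 = server.issue_challenge("alice")
  garbage = server.verify(id3, "not a signature")                  # => false

  { good: good, replay: replay, wrong_key: wrong_key, garbage: garbage,
    unknown_user: server.issue_challenge("nobody") }
end

puts run_challenge_demo.inspect if $PROGRAM_NAME == __FILE__
```

Two details matter for the property the post is after, namely that the same key can be reused everywhere safely: the nonce must be unpredictable and used once, and the server should only ever hold the public half. Binding the challenge to the account and expiring it keeps a signature captured from one site from being useful anywhere else, including on a second attempt at the same site.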
