Scenario:

  • A web application (RoR 3.2) needs to talk with a remote web service (SOAP, using Savon gem).
  • The web service requires username and password.
  • Communication is SOAP, traffic is through a VPN (no SSL for SOAP).
  • I need to store the password that the remote Web Service Admin gives me.
  • The web service admin requires that I store the password in a secure way.
  • When my web server calls the web service I need to use the original password in clear.
  • Bcrypt is the best way to store passwords, but it is "one way".
  • I cannot send the encrypted password, I need a way to decrypt it in order to be able to send it to the web service.

This seems to be a "chicken-and-egg" problem.

Is there a way to securely store a password and be able to decrypt it for use in an automated service?

Any hint?

kranz
  • Does the remote service use OAuth? That's your best bet. If not, have a look at this question: http://stackoverflow.com/questions/8036233/what-is-the-best-way-to-store-password-in-database-when-api-call-requires-sendin – mccannf Dec 08 '12 at 09:27
  • No OAuth unfortunately. I'm thinking of using ssh keys to encrypt the password, and using a hashed password from devise as the key passphrase. I'm borrowing the idea of using ssh keys from zenTourist (http://distributed-frostbite.blogspot.it/2010/06/file-encryption-in-ruby-with-openssl.html) – kranz Dec 09 '12 at 04:45

2 Answers

If the encrypted information needs to be sent as plain text, how about using a strong reversible cipher? This is probably what the Web Service Admin meant.

You can add other info as a salt (using anything that's well-known to you and can be applied algorithmically, say, a name) before encrypting using (for example) AES encryption.
Then you can store the encrypted password in a location of your choice.

SteB
  • Yes, this is the way I'm going to try (almost the same as suggested in the link I posted before); as soon as I find the right solution I'll post it. – kranz Dec 09 '12 at 09:41

I would store this password in an environment variable (plain text, obfuscated, doesn't matter) to avoid putting this into VCS.

Also reading "Is it secure to store passwords as environment variables (rather than as plain text) in config files?" can help.

Tomek Wałkuski
  • Thanks for the suggestion, but I'm quite ahead of these solutions. I have to sign documents where I affirm that the password that someone else gave me is stored securely. So, no plain text, no security by obscurity, no env vars in config files. Not having it in VCS is the very, very, very first step.... like saying to a surgeon that he needs to wear gloves... – kranz Dec 09 '12 at 04:19
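The two answers above fit together: the first (reversible AES encryption of the service password) and the second (keeping secrets out of VCS via the environment). As an added example that is not code from either answerer, from Savon or from the asker's Rails app, the Ruby module below encrypts the web-service password with AES-256-GCM under a key that is read from an environment variable on the app server, and decrypts it only at the moment the SOAP call is made. The module name `ServiceSecret` and the variable name `SERVICE_SECRET_KEY` are assumptions. A fresh random IV is used for every encryption instead of a fixed "salt", so the same password never produces the same stored blob, and the GCM authentication tag makes any edit of the stored blob (or a decrypt under the wrong context string) fail loudly rather than yield garbage that would be sent to the remote service.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Hypothetical helper for storing a third-party service password reversibly.
# Key material lives in the environment; the ciphertext lives in the DB or a
# config file. Neither alone recovers the password.
module ServiceSecret
  CIPHER  = 'aes-256-gcm'
  IV_LEN  = 12 # GCM nonce length (bytes)
  TAG_LEN = 16 # GCM authentication tag length (bytes)
  ENV_VAR = 'SERVICE_SECRET_KEY' # assumed variable name

  # Generate a 256-bit key once; put the Base64 output in ENV_VAR on the
  # server (e.g. via the process manager), never in VCS.
  def self.generate_key
    Base64.strict_encode64(SecureRandom.random_bytes(32))
  end

  # Load and validate the key. `env` is injectable so tests need not touch ENV.
  def self.key_from_env(env = ENV)
    raw = env.fetch(ENV_VAR) { raise "#{ENV_VAR} is not set" }
    key = Base64.strict_decode64(raw)
    raise "#{ENV_VAR} must decode to 32 bytes" unless key.bytesize == 32
    key
  end

  # Encrypt the clear-text password. `context` is additional authenticated
  # data (e.g. the service name) that binds the blob to one use; it is not
  # secret and is not stored in the blob. Output layout: iv || tag || ciphertext.
  def self.encrypt(password, key, context: '')
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = key
    iv = cipher.random_iv                     # fresh nonce per call
    cipher.auth_data = context unless context.empty?
    ciphertext = cipher.update(password) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Decrypt at call time; the result is what goes into the SOAP client's
  # WS-Security credentials. Raises if the blob was altered or the context
  # does not match, so a tampered secret is never sent over the wire.
  def self.decrypt(blob, key, context: '')
    raw = Base64.strict_decode64(blob)
    raise 'stored blob too short' if raw.bytesize < IV_LEN + TAG_LEN
    iv         = raw[0, IV_LEN]
    tag        = raw[IV_LEN, TAG_LEN]
    ciphertext = raw[(IV_LEN + TAG_LEN)..-1]
    decipher = OpenSSL::Cipher.new(CIPHER)
    decipher.decrypt
    decipher.key = key
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = context unless context.empty?
    decipher.update(ciphertext) + decipher.final
  rescue OpenSSL::Cipher::CipherError
    raise 'stored password blob is corrupt or was tampered with'
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo: key generated in-process instead of read from ENV.
  key  = ServiceSecret.key_from_env(ServiceSecret::ENV_VAR => ServiceSecret.generate_key)
  blob = ServiceSecret.encrypt('constructed-demo-password', key, context: 'remote-soap-service')
  puts "stored blob: #{blob}"
  puts "recovered:   #{ServiceSecret.decrypt(blob, key, context: 'remote-soap-service')}"
end
```

Operationally this separates the two secrets: the blob can sit in the application's database (or an encrypted credentials file), while the key is provisioned only on the server that makes the SOAP call. Rotating the key means re-encrypting the stored blob; rotating the remote password means only a new `encrypt` call. A decrypt failure should be logged and the call aborted, since it indicates either a key mismatch after deployment or a modified record.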