-------- Original Message --------
> Date: Mon, 14 Sep 2009 17:44:31 +0900
> From: Brian Candler <b.candler / pobox.com>
> To: ruby-talk / ruby-lang.org
> Subject: Re: Password on code - what's the best way to obfuscate it?

> Rodrigo Bermejo wrote:
> > I've been in the need to create applications which require to make use of
> > another program which requires authentication.  As everyone who has
> > tried to solve this problem with a script lang (no compiled, what would
> > be the best term /?), a security concern comes in play.
> > 
> > Where in hell should I put the password /?
> 

Dear Rodrigo,

you can use a variant of a secret sharing scheme. In such a scheme, a secret (password) is split up in n parts, and there is a number k<=n of partial secrets needed to retrieve it.
The fact that a secret is split enables you to distribute less than the k information bits to any user and keep the remaining secret parts and the application to recombine it at a safe place (somewhere the user cannot read from - I assume this is possible for you as you say that you want to interface another program - which I assume you'll run on a web server or the like).

In the safe place, you'd have to write some code to combine the password from the k bits necessary to retrieve it. 
Thus, when the user enters his info, the information transferred is not
sufficient to intercept or rebuild the correct password and the combined
one is wrong.

There's a description of Shamir's secret sharing scheme with a simplified
example and links to some (non-Ruby) code (the web interface didn't work for me) here:

http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

If you'd have to give away the entire application on a user's computer,
I second the previous respondents' pessimism - just like everything else
they wrote.

Best regards,

Axel
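
Added example, not part of the original message or of the code linked from it: a k-of-n Shamir split in Ruby, showing that the parts kept in the safe place cannot rebuild the password without the part the user supplies. All method names, the field prime and the sample password are assumptions made for this illustration.

```ruby
require 'securerandom'

# Added example: k-of-n Shamir secret sharing over the prime field GF(PRIME).
# All names here are hypothetical; nothing is taken from the original thread.
PRIME = 2**521 - 1 # Mersenne prime; the encoded secret must be smaller

def secret_to_int(str)
  raise ArgumentError, 'empty secret' if str.empty?
  str.unpack1('H*').to_i(16)
end

def int_to_secret(int)
  hex = int.to_s(16)
  hex = "0#{hex}" if hex.length.odd?
  [hex].pack('H*').force_encoding('UTF-8')
end

# Returns n shares [x, y]; any k of them recover the secret.
def split_secret(secret, k:, n:)
  raise ArgumentError, 'need 2 <= k <= n' unless k.between?(2, n)
  s = secret_to_int(secret)
  raise ArgumentError, 'secret too long for field' unless s < PRIME
  # Random polynomial of degree k-1 whose constant term is the secret.
  coeffs = [s] + Array.new(k - 1) { SecureRandom.random_number(PRIME) }
  (1..n).map do |x|
    [x, coeffs.reverse.reduce(0) { |acc, c| (acc * x + c) % PRIME }] # Horner
  end
end

# Lagrange interpolation at x = 0 recovers the constant term.
def combine_shares(shares)
  raise ArgumentError, 'duplicate share x' if shares.map(&:first).uniq.size != shares.size
  total = shares.each_with_index.sum do |(xi, yi), i|
    num = den = 1
    shares.each_with_index do |(xj, _), j|
      next if i == j
      num = (num * -xj) % PRIME
      den = (den * (xi - xj)) % PRIME
    end
    yi * num * den.pow(PRIME - 2, PRIME) # modular inverse via Fermat
  end
  int_to_secret(total % PRIME)
end

if __FILE__ == $PROGRAM_NAME
  user_share, *server_shares = split_secret('s3cr3t-pw', k: 3, n: 3) # constructed sample
  puts combine_shares([user_share, *server_shares]) # all three parts: correct
  puts combine_shares(server_shares).inspect        # one part missing: wrong value
end
```

The hex encoding drops leading zero bytes, so this sketch suits printable passwords of up to 65 bytes rather than arbitrary binary keys.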

