Nipper Labs

by Michael Nipper

Read this first

Deep Dive on the Rails secret_key_base

secret_key_base is a long, pseudorandom hex string (128 hex characters, as generated by rake secret) that Rails 4.0 introduced; earlier versions had secret_token, which was handed straight to the cookie signer as its HMAC key rather than run through a key derivation step. Rails never uses secret_key_base directly either: ActiveSupport::KeyGenerator derives separate keys from it (PBKDF2 with a fixed, purpose-specific salt), and those derived keys encrypt and sign the session data stored in your users' cookies. That makes it a credential, not configuration: anyone who holds it can mint a session cookie your app will accept, so keep it out of version control and rotate it if it ever leaks (rotating it invalidates every existing session, since every derived key changes with it).

A secret_key_base should look something like this:

2f4cef0a1548b04ad4825bfc3b7502fb3e801ff546b2815b9dfff06a4048320776f08ac0052bef106bb44bae8c5516d1250c3b4f6448dc4e144fddff6b902351

After derivation, encryption and signing, it turns a session into a cookie value like this (the base64-encoded encrypted payload; the full cookie also carries a -- separator followed by the HMAC-SHA1 signature, which is not shown here):

MUZQenBHbjdEQ0N6ZXU1c2E1MUc1a200cVVJOFNMSHdHRkJTNnNibGZ3dmE0OWd4SE9VcjVYVVJBN2VISlVEZlZLZTIrVnFmbktLQlZLcXo3bEdBRCsvSitqWTJiNUdVbUN6VGZCcEtna0VOemQ2cXR2WGM5VnF5MEtPakNMRm5aVXFDaitCbVdvVWVCZzYyN1hXbWhCY3pNMVVuRXJnSGZOZHNUdlhhbXM1bWRqYmRuNG5oTkxaTDlBbk92ejdmOTVLbGxSRnhtTXh3dEJ2eWM5d3d4T0R6V1JwN1E5R0pXSmR1eC94VlZKenZrOUU3TTl4U3FZMHZVak4zbG5JUktMUjE5OHkrTm5rQUZ4S1
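To make the derivation concrete, here is the construction the Rails 4.x encrypted cookie store uses (PBKDF2-HMAC-SHA1 over secret_key_base with a fixed salt, AES-256-CBC for the payload, HMAC-SHA1 over the base64 payload, joined with --), written against Ruby's OpenSSL bindings so it runs without Rails. This is an added example and not code from the post or from Rails itself; the salt strings, iteration count and key sizes follow Rails 4.x, the JSON serializer stands in for the cookie serializer, and the secret is the page's sample value used purely as demo input.

```ruby
require 'openssl'
require 'base64'
require 'json'

# The page's sample secret_key_base, used here as constructed demo input.
# Never reuse a published value: `rake secret` generates a fresh one.
SECRET_KEY_BASE = '2f4cef0a1548b04ad4825bfc3b7502fb3e801ff546b2815b9dfff06a40483207' \
                  '76f08ac0052bef106bb44bae8c5516d1250c3b4f6448dc4e144fddff6b902351'

# Rails 4.x never uses secret_key_base directly: ActiveSupport::KeyGenerator
# runs PBKDF2-HMAC-SHA1 (1000 iterations) over it with a fixed,
# purpose-specific salt to get one key per job.
ITERATIONS   = 1000
ENCRYPT_SALT = 'encrypted cookie'
SIGN_SALT    = 'signed encrypted cookie'

def derive_key(secret_key_base, salt, length)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, ITERATIONS, length)
end

# Constant-time comparison of two digests (what Rails' secure_compare does),
# so a forger cannot learn the HMAC one byte at a time from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt-then-sign a session hash the way the encrypted cookie store lays it
# out: base64(base64(AES-256-CBC ciphertext)--base64(iv))--hex(HMAC-SHA1).
def encrypt_session(secret_key_base, session)
  enc_key = derive_key(secret_key_base, ENCRYPT_SALT, 32) # AES-256 key
  sig_key = derive_key(secret_key_base, SIGN_SALT, 64)    # HMAC key
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  # JSON stands in for the cookie serializer (new Rails 4.1+ apps use JSON;
  # Rails 4.0 defaulted to Marshal).
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  payload = "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}"
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', sig_key, data)}"
end

# Verify the signature first, then decrypt. Returns nil for anything that was
# not produced with this secret_key_base (wrong secret, tampered bytes).
def decrypt_session(secret_key_base, cookie)
  enc_key = derive_key(secret_key_base, ENCRYPT_SALT, 32)
  sig_key = derive_key(secret_key_base, SIGN_SALT, 64)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA1', sig_key, data))
  ct_b64, iv_b64 = Base64.strict_decode64(data).split('--', 2)
  return nil if iv_b64.nil?
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = enc_key
  cipher.iv = Base64.strict_decode64(iv_b64)
  JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
rescue OpenSSL::OpenSSLError, ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = encrypt_session(SECRET_KEY_BASE, { 'user_id' => 42 })
  puts cookie
  p decrypt_session(SECRET_KEY_BASE, cookie)         # {"user_id"=>42}
  # Anyone holding secret_key_base can mint a cookie the app will trust:
  p decrypt_session(SECRET_KEY_BASE, encrypt_session(SECRET_KEY_BASE, { 'user_id' => 1 }))
  p decrypt_session('some-other-secret', cookie)     # nil
end
```

The point of the last two lines is the security-relevant one: verification only proves the cookie was produced with the same secret_key_base, so a leaked secret is a session-forgery key for every account, and with a Marshal serializer (the Rails 4.0 default) a forged cookie also hands the server attacker-chosen objects to deserialize. Rotating the secret, not patching the app, is the fix for a leak.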

Continue reading →


Encryption in a Distributed System

I build Android and web apps intended to be used for research projects. This presents a few unique security challenges, one of which is that PII (personally identifiable information) and research data should not be stored together. This is a problem, since I need to collect PII and research data on Android devices which cannot guarantee internet access (and therefore cannot rely on transferring these to separate servers as they are entered).

In order to solve this, I wanted to store the PII in such a way that it is encrypted and cannot be decrypted even if the device is lost and the app reverse-engineered (remember, Android apps are client-side code!). In order to do this, I obviously had to be okay with the PII not being re-displayed to the user after saving (since this would require that the data be recoverable on the device).
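The standard way to meet that requirement is hybrid public-key encryption: the app carries only the server's public key, each record is encrypted under a fresh symmetric data key, the data key is wrapped with the public key and then thrown away, and the private key lives only on the server. Below is an added example of that scheme in Ruby (the post is cut off above, so this is not the author's eventual code and does not stand for any particular Java library or gem); it assumes RSA-OAEP for wrapping and AES-256-GCM for the record, and generates the server key pair in process purely so the demo runs offline.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Server side, run once: the private key is generated and kept on the server
# that receives the uploads. Only the public half is compiled into the app.
# (Constructed for this demo; a real deployment loads the key from the server's
# key store or an HSM rather than generating it in process.)
def generate_server_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# Device side: seal one PII record so that only the server can open it.
# A fresh AES-256-GCM data key encrypts the record; the data key itself is
# wrapped with the server's RSA public key (RSA-OAEP) and then dropped, so
# nothing left on the device can reverse the operation. The GCM tag lets the
# server detect any tampering with the stored envelope.
def seal_pii(public_key_pem, record)
  public_key = OpenSSL::PKey::RSA.new(public_key_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(record)) + cipher.final
  wrapped_key = public_key.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  {
    'wrapped_key' => Base64.strict_encode64(wrapped_key),
    'iv'          => Base64.strict_encode64(iv),
    'tag'         => Base64.strict_encode64(cipher.auth_tag),
    'ciphertext'  => Base64.strict_encode64(ciphertext)
  }
end

# Server side: unwrap the data key with the private key, then decrypt and
# authenticate the record. Returns nil if the key is wrong (for example a
# device that only has the public key) or the envelope was modified.
def open_pii(private_key_pem, envelope)
  private_key = OpenSSL::PKey::RSA.new(private_key_pem)
  data_key = private_key.private_decrypt(Base64.strict_decode64(envelope['wrapped_key']),
                                         OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = data_key
  cipher.iv = Base64.strict_decode64(envelope['iv'])
  cipher.auth_tag = Base64.strict_decode64(envelope['tag'])
  JSON.parse(cipher.update(Base64.strict_decode64(envelope['ciphertext'])) + cipher.final)
rescue OpenSSL::OpenSSLError, ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  server_key = generate_server_keypair
  app_public_key = server_key.public_key.to_pem      # what ships inside the APK
  envelope = seal_pii(app_public_key, { 'name' => 'Ada Lovelace', 'phone' => '555-0100' })
  puts JSON.pretty_generate(envelope)                 # all the device ever keeps
  p open_pii(server_key.to_pem, envelope)             # server recovers the record
  p open_pii(app_public_key, envelope)                # device cannot: nil
end
```

The envelope is all the device retains, which is exactly why the record cannot be re-displayed after saving: the data key is gone and the public key cannot undo its own operation. The residual risk is the public key itself: someone who repackages the app with their own key can read records entered after that point (not records already sealed), so the key should be pinned in the app and the server should reject envelopes it cannot open rather than silently discarding them.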

I had a look at a few Java libraries and Ruby gems to

Continue reading →
