encryption library

Discussion in 'Ruby' started by Joe Van Dyk, Aug 30, 2006.

  1. Joe Van Dyk

    Joe Van Dyk Guest

    I could've sworn that I saw some Ruby library for encrypting stuff
    like credit cards. But my google fu fails me. Any ideas?

    Joe
    Joe Van Dyk, Aug 30, 2006
    #1
    1. Advertising

  2. OpenSSL?

    Joe Van Dyk wrote:
    > I could've sworn that I saw some Ruby library for encrypting stuff
    > like credit cards. But my google fu fails me. Any ideas?
    >
    > Joe
    Timothy Goddard, Aug 30, 2006
    #2
    1. Advertising

  3. William Crawford, Aug 30, 2006
    #3
  4. OpenSSL can be used as a general-purpose crypto lib. Theres a good
    example of using a plain symmetric cipher in the ruby 1.8.4 source, in
    samples/openssl/crypt.rb:

    ************************
    #!/usr/bin/env ruby
    require 'openssl'

    text = "abcdefghijklmnopqrstuvwxyz"
    key = "key"
    alg = "DES-EDE3-CBC"
    #alg = "AES-128-CBC"

    puts "--Setup--"
    puts %(clear text: "#{text}")
    puts %(symmetric key: "#{key}")
    puts %(cipher alg: "#{alg}")
    puts

    puts "--Encrypting--"
    des = OpenSSL::Cipher::Cipher.new(alg)
    des.encrypt(key) #, "iv12345678")
    cipher = des.update(text)
    cipher << des.final
    puts %(encrypted text: #{cipher.inspect})
    puts

    puts "--Decrypting--"
    des = OpenSSL::Cipher::Cipher.new(alg)
    des.decrypt(key) #, "iv12345678")
    out = des.update(cipher)
    out << des.final
    puts %(decrypted text: "#{out}")
    puts
    ***************************

    On 8/30/06, William Crawford <> wrote:
    > Timothy Goddard wrote:
    > > OpenSSL?

    >
    > I think he actually means for -storing- credit cards. I highly
    > reccommend you do NOT do this. Or at least tell me what the website is,
    > so I never shop there.
    >
    > Is this what you are looking for? http://rubyforge.org/projects/crypt/
    >
    > --
    > Posted via http://www.ruby-forum.com/.
    >
    >
    Aleks Kissinger, Aug 30, 2006
    #4
  5. This example clearly shows why in the other thread the question was
    raised regarding hiding the key in a C extention. As-is anybody would
    easily be able to decrypt. And if you have an algoritm that builds the
    key into part of the encrypted string somebody could easily digest the
    algorithm and extract the key from the encrypted string. Am I missing
    something in general about cryptography? I admit I need to read up more
    in this area.

    Aleks Kissinger wrote:
    > OpenSSL can be used as a general-purpose crypto lib. Theres a good
    > example of using a plain symmetric cipher in the ruby 1.8.4 source, in
    > samples/openssl/crypt.rb:
    >
    > ************************
    > #!/usr/bin/env ruby
    > require 'openssl'
    >
    > text = "abcdefghijklmnopqrstuvwxyz"
    > key = "key"
    > alg = "DES-EDE3-CBC"
    > #alg = "AES-128-CBC"
    >
    > puts "--Setup--"
    > puts %(clear text: "#{text}")
    > puts %(symmetric key: "#{key}")
    > puts %(cipher alg: "#{alg}")
    > puts
    >
    > puts "--Encrypting--"
    > des = OpenSSL::Cipher::Cipher.new(alg)
    > des.encrypt(key) #, "iv12345678")
    > cipher = des.update(text)
    > cipher << des.final
    > puts %(encrypted text: #{cipher.inspect})
    > puts
    >
    > puts "--Decrypting--"
    > des = OpenSSL::Cipher::Cipher.new(alg)
    > des.decrypt(key) #, "iv12345678")
    > out = des.update(cipher)
    > out << des.final
    > puts %(decrypted text: "#{out}")
    > puts
    > ***************************
    >
    > On 8/30/06, William Crawford <> wrote:
    >> Timothy Goddard wrote:
    >> > OpenSSL?

    >>
    >> I think he actually means for -storing- credit cards. I highly
    >> reccommend you do NOT do this. Or at least tell me what the website is,
    >> so I never shop there.
    >>
    >> Is this what you are looking for? http://rubyforge.org/projects/crypt/
    >>
    >> --
    >> Posted via http://www.ruby-forum.com/.
    >>
    >>

    >
    Cliff Cyphers, Aug 30, 2006
    #5
  6. Joe Van Dyk

    snacktime Guest

    IMO, if you are going to use encryption for sensitive data then you
    should read up a bit on asymmetric (publik key) versus symmetric
    cryptography and at least have a basic understanding of how this stuff
    works. Ruby openssl works great, but unless you are already familiar
    with openssl in general the docs probably won't do you much good. The
    test suite in the ruby source though has a lot of examples.

    Chris
    snacktime, Aug 30, 2006
    #6
  7. What do you do in the situation where the key is in a store protected by
    a passphrase? And one's application needs to run in the background and
    can't accept user input. Aren't you still in the same position? Need a
    way to hide the key/passphrase.

    snacktime wrote:
    > IMO, if you are going to use encryption for sensitive data then you
    > should read up a bit on asymmetric (publik key) versus symmetric
    > cryptography and at least have a basic understanding of how this stuff
    > works. Ruby openssl works great, but unless you are already familiar
    > with openssl in general the docs probably won't do you much good. The
    > test suite in the ruby source though has a lot of examples.
    >
    > Chris
    >
    Cliff Cyphers, Aug 30, 2006
    #7
  8. Joe Van Dyk

    Jan Svitok Guest

    On 8/30/06, snacktime <> wrote:
    > IMO, if you are going to use encryption for sensitive data then you
    > should read up a bit on asymmetric (publik key) versus symmetric
    > cryptography and at least have a basic understanding of how this stuff
    > works. Ruby openssl works great, but unless you are already familiar
    > with openssl in general the docs probably won't do you much good. The
    > test suite in the ruby source though has a lot of examples.
    >
    > Chris


    Right. Cryptography is a tricky thing, and if your effort should bring
    any results, it is necessary to know what you're doing. That's why
    it's better to stick with the standard schemes, if possible. Omit one
    little step, and your super secure encryption might degrade to
    something a child will break.

    Good intro book is Schneier's Applied Cryptography, and maybe the
    newer Practical Cryptography, although I haven't read the latter.

    Good 'encyclopedic' book is Handbook of applied cryptography by
    Menezes et al., You can even download it from the web. It lists most
    common-used algorithms, along with their usage and drawbacks. Beware:
    It contains lots of math ;-)
    Jan Svitok, Aug 30, 2006
    #8
  9. Joe Van Dyk

    Jan Svitok Guest

    On 8/30/06, Cliff Cyphers <2go.com> wrote:
    > What do you do in the situation where the key is in a store protected by
    > a passphrase? And one's application needs to run in the background and
    > can't accept user input. Aren't you still in the same position? Need a
    > way to hide the key/passphrase.


    It depends on several factors:
    - what are your target criteria for security
    - what attack do you want to prevent by encryption - i.e. up to what
    level of reverse engineering (looking at ruby sources, debugging
    executable code,...)
    - what access has the attacker to the machine and/or to the code
    - etc.
    then:
    - it's hard to keep the password on the computer where attacker has
    access to. From that point, it's just a matter of who of you is
    willing to put more effort.

    possible solutions:
    - ask the password when the thing starts, and keep in the memory;
    - use closed C module to do the encryption/decryption (and try to
    prevent running the module by the attacker) with memory locking,
    permissions etc.
    - use hardware crypto device (aka smartcard. you can pull it off the
    system, and you can assume the keys in it are safe, and it is not
    duplicable)
    - forget sesions keys asap
    - make key exchanges unrepeatable
    Jan Svitok, Aug 30, 2006
    #9
  10. Joe Van Dyk

    snacktime Guest

    Here is an example of one way to use public key (asymmetric)
    encryption using openssl. Requires an ssl certificate/key pair, but
    only the certificate is required to encrypt.

    require 'openssl'

    keyfile = 'test.key'
    certfile = 'test.crt'
    data = "this is a test"

    cert = OpenSSL::X509::Certificate.new(File.read(certfile))
    key = OpenSSL::pKey::RSA.new(File.read(keyfile))
    cipher = OpenSSL::Cipher::AES.new("128-CBC")

    tmp = OpenSSL::pKCS7.encrypt([cert], data, cipher, OpenSSL::pKCS7::BINARY)
    p7 = OpenSSL::pKCS7::pKCS7.new(tmp.to_der)

    ## Data will be stored as string so emulate that here
    p7s = p7.to_s

    ## Create pkcs7 object out of pkcs7 data
    p7 = OpenSSL::pKCS7::pKCS7.new(p7s)
    dec = p7.decrypt(key,cert)
    print dec
    snacktime, Aug 30, 2006
    #10
  11. On Thu, 2006-08-31 at 05:11 +0900, Jan Svitok wrote:
    > Good 'encyclopedic' book is Handbook of applied cryptography by
    > Menezes et al., You can even download it from the web. It lists most
    > common-used algorithms, along with their usage and drawbacks. Beware:
    > It contains lots of math ;-)


    I have done some search but could not find a place where I could get the
    downloadable version. Could you provide a link please?

    Greetings,
    JS
    Srinivas JONNALAGADDA, Aug 31, 2006
    #11
  12. Joe Van Dyk

    Matt Long Guest

    --Apple-Mail-10-440339614
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

    Google "Handbook of applied cryptography" & click "I'm feeling lucky"


    On 30 Aug , 2006, at 9:01 PM, Srinivas JONNALAGADDA wrote:

    > On Thu, 2006-08-31 at 05:11 +0900, Jan Svitok wrote:
    >> Good 'encyclopedic' book is Handbook of applied cryptography by
    >> Menezes et al., You can even download it from the web. It lists most
    >> common-used algorithms, along with their usage and drawbacks. Beware:
    >> It contains lots of math ;-)

    >
    > I have done some search but could not find a place where I could
    > get the
    > downloadable version. Could you provide a link please?
    >
    > Greetings,
    > JS
    >
    >


    --
    Matt Long /

    University of South Florida, CRASAR
    GnuPG public key: http://www.robothor.com/key.gpgkey

    "If you have to ask what jazz is, you'll never know" --Louis Armstrong



    --Apple-Mail-10-440339614
    content-type: application/pgp-signature; x-mac-type=70674453;
    name=PGP.sig
    content-description: This is a digitally signed message part
    content-disposition: inline; filename=PGP.sig
    content-transfer-encoding: 7bit

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (Darwin)

    iD8DBQFE9j8Qv08Tl3wOyDwRAhmrAJwNlDkAdEGsXrJ4/CS/hSqzwbc0HQCgjAZn
    VH5EYElMqxG8KfOw8DjQyOg=
    =0XVf
    -----END PGP SIGNATURE-----

    --Apple-Mail-10-440339614--
    Matt Long, Aug 31, 2006
    #12
  13. On Thu, 2006-08-31 at 10:44 +0900, Matt Long wrote:
    > Google "Handbook of applied cryptography" & click "I'm feeling lucky"


    Great!

    Greetings,
    JS
    Srinivas JONNALAGADDA, Aug 31, 2006
    #13
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Robert Vabo

    Encryption

    Robert Vabo, Oct 8, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    1,278
    Ed Kaim [MSFT]
    Oct 14, 2003
  2. abhinav

    encryption algorithms

    abhinav, Dec 26, 2004, in forum: VHDL
    Replies:
    2
    Views:
    642
  3. Jules
    Replies:
    0
    Views:
    934
    Jules
    Jul 18, 2007
  4. Mike Carr

    Help with Encryption Library

    Mike Carr, Apr 6, 2004, in forum: ASP .Net Security
    Replies:
    1
    Views:
    99
    Hernan de Lahitte
    Apr 7, 2004
  5. Sudo Nim
    Replies:
    1
    Views:
    121
    Bart Van der Donck
    Feb 19, 2008
Loading...

Share This Page