encryption library

[Joe Van Dyk]

I could've sworn that I saw some Ruby library for encrypting stuff
like credit cards. But my google fu fails me. Any ideas?

Joe

 

[Timothy Goddard]

OpenSSL?

 

[William Crawford]

OpenSSL?

I think he actually means for -storing- credit cards. I highly
reccommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.

Is this what you are looking for? http://rubyforge.org/projects/crypt/

 

[Aleks Kissinger]

OpenSSL can be used as a general-purpose crypto lib. Theres a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:

************************
#!/usr/bin/env ruby
require 'openssl'

text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"

puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
***************************

 

[Cliff Cyphers]

This example clearly shows why in the other thread the question was
raised regarding hiding the key in a C extention. As-is anybody would
easily be able to decrypt. And if you have an algoritm that builds the
key into part of the encrypted string somebody could easily digest the
algorithm and extract the key from the encrypted string. Am I missing
something in general about cryptography? I admit I need to read up more
in this area.

OpenSSL can be used as a general-purpose crypto lib. Theres a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:

************************
#!/usr/bin/env ruby
require 'openssl'

text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"

puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
***************************

 

[snacktime]

IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (publik key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

 

[Cliff Cyphers]

What do you do in the situation where the key is in a store protected by
a passphrase? And one's application needs to run in the background and
can't accept user input. Aren't you still in the same position? Need a
way to hide the key/passphrase.

 

[Jan Svitok]

IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (publik key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

Right. Cryptography is a tricky thing, and if your effort should bring
any results, it is necessary to know what you're doing. That's why
it's better to stick with the standard schemes, if possible. Omit one
little step, and your super secure encryption might degrade to
something a child will break.

Good intro book is Schneier's Applied Cryptography, and maybe the
newer Practical Cryptography, although I haven't read the latter.

Good 'encyclopedic' book is Handbook of applied cryptography by
Menezes et al., You can even download it from the web. It lists most
common-used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math ;-)

 

[Jan Svitok]

What do you do in the situation where the key is in a store protected by
a passphrase? And one's application needs to run in the background and
can't accept user input. Aren't you still in the same position? Need a
way to hide the key/passphrase.

It depends on several factors:
- what are your target criteria for security
- what attack do you want to prevent by encryption - i.e. up to what
level of reverse engineering (looking at ruby sources, debugging
executable code,...)
- what access has the attacker to the machine and/or to the code
- etc.
then:
- it's hard to keep the password on the computer where attacker has
access to. From that point, it's just a matter of who of you is
willing to put more effort.

possible solutions:
- ask the password when the thing starts, and keep in the memory;
- use closed C module to do the encryption/decryption (and try to
prevent running the module by the attacker) with memory locking,
permissions etc.
- use hardware crypto device (aka smartcard. you can pull it off the
system, and you can assume the keys in it are safe, and it is not
duplicable)
- forget sesions keys asap
- make key exchanges unrepeatable

 

[snacktime]

Here is an example of one way to use public key (asymmetric)
encryption using openssl. Requires an ssl certificate/key pair, but
only the certificate is required to encrypt.

require 'openssl'

keyfile = 'test.key'
certfile = 'test.crt'
data = "this is a test"

cert = OpenSSL::X509::Certificate.new(File.read(certfile))
key = OpenSSL:Key::RSA.new(File.read(keyfile))
cipher = OpenSSL::Cipher::AES.new("128-CBC")

tmp = OpenSSL:KCS7.encrypt([cert], data, cipher, OpenSSL:KCS7::BINARY)
p7 = OpenSSL:KCS7:KCS7.new(tmp.to_der)

## Data will be stored as string so emulate that here
p7s = p7.to_s

## Create pkcs7 object out of pkcs7 data
p7 = OpenSSL:KCS7:KCS7.new(p7s)
dec = p7.decrypt(key,cert)
print dec

 

[Srinivas JONNALAGADDA]

Good 'encyclopedic' book is Handbook of applied cryptography by
Menezes et al., You can even download it from the web. It lists most
common-used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math ;-)

I have done some search but could not find a place where I could get the
downloadable version. Could you provide a link please?

Greetings,
JS

 

[Matt Long]

--Apple-Mail-10-440339614
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Google "Handbook of applied cryptography" & click "I'm feeling lucky"

I have done some search but could not find a place where I could
get the
downloadable version. Could you provide a link please?

Greetings,
JS

--
Matt Long (e-mail address removed) /
(e-mail address removed)
University of South Florida, CRASAR
GnuPG public key: http://www.robothor.com/key.gpgkey

"If you have to ask what jazz is, you'll never know" --Louis Armstrong



--Apple-Mail-10-440339614
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE9j8Qv08Tl3wOyDwRAhmrAJwNlDkAdEGsXrJ4/CS/hSqzwbc0HQCgjAZn
VH5EYElMqxG8KfOw8DjQyOg=
=0XVf
-----END PGP SIGNATURE-----

--Apple-Mail-10-440339614--

 

[Srinivas JONNALAGADDA]

Google "Handbook of applied cryptography" & click "I'm feeling lucky"

Great!

Greetings,
JS