"It's easy to get crypto wrong, and useless)"
Yes, it is. I wrote a blog entry that discusses the various factors involving
portability w/ block symmetric encryption algorithms (specifically AES, but it
applies to any block encryption algoritm). In a nutshell, you have
these things
which must match:
(1) Algorithm (Blowfish, AES, Twofish, etc.)
(2) Mode (CBC, ECB)
(3) Key Length (128-bit, 192-bit, 256-bit)
(4) Initialization Vector
(5) Secret Key
(6) Padding Scheme (but only last block will differ if mismatched).
(7) Byte ordering issues?
(8) Charset encoding if encrypting text (are you encrypting Unicode,
ANSI, utf-8, etc?)
The blog entry is here:
http://blog.chilkatsoft.com/?p=123
I wrote it because I get so many emails that read like: "I'm
encrypting in PHP, but need to
decrypt in ASP..." The general problem is that you're encrypting in
one programming
language, or with one tool/sdk, but need to decrypt on something
entirely different.
Or worse, you have a database full of encrypted data and a few years
down the road
you want to re-design your systems in some other programming language.
I wrote another blog entry about data expansion with block encryption
algorithms:
http://blog.chilkatsoft.com/?p=119
The common question is: "How big should my database field be when
encrypting strings
that are no longer than N?" The factors involved are:
(1) Algorithm block size
(2) Padding scheme
(3) Output encoding, such as hex or base64 if encrypted output is a string
(4) Character encoding -- again, are you encrypting 2 byte/char
Unicode, utf-8, iso-8859-1, etc...?
I think the info in these blog posts apply to any programming
language or API...
Best Regards,
Matt
Does anyone use openssl within Ruby to encrypt data? I want to use a hosted
MySQL database, but most of the hosting companies do not support
MySQL with the
aes_encrypt() or aes_decrypt() functions.
Most have Ruby bindings to MySQL and they support Rails. So, I
thought I could
use openssl to encrypt data within Ruby and then store that data in the
database. I don't know if others are doing this. I thought I'd ask
the list to
see if others do this.
Thank you,
Brad
I'm not doing it ('cause I just don't need it ;-). Anyway I think it
should work. However please note some possible problems:
1. you'll want o have your records independent - therefore either
using ECB mode or special IV for each record.
2. you don't want to have the same data in different places encrypted
into the same ciphertexts - therefore you'll need either IV or some
kind of salt, that you'll need to store somewhere (it depends on the
data you store, maybe a per row IV would be enough)
3. most probably you can't encrypt the index fields, and search will
not work as usual on encrypted fields.
Taking this into consideration, it should be possible to create a
schema that will work.
(If you don't know what these IV, ECB and salt things are, I recommend
reading something on cryptography, e.g. [1]. It's easy to get crypto
wrong, and useless)
[1]
http://www.cacr.math.uwaterloo.ca/hac/
