[newbie] Encryption using OpenSSL

Robert

Hello!

I'm writing a website with Rails and I want to encrypt the passwords
that go into the database. However, I don't want to use hashes (e.g.
SHA1). Instead, I want to be able to decrypt the passwords again.

I searched Google and found this:

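require 'openssl'
require 'digest/sha1'

# Set up AES-256 in CBC mode for encryption
# (OpenSSL::Cipher replaces the deprecated OpenSSL::Cipher::Cipher)
c = OpenSSL::Cipher.new("aes-256-cbc")
c.encrypt
# your pass is what is used to encrypt/decrypt
# AES-256 takes a 32-byte key; current Ruby raises on the 40-character
# hex digest, so keep only its first 32 characters
c.key = key = Digest::SHA1.hexdigest("yourpass")[0, 32]
c.iv = iv = c.random_iv # <-------------------------- What's IV??
e = c.update("crypt this")
e << c.final
puts "encrypted: #{e}\n"

# Decrypt with the same key and the same IV
c = OpenSSL::Cipher.new("aes-256-cbc")
c.decrypt
c.key = key
c.iv = iv
d = c.update(e)
d << c.final
puts "decrypted: #{d}\n"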

That works. However, what's IV? I queried Google and found that it
stands for "initialization vector". Can anyone quickly explain to me
what that is, and most importantly: do I have to use that? Or can I
just leave it out? I'd prefer to just use a key to encrypt the
passwords, instead of "two keys"..


I'm grateful for any help,

thanks,
Rob
 
Dirk Meijer

I'm sorry, not really an answer to your question here, a question of my own
actually..
I created an encrypting program (http://rubyforge.org/projects/rubycipher)
and I was wondering if technically, it could be used for the same purpose,
encrypting passwords in Rails..
Greetings, Dirk.


 
Roland Schmitt

Hi,

...
# your pass is what is used to encrypt/decrypt
c.key = key = Digest::SHA1.hexdigest("yourpass")
c.iv = iv = c.random_iv <-------------------------- What's IV??
e = c.update("crypt this")
...

Look at http://www.cacr.math.uwaterloo.ca/hac/.

Chapter 7 gives a good explanation about block ciphers like AES and the use
of IVs.

In short: block ciphers like AES or DES encrypt/decrypt data in blocks
(i.e. 16 bytes each block). The processing of each block depends on the
result of the block processed before. So for the first data block there is
no predecessor; instead an IV with the same block size is used to initialize
the algorithm. To initialize the algorithm for decryption/encryption you need
the same IV as for encryption/decryption.

Regards,

Roland
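
The chaining described above, as an added example that is not code from any poster in this thread: with the same IV every time, equal inputs (and equal first blocks) give equal ciphertext, while a fresh random IV stored in front of the ciphertext avoids that and still needs only the key to decrypt. The helper names `seal`, `unseal` and `seal_fixed_iv`, the demo key and the sample strings are assumptions made for the illustration.

```ruby
require 'openssl'

CIPHER = 'aes-256-cbc'
BLOCK  = 16 # AES block size in bytes; a CBC IV is exactly one block

# Encrypt under a fresh random IV and return IV || ciphertext.
# The IV is not a second key: it is not secret and is stored with the ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = key
  iv = c.random_iv # generates a random IV and sets it on the cipher
  iv + c.update(plaintext) + c.final
end

# Split a stored blob into IV and ciphertext, then decrypt with the key alone.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize < 2 * BLOCK
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = key
  c.iv = blob.byteslice(0, BLOCK)
  c.update(blob.byteslice(BLOCK, blob.bytesize - BLOCK)) + c.final
end

# "Leaving the IV out" in practice means the same IV every time (all zeros here).
def seal_fixed_iv(key, plaintext)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = key
  c.iv = "\0" * BLOCK
  c.update(plaintext) + c.final
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32) # constructed demo key
  pw  = 'crypt this'                     # constructed sample plaintext
  puts "fixed IV, same input twice equal?  #{seal_fixed_iv(key, pw) == seal_fixed_iv(key, pw)}"
  puts "random IV, same input twice equal? #{seal(key, pw) == seal(key, pw)}"
  puts "round trip ok?                     #{unseal(key, seal(key, pw)) == pw}"
end
```

Only the stored blob and the key are needed to decrypt, so a database column holding the output of `seal` is enough; no separate IV needs to be remembered.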
 
