I could’ve sworn that I saw some Ruby library for encrypting stuff
like credit cards. But my google fu fails me. Any ideas?
Joe
Timothy G. wrote:
OpenSSL?
I think he actually means for -storing- credit cards. I highly
recommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.
Is this what you are looking for? http://rubyforge.org/projects/crypt/
OpenSSL?
OpenSSL can be used as a general-purpose crypto lib. There’s a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:
#!/usr/bin/env ruby
require 'openssl'
text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"
puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts
puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts
puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (public key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won’t do you much good. The
test suite in the ruby source though has a lot of examples.
Chris
This example clearly shows why in the other thread the question was
raised regarding hiding the key in a C extension. As-is anybody would
easily be able to decrypt. And if you have an algorithm that builds the
key into part of the encrypted string somebody could easily digest the
algorithm and extract the key from the encrypted string. Am I missing
something in general about cryptography? I admit I need to read up more
in this area.
What do you do in the situation where the key is in a store protected by
a passphrase? And one’s application needs to run in the background and
can’t accept user input. Aren’t you still in the same position? Need a
way to hide the key/passphrase.
On 8/30/06, Cliff C. [email protected] wrote:
What do you do in the situation where the key is in a store protected by
a passphrase? And one’s application needs to run in the background and
can’t accept user input. Aren’t you still in the same position? Need a
way to hide the key/passphrase.
It depends on several factors:
possible solutions:
Here is an example of one way to use public key (asymmetric)
encryption using openssl. Requires an ssl certificate/key pair, but
only the certificate is required to encrypt.
require 'openssl'
keyfile = 'test.key'
certfile = 'test.crt'
data = "this is a test"
cert = OpenSSL::X509::Certificate.new(File.read(certfile))
key = OpenSSL::PKey::RSA.new(File.read(keyfile))
cipher = OpenSSL::Cipher::AES.new("128-CBC")
tmp = OpenSSL::PKCS7.encrypt([cert], data, cipher, OpenSSL::PKCS7::BINARY)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)
p7s = p7.to_s
p7 = OpenSSL::PKCS7::PKCS7.new(p7s)
dec = p7.decrypt(key,cert)
print dec
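The split discussed above (an unattended process that can encrypt but holds nothing that decrypts), written out as an added example that is not part of any post in this thread. It uses the current Ruby OpenSSL API with AES-256-GCM and RSA-OAEP rather than the PKCS7 calls above; `seal_record`, `open_record`, the envelope layout and the sample values are assumptions made for illustration.

```ruby
require 'openssl'

# Added example: seal_record / open_record and the envelope hash layout are
# illustrative names, not taken from the thread or from any library.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Runs in the unattended process: needs only the PUBLIC key.
def seal_record(plaintext, public_key, context)
  aes = OpenSSL::Cipher.new('aes-256-gcm')
  aes.encrypt
  data_key = aes.random_key   # fresh 256-bit key for every record
  iv       = aes.random_iv    # fresh 96-bit nonce for every record
  aes.auth_data = context     # authenticated but not encrypted (e.g. a record id)
  ciphertext = aes.update(plaintext) + aes.final
  { wrapped_key: public_key.public_encrypt(data_key, OAEP),
    iv: iv, tag: aes.auth_tag, ciphertext: ciphertext }
end

# Runs only where the PRIVATE key lives (a separate host or an operator step).
def open_record(envelope, private_key, context)
  data_key = private_key.private_decrypt(envelope[:wrapped_key], OAEP)
  aes = OpenSSL::Cipher.new('aes-256-gcm')
  aes.decrypt
  aes.key = data_key
  aes.iv = envelope[:iv]
  aes.auth_tag = envelope[:tag]
  aes.auth_data = context
  # final raises OpenSSL::Cipher::CipherError if ciphertext, tag or context changed
  aes.update(envelope[:ciphertext]) + aes.final
end

if __FILE__ == $PROGRAM_NAME
  private_key = OpenSSL::PKey::RSA.new(2048)  # constructed key pair for the demo
  public_key  = private_key.public_key        # the only key the service holds
  # Constructed sample value (a well-known test card number), not real data.
  sealed = seal_record('4111111111111111', public_key, 'order-1001')
  puts "ciphertext bytes: #{sealed[:ciphertext].bytesize}"
  puts "service holds a private key? #{public_key.private?}"
  puts "recovered: #{open_record(sealed, private_key, 'order-1001')}"
end
```

A process that only ever calls `seal_record` has no key or passphrase to hide; the private key stays on whatever system performs `open_record`.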
On Thu, 2006-08-31 at 05:11 +0900, Jan S. wrote:
Good ‘encyclopedic’ book is Handbook of applied cryptography by
Menezes et al. You can even download it from the web. It lists most
commonly used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math
I have done some search but could not find a place where I could get the
downloadable version. Could you provide a link please?
Greetings,
JS
Google “Handbook of applied cryptography” & click “I’m feeling lucky”
On 30 Aug , 2006, at 9:01 PM, Srinivas JONNALAGADDA wrote:
Greetings,
JS
–
Matt Long [email protected] /
[email protected]
University of South Florida, CRASAR
GnuPG public key: http://www.robothor.com/key.gpgkey
“If you have to ask what jazz is, you’ll never know” --Louis Armstrong
On Thu, 2006-08-31 at 10:44 +0900, Matt Long wrote:
Google “Handbook of applied cryptography” & click “I’m feeling lucky”
Great!
Greetings,
JS
On 8/30/06, snacktime [email protected] wrote:
IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (public key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won’t do you much good. The
test suite in the ruby source though has a lot of examples.
Chris
Right. Cryptography is a tricky thing, and if your effort should bring
any results, it is necessary to know what you’re doing. That’s why
it’s better to stick with the standard schemes, if possible. Omit one
little step, and your super secure encryption might degrade to
something a child will break.
Good intro book is Schneier’s Applied Cryptography, and maybe the
newer Practical Cryptography, although I haven’t read the latter.
Good ‘encyclopedic’ book is Handbook of applied cryptography by
Menezes et al. You can even download it from the web. It lists most
commonly used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math