Forum: Ruby cryptor 1.0.0: an easy-to-use multi-backend encryption library for Ruby

4131d2f57a0db2a2b4d9a62bd389fd44?d=identicon&s=25 Tony Arcieri (Guest)
on 2014-06-15 01:27
(Received via mailing list)
Cryptor is a multi-backend high-level encryption library for Ruby,
partly
inspired by tools like GPG and Google Keyczar:

https://github.com/cryptosphere/cryptor

Much like an audiophile soundsystem, Cryptor doesn't have a whole lot of
knobs. Instead, all of the tough decisions have been made for you in
advance by experts, providing a safe API that's simple and easy-to-use.
Cryptor utilizes what's known as "authenticated encryption" exclusively,
and supports two backends:

- RbNaCl: a Ruby binding to libsodium, a portable version of the
state-of-the-art NaCl encryption library
- ActiveSupport::MessageEncryptor: a bespoke authenticated encryption
scheme using AES-CBC and HMAC built on Ruby's OpenSSL extension

Here's an example of using Cryptor with the recommended
"xsalsa20poly1305"
cipher supplied by RbNaCl:

    require 'cryptor'
    require 'cryptor/symmetric_encryption/ciphers/message_encryptor'

    secret_key =
Cryptor::SymmetricEncryption.random_key(:xsalsa20poly1305)

    cryptor = Cryptor::SymmetricEncryption.new(secret_key)
    ciphertext = cryptor.encrypt(plaintext)
    decrypted = cryptor.decrypt(ciphertext)

That's it!

Cryptor also supports key rotation, allowing multiple decryption keys to
be
active at the same time, but ensuring all new ciphertexts are produced
by
the newest, "active" key. This means that if keys are ever compromised,
or
you'd like to have a policy of rotating keys, you can easily update
existing ciphertexts to be encrypted under a new key.

Cryptor uses the experimental ORDO message format for representing
ciphertexts:

https://github.com/cryptosphere/ordo

Future versions of Cryptor may support additional message formats like
OpenPGP and JWE.

Cryptor only supports symmetric encryption at this time. Future versions
may support asymmetric encryption using RbNaCl's "Box" encryption
primitive
(a.k.a. curve25519xsalsa20poly1305)

Enjoy!
Cb6bbc826cd7d9238a2fae344958f7ec?d=identicon&s=25 Sándor Szücs (Guest)
on 2014-06-16 20:04
(Received via mailing list)
Hi!

Thanks for your work.

On 15/06/14 01:26, Tony Arcieri wrote:

> Cryptor utilizes what's known as "authenticated encryption" exclusively,
> and supports two backends:
>
> - RbNaCl: a Ruby binding to libsodium, a portable version of the
> state-of-the-art NaCl encryption library
> - ActiveSupport::MessageEncryptor: a bespoke authenticated encryption
> scheme using AES-CBC and HMAC built on Ruby's OpenSSL extension

AES-CBC is not a strong decision.
If you can, please try to use AES-GCM.

Hth. regards, sandor
--
A74a68807619459925cc1d8e1045c7bd?d=identicon&s=25 Tony Arcieri (Guest)
on 2014-06-16 20:16
(Received via mailing list)
On Mon, Jun 16, 2014 at 11:03 AM, Sándor Szücs
<sandor.szuecs@fu-berlin.de>
wrote:

> AES-CBC is not a strong decision.
> If you can, please try to use AES-GCM.


While I agree with you that AES-CBC is inferior to AES-GCM, the
recommended
cipher for Cryptor is XSalsa20Poly1305, an authenticated stream cipher
provided by RbNaCl, which is arguably better than AES-GCM.

AES-CBC + HMAC is provided as an alternative for those who don't want
RbNaCl as a dependency, and used because it's what ActiveSupport's
MessageEncryptor class provides. I am not explicitly choosing to use
AES-CBC. ActiveSupport made the decision for me.
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.