encryption library

 
 
Joe Van Dyk
      08-30-2006
I could've sworn that I saw some Ruby library for encrypting stuff
like credit cards. But my google fu fails me. Any ideas?

Joe

 
Timothy Goddard
      08-30-2006
OpenSSL?

Joe Van Dyk wrote:
> I could've sworn that I saw some Ruby library for encrypting stuff
> like credit cards. But my google fu fails me. Any ideas?
>
> Joe


 
William Crawford
      08-30-2006
Timothy Goddard wrote:
> OpenSSL?


I think he actually means for -storing- credit cards. I highly
recommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.

Is this what you are looking for? http://rubyforge.org/projects/crypt/

--
Posted via http://www.ruby-forum.com/.

 
Aleks Kissinger
      08-30-2006
OpenSSL can be used as a general-purpose crypto lib. There's a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:

************************
#!/usr/bin/env ruby
require 'openssl'

text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"

puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
***************************

On 8/30/06, William Crawford <(E-Mail Removed)> wrote:
> Timothy Goddard wrote:
> > OpenSSL?

>
> I think he actually means for -storing- credit cards. I highly
> recommend you do NOT do this. Or at least tell me what the website is,
> so I never shop there.
>
> Is this what you are looking for? http://rubyforge.org/projects/crypt/
>
> --
> Posted via http://www.ruby-forum.com/.
>
>


 
Cliff Cyphers
      08-30-2006
This example clearly shows why in the other thread the question was
raised regarding hiding the key in a C extension. As-is anybody would
easily be able to decrypt. And if you have an algorithm that builds the
key into part of the encrypted string somebody could easily digest the
algorithm and extract the key from the encrypted string. Am I missing
something in general about cryptography? I admit I need to read up more
in this area.

Aleks Kissinger wrote:
> OpenSSL can be used as a general-purpose crypto lib. There's a good
> example of using a plain symmetric cipher in the ruby 1.8.4 source, in
> samples/openssl/crypt.rb:
>
> ************************
> #!/usr/bin/env ruby
> require 'openssl'
>
> text = "abcdefghijklmnopqrstuvwxyz"
> key = "key"
> alg = "DES-EDE3-CBC"
> #alg = "AES-128-CBC"
>
> puts "--Setup--"
> puts %(clear text: "#{text}")
> puts %(symmetric key: "#{key}")
> puts %(cipher alg: "#{alg}")
> puts
>
> puts "--Encrypting--"
> des = OpenSSL::Cipher::Cipher.new(alg)
> des.encrypt(key) #, "iv12345678")
> cipher = des.update(text)
> cipher << des.final
> puts %(encrypted text: #{cipher.inspect})
> puts
>
> puts "--Decrypting--"
> des = OpenSSL::Cipher::Cipher.new(alg)
> des.decrypt(key) #, "iv12345678")
> out = des.update(cipher)
> out << des.final
> puts %(decrypted text: "#{out}")
> puts
> ***************************
>
> On 8/30/06, William Crawford <(E-Mail Removed)> wrote:
>> Timothy Goddard wrote:
>> > OpenSSL?

>>
>> I think he actually means for -storing- credit cards. I highly
>> recommend you do NOT do this. Or at least tell me what the website is,
>> so I never shop there.
>>
>> Is this what you are looking for? http://rubyforge.org/projects/crypt/
>>
>> --
>> Posted via http://www.ruby-forum.com/.
>>
>>

>


 
snacktime
      08-30-2006
IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (public key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

 
Cliff Cyphers
      08-30-2006
What do you do in the situation where the key is in a store protected by
a passphrase? And one's application needs to run in the background and
can't accept user input. Aren't you still in the same position? Need a
way to hide the key/passphrase.

snacktime wrote:
> IMO, if you are going to use encryption for sensitive data then you
> should read up a bit on asymmetric (public key) versus symmetric
> cryptography and at least have a basic understanding of how this stuff
> works. Ruby openssl works great, but unless you are already familiar
> with openssl in general the docs probably won't do you much good. The
> test suite in the ruby source though has a lot of examples.
>
> Chris
>


 
Jan Svitok
      08-30-2006
On 8/30/06, snacktime <(E-Mail Removed)> wrote:
> IMO, if you are going to use encryption for sensitive data then you
> should read up a bit on asymmetric (public key) versus symmetric
> cryptography and at least have a basic understanding of how this stuff
> works. Ruby openssl works great, but unless you are already familiar
> with openssl in general the docs probably won't do you much good. The
> test suite in the ruby source though has a lot of examples.
>
> Chris


Right. Cryptography is a tricky thing, and if your effort should bring
any results, it is necessary to know what you're doing. That's why
it's better to stick with the standard schemes, if possible. Omit one
little step, and your super secure encryption might degrade to
something a child will break.

Good intro book is Schneier's Applied Cryptography, and maybe the
newer Practical Cryptography, although I haven't read the latter.

Good 'encyclopedic' book is Handbook of Applied Cryptography by
Menezes et al. You can even download it from the web. It lists most
commonly used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math

 
Jan Svitok
      08-30-2006
On 8/30/06, Cliff Cyphers <(E-Mail Removed)2go.com> wrote:
> What do you do in the situation where the key is in a store protected by
> a passphrase? And one's application needs to run in the background and
> can't accept user input. Aren't you still in the same position? Need a
> way to hide the key/passphrase.


It depends on several factors:
- what are your target criteria for security
- what attack do you want to prevent by encryption - i.e. up to what
level of reverse engineering (looking at ruby sources, debugging
executable code,...)
- what access has the attacker to the machine and/or to the code
- etc.
then:
- it's hard to keep the password on the computer where attacker has
access to. From that point, it's just a matter of who of you is
willing to put more effort.

possible solutions:
- ask the password when the thing starts, and keep in the memory;
- use closed C module to do the encryption/decryption (and try to
prevent running the module by the attacker) with memory locking,
permissions etc.
- use hardware crypto device (aka smartcard. you can pull it off the
system, and you can assume the keys in it are safe, and it is not
duplicable)
- forget session keys asap
- make key exchanges unrepeatable
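
One way to do the "ask the password when the thing starts, and keep in the memory" option listed above, as an added example that is not part of the original post. It derives the key once from a start-up passphrase and encrypts each record with an authenticated mode; the record layout, the `AAD` label, the function names and the iteration count are assumptions made for this example.

```ruby
require 'openssl'

IV_LEN  = 12   # GCM nonce size in bytes
TAG_LEN = 16   # GCM authentication tag size in bytes
AAD     = 'card-record-v1' # hypothetical context label bound into every record

# Run once at start-up: stretch the operator's passphrase into a 256-bit key.
# The salt is not secret and is stored next to the data; the iteration count
# is an assumed work factor.
def derive_key(passphrase, salt, iterations = 200_000)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, iterations, 32,
                             OpenSSL::Digest.new('SHA256'))
end

# Encrypt one record. Output layout (constructed for this example):
# iv (12 bytes) | tag (16 bytes) | ciphertext
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv          # fresh random nonce for every record
  cipher.auth_data = AAD
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Decrypt one record; raises OpenSSL::Cipher::CipherError if the key is wrong
# or any byte of the record was modified.
def unseal(key, blob)
  blob = blob.b
  raise ArgumentError, 'record too short' if blob.bytesize <= IV_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, IV_LEN)
  cipher.auth_tag = blob.byteslice(IV_LEN, TAG_LEN)
  cipher.auth_data = AAD
  cipher.update(blob.byteslice(IV_LEN + TAG_LEN..-1)) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  salt = OpenSSL::Random.random_bytes(16)      # constructed demo values
  key  = derive_key('constructed demo passphrase', salt)
  blob = seal(key, 'constructed sample record')
  puts unseal(key, blob)
end
```

In a real service the passphrase would be read once from the operator at start-up and only the derived key kept in memory, which still leaves the trade-offs listed above for an attacker with access to the running machine.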

 
snacktime
      08-30-2006
Here is an example of one way to use public key (asymmetric)
encryption using openssl. Requires an ssl certificate/key pair, but
only the certificate is required to encrypt.

require 'openssl'

keyfile = 'test.key'
certfile = 'test.crt'
data = "this is a test"

# The certificate (public key) is enough to encrypt;
# the private key is only needed to decrypt.
cert = OpenSSL::X509::Certificate.new(File.read(certfile))
key = OpenSSL::PKey::RSA.new(File.read(keyfile))
cipher = OpenSSL::Cipher::AES.new("128-CBC")

# Encrypt the data to the certificate's public key as a PKCS#7 envelope.
# (The post wrote OpenSSL::PKCS7::PKCS7.new; current Ruby uses OpenSSL::PKCS7.new.)
tmp = OpenSSL::PKCS7.encrypt([cert], data, cipher, OpenSSL::PKCS7::BINARY)
p7 = OpenSSL::PKCS7.new(tmp.to_der)

## Data will be stored as string so emulate that here
p7s = p7.to_s

## Create pkcs7 object out of pkcs7 data
p7 = OpenSSL::PKCS7.new(p7s)
dec = p7.decrypt(key, cert)
print dec

 