Symmetric encryption Hash Passwords as keys Summary Using Symmetric Cryptography in Ruby Rzeszów Ruby User Group #3 Wojciech Rząsa [email protected] @wrzasa Katedra Informatyki i Automatyki, Politechnika Rzeszowska http://www.kia.prz.edu.pl/ 16.12.2016 Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 1/26 

Symmetric encryption Hash Passwords as keys Summary Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 2/26 

Symmetric encryption Hash Passwords as keys Summary Plan 1 Symmetric encryption Cipher types Cipher modes Characteristics In Ruby 2 Cryptographic hash functions 3 Password based cryptography 4 Summary Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 3/26 

Symmetric encryption Hash Passwords as keys Summary Why use cryptography? Confidentiality (data privacy) Authenticity (who wrote it?) Integrity (was it changed along the way?) Non-repudiation . . . Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 4/26 

Symmetric encryption Hash Passwords as keys Summary Bitwise XOR operation Frequently used in cryptography Simple Cheap Easily reversible a b a ⊕ b 1 1 0 0 0 0 1 0 1 0 1 1 a ⊕ b ⊕ a = b (1) a ⊕ b ⊕ b = a (2) Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 5/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Symmetric cryptography Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 6/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Cipher types Stream cipher Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Cipher types Stream cipher Block cipher Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Cipher modes – Electronic Code Book (ECB) [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 8/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Electronic Code Book (ECB) – example Original [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP. Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Electronic Code Book (ECB) – example Original ECB encrypted [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP. Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Electronic Code Book (ECB) – example Original ECB encrypted Securely encrypted [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP. Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Cipher modes – Cipher Block Chaining (CBC) [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 10/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Cipher modes – Counter (CTR) [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 11/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby Characteristics Shared key Only the key must be kept secret Initialization vector (IV) required Never reuse IV with the same key! Check how to chose IV Consciously! Randomly? Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 12/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby In Ruby – stream cipher § 1 require ’openssl ’ 2 3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher 4 c.encrypt 5 6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie" 7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" + 8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D" 9 c.key = key 10 #key = c. random_key 11 iv = c.random_iv 12 13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 15 wszystkie inne szanowany." 16 17 encrypted = c.update message 18 19 puts "ENCRYPTED :\n#{ encrypted}"  ¦ ¥ Symmetric encryption in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby In Ruby – stream cipher § 21 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’) 22 d.decrypt 23 d.iv = iv 24 d.key = key 25 26 decrypted = d.update(encrypted) 27 decrypted. force_encoding (’utf -8’) 28 29 puts "DECRYPTED :\n#{ decrypted}"  ¦ ¥ Symmetric decryption in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby In Ruby – block cipher § 1 require ’openssl ’ 2 3 c = OpenSSL :: Cipher.new ’AES -256 - CBC ’ # a block cipher 4 c.encrypt 5 6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie" 7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" + 8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D" 9 c.key = key 10 #key = c. random_key 11 iv = c.random_iv 12 13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 15 wszystkie inne szanowany." 16 17 encrypted = c.update message 18 encrypted += c.final # rest of last ( incomplete ) block  ¦ ¥ Symmetric encryption in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26 

Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby In Ruby – block cipher § 21 22 d = OpenSSL :: Cipher.new(’AES -256 - CBC ’) 23 d.decrypt 24 d.iv = iv 25 d.key = key 26 27 decrypted = d.update(encrypted) 28 decrypted. force_encoding (’utf -8’) 29 30 puts "DECRYPTED :\n#{ decrypted}"  ¦ ¥ Symmetric decryption in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26 

Symmetric encryption Hash Passwords as keys Summary Plan 1 Symmetric encryption 2 Cryptographic hash functions 3 Password based cryptography 4 Summary Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 15/26 

Symmetric encryption Hash Passwords as keys Summary Cryptographic hash functions arbitrary-length message fixed-size result one-way function (hopefully ;-)) e.g. MD5, SHA1, SHA2 (SHA256, SHA384, SHA512) Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 16/26 

Symmetric encryption Hash Passwords as keys Summary In Ruby § 1 require ’openssl ’ 2 3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 5 wszystkie inne szanowany." 6 7 h = OpenSSL :: Digest.digest(’SHA256 ’, message) 8 puts h.inspect 9 10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)  ¦ ¥ Compute digest in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26 

Symmetric encryption Hash Passwords as keys Summary In Ruby § 1 require ’openssl ’ 2 3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 5 wszystkie inne szanowany." 6 7 h = OpenSSL :: Digest.digest(’SHA256 ’, message) 8 puts h.inspect 9 10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)  ¦ ¥ Compute digest in Ruby "\xC0p\xB92O\x8F\xF4\x18\xFCn\x89k\x97\x9B\xEF5\"\xEC’|\x8A\x8F\xAE\xC4\xDF\xC6 c070b9324f8ff418fc6e896b979bef3522ec277c8a8faec4dfc658a0efc9881f Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26 

Symmetric encryption Hash Passwords as keys Summary In Ruby § 1 require ’openssl ’ 2 3 digest = OpenSSL :: Digest.new(’SHA256 ’) 4 5 5. times do 6 digest.update gets 7 end 8 9 puts digest.hexdigest  ¦ ¥ Compute digest in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26 

Symmetric encryption Hash Passwords as keys Summary In Ruby § 1 require ’openssl ’ 2 3 digest = OpenSSL :: Digest.new(’SHA256 ’) 4 5 5. times do 6 digest.update gets 7 end 8 9 puts digest.hexdigest  ¦ ¥ Compute digest in Ruby Litwo, Ojczyzno moja! ty jesteś jak zdrowie; Ile cię trzeba cenić, ten tylko się dowie, Kto cię stracił. Dziś piękność twą w całej ozdobie Widzę i opisuję, bo tęsknię po tobie. 899b352ef6b61bd08a2872a912908c2a54837efc1853c5458c08e9b2f17550bf Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26 

Symmetric encryption Hash Passwords as keys Summary Plan 1 Symmetric encryption 2 Cryptographic hash functions 3 Password based cryptography 4 Summary Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 18/26 

Symmetric encryption Hash Passwords as keys Summary Passwords as keys? § 1 require ’openssl ’ 2 3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher 4 c.encrypt 5 6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie" 7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" + 8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D" 9 c.key = key 10 #key = c. random_key 11 iv = c.random_iv 12 13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 15 wszystkie inne szanowany." 16 17 encrypted = c.update message 18 19 puts "ENCRYPTED :\n#{ encrypted}"  ¦ ¥ Symmetric encryption in Ruby Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 19/26 

Symmetric encryption Hash Passwords as keys Summary Password-Based Key Derivation Function (PBKDF) Use password as input Generate binary (pseudorandom) key Use a lot of CPU time salt hash function XOR a lot of iterations (from 1000 in year 2000 to 10,000 in IOS 4, and even 100,000 now, serverside) Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 20/26 

Symmetric encryption Hash Passwords as keys Summary PBKDF2 in Ruby § 1 require ’openssl ’ 2 3 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie" 4 5 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext 6 iter = 10 _000 7 key_len = 32 # e.g. for AES -256 8 9 digest = OpenSSL :: Digest.new(’SHA512 ’) 10 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter , 11 key_len , digest)  ¦ ¥ Generate password-based key Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 21/26 

Symmetric encryption Hash Passwords as keys Summary PBKDF2 and symmetric encryption in Ruby § 1 require ’openssl ’ 2 3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga 4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad 5 wszystkie inne szanowany." 6 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie" 7 8 # Generate key from password 9 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext 10 iter = 10 _000 11 key_len = 32 # e.g. for AES -256 12 digest = OpenSSL :: Digest.new(’SHA512 ’) 13 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter , 14 key_len , digest) 15 # Encrypt message 16 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher 17 c.encrypt 18 c.key = key 19 iv = c.random_iv 20 encrypted = c.update message 21 # deliver ciphertext with salt and IV 22 puts "ENCRYPTED :\n#{ encrypted}"  ¦ ¥ Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 22/26 

Symmetric encryption Hash Passwords as keys Summary PBKDF2 and symmetric decryption in Ruby § 24 # Generate key from password 25 # use salt delivered with ciphertext 26 iter = 10 _000 27 key_len = 32 # e.g. for AES -256 28 digest = OpenSSL :: Digest.new(’SHA512 ’) 29 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter , 30 key_len , digest) 31 32 # Decrypt message 33 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’) 34 d.decrypt 35 d.iv = iv # use IV delivered with ciphertext 36 d.key = key 37 38 decrypted = d.update(encrypted) 39 decrypted. force_encoding (’utf -8’) 40 41 puts "DECRYPTED :\n#{ decrypted}"  ¦ ¥ Secure use of password for decryption Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 23/26 

Symmetric encryption Hash Passwords as keys Summary Summary Symmetric algorithms Cryptographic hashes Password-based cryptography Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26 

Symmetric encryption Hash Passwords as keys Summary Summary Hard topic Be sure to know what you do before you do it! No ”but it works... somehow...” approach! Next: asymmetric cryptography Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26 

Symmetric encryption Hash Passwords as keys Summary References Ruby OpenSSL rdoc Samolej, Rząsa, Rzońca, Sadolewski: Wprowadzenie do informatyki II – bezpieczeństwo systemów informatycznych, sieci komputerowe, systemy operacyjne i bazy danych, Oficyna Wyd. PRz., 2014. RFC 2898 PKCS #5: Password-Based Cryptography Specification Version 2.0 https://tools.ietf.org/html/rfc2898#section-5.2 https://en.wikipedia.org/wiki/Block_cipher_mode_ of_operation Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 25/26 

Symmetric encryption Hash Passwords as keys Summary Questions? Wojciech Rząsa [email protected] @wrzasa Katedra Informatyki i Automatyki, Politechnika Rzeszowska http://www.kia.prz.edu.pl/ Wojciech Rząsa, @wrzasa, KIiA PRz Questions? 26/26