Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using Symmetric Cryptography in Ruby

wrzasa
December 16, 2016

Using Symmetric Cryptography in Ruby

Presentation from my talk during RRUG (Rzeszów Ruby User Group, http://rrug.pl) meetup on 16 Dec. 2016.

wrzasa

December 16, 2016
Tweet

More Decks by wrzasa

Other Decks in Programming

Transcript

  1. Symmetric encryption Hash Passwords as keys Summary
    Using Symmetric Cryptography in Ruby
    Rzeszów Ruby User Group #3
    Wojciech Rząsa
    [email protected]
    @wrzasa
    Katedra Informatyki i Automatyki, Politechnika Rzeszowska
    http://www.kia.prz.edu.pl/
    16.12.2016
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 1/26

    View Slide

  2. Symmetric encryption Hash Passwords as keys Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 2/26

    View Slide

  3. Symmetric encryption Hash Passwords as keys Summary
    Plan
    1 Symmetric encryption
    Cipher types
    Cipher modes
    Characteristics
    In Ruby
    2 Cryptographic hash functions
    3 Password based cryptography
    4 Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 3/26

    View Slide

  4. Symmetric encryption Hash Passwords as keys Summary
    Why use cryptography?
    Confidentiality (data privacy)
    Authenticity (who wrote it?)
    Integrity (was it changed along the way?)
    Non-repudiation
    . . .
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 4/26

    View Slide

  5. Symmetric encryption Hash Passwords as keys Summary
    Bitwise XOR operation
    Frequently used in cryptography
    Simple
    Cheap
    Easily reversible
    a b a ⊕ b
    1 1 0
    0 0 0
    1 0 1
    0 1 1
    a ⊕ b ⊕ a = b (1)
    a ⊕ b ⊕ b = a (2)
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 5/26

    View Slide

  6. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Symmetric cryptography
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 6/26

    View Slide

  7. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher types
    Stream cipher
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26

    View Slide

  8. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher types
    Stream cipher
    Block cipher
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26

    View Slide

  9. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher modes – Electronic Code Book (ECB)
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 8/26

    View Slide

  10. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

    View Slide

  11. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original ECB encrypted
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

    View Slide

  12. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original ECB encrypted Securely encrypted
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

    View Slide

  13. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher modes – Cipher Block Chaining (CBC)
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 10/26

    View Slide

  14. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher modes – Counter (CTR)
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 11/26

    View Slide

  15. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Characteristics
    Shared key
    Only the key must be kept secret
    Initialization vector (IV) required
    Never reuse IV with the same key!
    Check how to chose IV
    Consciously!
    Randomly?
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 12/26

    View Slide

  16. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – stream cipher
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18
    19 puts "ENCRYPTED :\n#{ encrypted}"

    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26

    View Slide

  17. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – stream cipher
    §
    21 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
    22 d.decrypt
    23 d.iv = iv
    24 d.key = key
    25
    26 decrypted = d.update(encrypted)
    27 decrypted. force_encoding (’utf -8’)
    28
    29 puts "DECRYPTED :\n#{ decrypted}"

    ¦ ¥
    Symmetric decryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26

    View Slide

  18. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – block cipher
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CBC ’ # a block cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18 encrypted += c.final # rest of last ( incomplete ) block

    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26

    View Slide

  19. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – block cipher
    §
    21
    22 d = OpenSSL :: Cipher.new(’AES -256 - CBC ’)
    23 d.decrypt
    24 d.iv = iv
    25 d.key = key
    26
    27 decrypted = d.update(encrypted)
    28 decrypted. force_encoding (’utf -8’)
    29
    30 puts "DECRYPTED :\n#{ decrypted}"

    ¦ ¥
    Symmetric decryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26

    View Slide

  20. Symmetric encryption Hash Passwords as keys Summary
    Plan
    1 Symmetric encryption
    2 Cryptographic hash functions
    3 Password based cryptography
    4 Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 15/26

    View Slide

  21. Symmetric encryption Hash Passwords as keys Summary
    Cryptographic hash functions
    arbitrary-length message
    fixed-size result
    one-way function (hopefully ;-))
    e.g. MD5, SHA1, SHA2 (SHA256, SHA384, SHA512)
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 16/26

    View Slide

  22. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6
    7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
    8 puts h.inspect
    9
    10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)

    ¦ ¥
    Compute digest in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

    View Slide

  23. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6
    7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
    8 puts h.inspect
    9
    10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)

    ¦ ¥
    Compute digest in Ruby
    "\xC0p\xB92O\x8F\xF4\x18\xFCn\x89k\x97\x9B\xEF5\"\xEC’|\x8A\x8F\xAE\xC4\xDF\xC6
    c070b9324f8ff418fc6e896b979bef3522ec277c8a8faec4dfc658a0efc9881f
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

    View Slide

  24. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 digest = OpenSSL :: Digest.new(’SHA256 ’)
    4
    5 5. times do
    6 digest.update gets
    7 end
    8
    9 puts digest.hexdigest

    ¦ ¥
    Compute digest in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

    View Slide

  25. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 digest = OpenSSL :: Digest.new(’SHA256 ’)
    4
    5 5. times do
    6 digest.update gets
    7 end
    8
    9 puts digest.hexdigest

    ¦ ¥
    Compute digest in Ruby
    Litwo, Ojczyzno moja! ty jesteś jak zdrowie;
    Ile cię trzeba cenić, ten tylko się dowie,
    Kto cię stracił. Dziś piękność twą w całej ozdobie
    Widzę i opisuję, bo tęsknię po tobie.
    899b352ef6b61bd08a2872a912908c2a54837efc1853c5458c08e9b2f17550bf
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

    View Slide

  26. Symmetric encryption Hash Passwords as keys Summary
    Plan
    1 Symmetric encryption
    2 Cryptographic hash functions
    3 Password based cryptography
    4 Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 18/26

    View Slide

  27. Symmetric encryption Hash Passwords as keys Summary
    Passwords as keys?
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18
    19 puts "ENCRYPTED :\n#{ encrypted}"

    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 19/26

    View Slide

  28. Symmetric encryption Hash Passwords as keys Summary
    Password-Based Key Derivation Function (PBKDF)
    Use password as input
    Generate binary (pseudorandom) key
    Use a lot of CPU time
    salt
    hash function
    XOR
    a lot of iterations (from 1000 in year 2000 to 10,000 in IOS 4,
    and even 100,000 now, serverside)
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 20/26

    View Slide

  29. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 in Ruby
    §
    1 require ’openssl ’
    2
    3 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
    4
    5 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
    6 iter = 10 _000
    7 key_len = 32 # e.g. for AES -256
    8
    9 digest = OpenSSL :: Digest.new(’SHA512 ’)
    10 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    11 key_len , digest)

    ¦ ¥
    Generate password-based key
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 21/26

    View Slide

  30. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 and symmetric encryption in Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
    7
    8 # Generate key from password
    9 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
    10 iter = 10 _000
    11 key_len = 32 # e.g. for AES -256
    12 digest = OpenSSL :: Digest.new(’SHA512 ’)
    13 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    14 key_len , digest)
    15 # Encrypt message
    16 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    17 c.encrypt
    18 c.key = key
    19 iv = c.random_iv
    20 encrypted = c.update message
    21 # deliver ciphertext with salt and IV
    22 puts "ENCRYPTED :\n#{ encrypted}"

    ¦ ¥
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 22/26

    View Slide

  31. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 and symmetric decryption in Ruby
    §
    24 # Generate key from password
    25 # use salt delivered with ciphertext
    26 iter = 10 _000
    27 key_len = 32 # e.g. for AES -256
    28 digest = OpenSSL :: Digest.new(’SHA512 ’)
    29 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    30 key_len , digest)
    31
    32 # Decrypt message
    33 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
    34 d.decrypt
    35 d.iv = iv # use IV delivered with ciphertext
    36 d.key = key
    37
    38 decrypted = d.update(encrypted)
    39 decrypted. force_encoding (’utf -8’)
    40
    41 puts "DECRYPTED :\n#{ decrypted}"

    ¦ ¥
    Secure use of password for decryption
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 23/26

    View Slide

  32. Symmetric encryption Hash Passwords as keys Summary
    Summary
    Symmetric algorithms
    Cryptographic hashes
    Password-based cryptography
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26

    View Slide

  33. Symmetric encryption Hash Passwords as keys Summary
    Summary
    Hard topic
    Be sure to know what you do before you do it!
    No ”but it works... somehow...” approach!
    Next: asymmetric cryptography
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26

    View Slide

  34. Symmetric encryption Hash Passwords as keys Summary
    References
    Ruby OpenSSL rdoc
    Samolej, Rząsa, Rzońca, Sadolewski: Wprowadzenie do
    informatyki II – bezpieczeństwo systemów informatycznych,
    sieci komputerowe, systemy operacyjne i bazy danych, Oficyna
    Wyd. PRz., 2014.
    RFC 2898 PKCS #5: Password-Based Cryptography
    Specification Version 2.0
    https://tools.ietf.org/html/rfc2898#section-5.2
    https://en.wikipedia.org/wiki/Block_cipher_mode_
    of_operation
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 25/26

    View Slide

  35. Symmetric encryption Hash Passwords as keys Summary
    Questions?
    Wojciech Rząsa
    [email protected]
    @wrzasa
    Katedra Informatyki i Automatyki, Politechnika Rzeszowska
    http://www.kia.prz.edu.pl/
    Wojciech Rząsa, @wrzasa, KIiA PRz Questions? 26/26

    View Slide