wrzasa
December 16, 2016
160

# Using Symmetric Cryptography in Ruby

Presentation from my talk during RRUG (Rzeszów Ruby User Group, http://rrug.pl) meetup on 16 Dec. 2016.

## wrzasa

December 16, 2016

## Transcript

1. Symmetric encryption Hash Passwords as keys Summary
Using Symmetric Cryptography in Ruby
Rzeszów Ruby User Group #3
Wojciech Rząsa
[email protected]
@wrzasa
Katedra Informatyki i Automatyki, Politechnika Rzeszowska
http://www.kia.prz.edu.pl/
16.12.2016
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 1/26

2. Symmetric encryption Hash Passwords as keys Summary
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 2/26

3. Symmetric encryption Hash Passwords as keys Summary
Plan
1 Symmetric encryption
Cipher types
Cipher modes
Characteristics
In Ruby
2 Cryptographic hash functions
4 Summary
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 3/26

4. Symmetric encryption Hash Passwords as keys Summary
Why use cryptography?
Conﬁdentiality (data privacy)
Authenticity (who wrote it?)
Integrity (was it changed along the way?)
Non-repudiation
. . .
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 4/26

5. Symmetric encryption Hash Passwords as keys Summary
Bitwise XOR operation
Frequently used in cryptography
Simple
Cheap
Easily reversible
a b a ⊕ b
1 1 0
0 0 0
1 0 1
0 1 1
a ⊕ b ⊕ a = b (1)
a ⊕ b ⊕ b = a (2)
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 5/26

6. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Symmetric cryptography
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 6/26

7. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Cipher types
Stream cipher
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26

8. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Cipher types
Stream cipher
Block cipher
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26

9. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Cipher modes – Electronic Code Book (ECB)
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 8/26

10. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Electronic Code Book (ECB) – example
Original
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

11. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Electronic Code Book (ECB) – example
Original ECB encrypted
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

12. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Electronic Code Book (ECB) – example
Original ECB encrypted Securely encrypted
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26

13. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Cipher modes – Cipher Block Chaining (CBC)
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 10/26

14. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Cipher modes – Counter (CTR)
[https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 11/26

15. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
Characteristics
Shared key
Only the key must be kept secret
Initialization vector (IV) required
Never reuse IV with the same key!
Check how to chose IV
Consciously!
Randomly?
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 12/26

16. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
In Ruby – stream cipher
§
1 require ’openssl ’
2
3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
4 c.encrypt
5
6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
9 c.key = key
10 #key = c. random_key
11 iv = c.random_iv
12
13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
15 wszystkie inne szanowany."
16
17 encrypted = c.update message
18
19 puts "ENCRYPTED :\n#{ encrypted}"

¦ ¥
Symmetric encryption in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26

17. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
In Ruby – stream cipher
§
21 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
22 d.decrypt
23 d.iv = iv
24 d.key = key
25
26 decrypted = d.update(encrypted)
27 decrypted. force_encoding (’utf -8’)
28
29 puts "DECRYPTED :\n#{ decrypted}"

¦ ¥
Symmetric decryption in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26

18. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
In Ruby – block cipher
§
1 require ’openssl ’
2
3 c = OpenSSL :: Cipher.new ’AES -256 - CBC ’ # a block cipher
4 c.encrypt
5
6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
9 c.key = key
10 #key = c. random_key
11 iv = c.random_iv
12
13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
15 wszystkie inne szanowany."
16
17 encrypted = c.update message
18 encrypted += c.final # rest of last ( incomplete ) block

¦ ¥
Symmetric encryption in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26

19. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
In Ruby – block cipher
§
21
22 d = OpenSSL :: Cipher.new(’AES -256 - CBC ’)
23 d.decrypt
24 d.iv = iv
25 d.key = key
26
27 decrypted = d.update(encrypted)
28 decrypted. force_encoding (’utf -8’)
29
30 puts "DECRYPTED :\n#{ decrypted}"

¦ ¥
Symmetric decryption in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26

20. Symmetric encryption Hash Passwords as keys Summary
Plan
1 Symmetric encryption
2 Cryptographic hash functions
4 Summary
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 15/26

21. Symmetric encryption Hash Passwords as keys Summary
Cryptographic hash functions
arbitrary-length message
ﬁxed-size result
one-way function (hopefully ;-))
e.g. MD5, SHA1, SHA2 (SHA256, SHA384, SHA512)
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 16/26

22. Symmetric encryption Hash Passwords as keys Summary
In Ruby
§
1 require ’openssl ’
2
3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
5 wszystkie inne szanowany."
6
7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
8 puts h.inspect
9
10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)

¦ ¥
Compute digest in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

23. Symmetric encryption Hash Passwords as keys Summary
In Ruby
§
1 require ’openssl ’
2
3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
5 wszystkie inne szanowany."
6
7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
8 puts h.inspect
9
10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)

¦ ¥
Compute digest in Ruby
"\xC0p\xB92O\x8F\xF4\x18\xFCn\x89k\x97\x9B\xEF5\"\xEC’|\x8A\x8F\xAE\xC4\xDF\xC6
c070b9324f8ff418fc6e896b979bef3522ec277c8a8faec4dfc658a0efc9881f
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

24. Symmetric encryption Hash Passwords as keys Summary
In Ruby
§
1 require ’openssl ’
2
3 digest = OpenSSL :: Digest.new(’SHA256 ’)
4
5 5. times do
6 digest.update gets
7 end
8
9 puts digest.hexdigest

¦ ¥
Compute digest in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

25. Symmetric encryption Hash Passwords as keys Summary
In Ruby
§
1 require ’openssl ’
2
3 digest = OpenSSL :: Digest.new(’SHA256 ’)
4
5 5. times do
6 digest.update gets
7 end
8
9 puts digest.hexdigest

¦ ¥
Compute digest in Ruby
Litwo, Ojczyzno moja! ty jesteś jak zdrowie;
Ile cię trzeba cenić, ten tylko się dowie,
Kto cię stracił. Dziś piękność twą w całej ozdobie
Widzę i opisuję, bo tęsknię po tobie.
899b352ef6b61bd08a2872a912908c2a54837efc1853c5458c08e9b2f17550bf
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26

26. Symmetric encryption Hash Passwords as keys Summary
Plan
1 Symmetric encryption
2 Cryptographic hash functions
4 Summary
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 18/26

27. Symmetric encryption Hash Passwords as keys Summary
§
1 require ’openssl ’
2
3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
4 c.encrypt
5
6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
9 c.key = key
10 #key = c. random_key
11 iv = c.random_iv
12
13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
15 wszystkie inne szanowany."
16
17 encrypted = c.update message
18
19 puts "ENCRYPTED :\n#{ encrypted}"

¦ ¥
Symmetric encryption in Ruby
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 19/26

28. Symmetric encryption Hash Passwords as keys Summary
Generate binary (pseudorandom) key
Use a lot of CPU time
salt
hash function
XOR
a lot of iterations (from 1000 in year 2000 to 10,000 in IOS 4,
and even 100,000 now, serverside)
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 20/26

29. Symmetric encryption Hash Passwords as keys Summary
PBKDF2 in Ruby
§
1 require ’openssl ’
2
3 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
4
5 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
6 iter = 10 _000
7 key_len = 32 # e.g. for AES -256
8
9 digest = OpenSSL :: Digest.new(’SHA512 ’)
10 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
11 key_len , digest)

¦ ¥
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 21/26

30. Symmetric encryption Hash Passwords as keys Summary
PBKDF2 and symmetric encryption in Ruby
§
1 require ’openssl ’
2
3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
5 wszystkie inne szanowany."
6 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
7
8 # Generate key from password
9 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
10 iter = 10 _000
11 key_len = 32 # e.g. for AES -256
12 digest = OpenSSL :: Digest.new(’SHA512 ’)
13 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
14 key_len , digest)
15 # Encrypt message
16 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
17 c.encrypt
18 c.key = key
19 iv = c.random_iv
20 encrypted = c.update message
21 # deliver ciphertext with salt and IV
22 puts "ENCRYPTED :\n#{ encrypted}"

¦ ¥
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 22/26

31. Symmetric encryption Hash Passwords as keys Summary
PBKDF2 and symmetric decryption in Ruby
§
24 # Generate key from password
25 # use salt delivered with ciphertext
26 iter = 10 _000
27 key_len = 32 # e.g. for AES -256
28 digest = OpenSSL :: Digest.new(’SHA512 ’)
29 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
30 key_len , digest)
31
32 # Decrypt message
33 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
34 d.decrypt
35 d.iv = iv # use IV delivered with ciphertext
36 d.key = key
37
38 decrypted = d.update(encrypted)
39 decrypted. force_encoding (’utf -8’)
40
41 puts "DECRYPTED :\n#{ decrypted}"

¦ ¥
Secure use of password for decryption
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 23/26

32. Symmetric encryption Hash Passwords as keys Summary
Summary
Symmetric algorithms
Cryptographic hashes
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26

33. Symmetric encryption Hash Passwords as keys Summary
Summary
Hard topic
Be sure to know what you do before you do it!
No ”but it works... somehow...” approach!
Next: asymmetric cryptography
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26

34. Symmetric encryption Hash Passwords as keys Summary
References
Ruby OpenSSL rdoc
informatyki II – bezpieczeństwo systemów informatycznych,
sieci komputerowe, systemy operacyjne i bazy danych, Oﬁcyna
Wyd. PRz., 2014.
RFC 2898 PKCS #5: Password-Based Cryptography
Speciﬁcation Version 2.0
https://tools.ietf.org/html/rfc2898#section-5.2
https://en.wikipedia.org/wiki/Block_cipher_mode_
of_operation
Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 25/26

35. Symmetric encryption Hash Passwords as keys Summary
Questions?
Wojciech Rząsa
[email protected]
@wrzasa
Katedra Informatyki i Automatyki, Politechnika Rzeszowska
http://www.kia.prz.edu.pl/
Wojciech Rząsa, @wrzasa, KIiA PRz Questions? 26/26