Using Symmetric Cryptography in Ruby

Transcript

1. Symmetric encryption Hash Passwords as keys Summary
   Using Symmetric Cryptography in Ruby
   Rzeszów Ruby User Group #3
   Wojciech Rząsa
   [email protected]
   @wrzasa
   Katedra Informatyki i Automatyki, Politechnika Rzeszowska
   http://www.kia.prz.edu.pl/
   16.12.2016
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 1/26
   

   View Slide

2. Symmetric encryption Hash Passwords as keys Summary
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 2/26
   

   View Slide

3. Symmetric encryption Hash Passwords as keys Summary
   Plan
   1 Symmetric encryption
   Cipher types
   Cipher modes
   Characteristics
   In Ruby
   2 Cryptographic hash functions
   3 Password based cryptography
   4 Summary
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 3/26
   

   View Slide

4. Symmetric encryption Hash Passwords as keys Summary
   Why use cryptography?
   Confidentiality (data privacy)
   Authenticity (who wrote it?)
   Integrity (was it changed along the way?)
   Non-repudiation
   . . .
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 4/26
   

   View Slide

5. Symmetric encryption Hash Passwords as keys Summary
   Bitwise XOR operation
   Frequently used in cryptography
   Simple
   Cheap
   Easily reversible
   a b a ⊕ b
   1 1 0
   0 0 0
   1 0 1
   0 1 1
   a ⊕ b ⊕ a = b (1)
   a ⊕ b ⊕ b = a (2)
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 5/26
   

   View Slide

6. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
   Symmetric cryptography
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 6/26
   

   View Slide

7. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
   Cipher types
   Stream cipher
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26
   

   View Slide

8. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
   Cipher types
   Stream cipher
   Block cipher
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 7/26
   

   View Slide

9. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
   Cipher modes – Electronic Code Book (ECB)
   [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
   Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 8/26
   

   View Slide

10. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26
    

    View Slide

11. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original ECB encrypted
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26
    

    View Slide

12. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Electronic Code Book (ECB) – example
    Original ECB encrypted Securely encrypted
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Tux the Penguin, the Linux mascot. Created in 1996 by Larry Ewing with The GIMP.
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 9/26
    

    View Slide

13. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher modes – Cipher Block Chaining (CBC)
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 10/26
    

    View Slide

14. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Cipher modes – Counter (CTR)
    [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation]
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 11/26
    

    View Slide

15. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    Characteristics
    Shared key
    Only the key must be kept secret
    Initialization vector (IV) required
    Never reuse IV with the same key!
    Check how to chose IV
    Consciously!
    Randomly?
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 12/26
    

    View Slide

16. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – stream cipher
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18
    19 puts "ENCRYPTED :\n#{ encrypted}"
    
    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26
    

    View Slide

17. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – stream cipher
    §
    21 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
    22 d.decrypt
    23 d.iv = iv
    24 d.key = key
    25
    26 decrypted = d.update(encrypted)
    27 decrypted. force_encoding (’utf -8’)
    28
    29 puts "DECRYPTED :\n#{ decrypted}"
    
    ¦ ¥
    Symmetric decryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 13/26
    

    View Slide

18. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – block cipher
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CBC ’ # a block cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18 encrypted += c.final # rest of last ( incomplete ) block
    
    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26
    

    View Slide

19. Symmetric encryption Hash Passwords as keys Summary Cipher types Cipher modes Characteristics In Ruby
    In Ruby – block cipher
    §
    21
    22 d = OpenSSL :: Cipher.new(’AES -256 - CBC ’)
    23 d.decrypt
    24 d.iv = iv
    25 d.key = key
    26
    27 decrypted = d.update(encrypted)
    28 decrypted. force_encoding (’utf -8’)
    29
    30 puts "DECRYPTED :\n#{ decrypted}"
    
    ¦ ¥
    Symmetric decryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 14/26
    

    View Slide

20. Symmetric encryption Hash Passwords as keys Summary
    Plan
    1 Symmetric encryption
    2 Cryptographic hash functions
    3 Password based cryptography
    4 Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 15/26
    

    View Slide

21. Symmetric encryption Hash Passwords as keys Summary
    Cryptographic hash functions
    arbitrary-length message
    fixed-size result
    one-way function (hopefully ;-))
    e.g. MD5, SHA1, SHA2 (SHA256, SHA384, SHA512)
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 16/26
    

    View Slide

22. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6
    7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
    8 puts h.inspect
    9
    10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)
    
    ¦ ¥
    Compute digest in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26
    

    View Slide

23. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6
    7 h = OpenSSL :: Digest.digest(’SHA256 ’, message)
    8 puts h.inspect
    9
    10 puts OpenSSL :: Digest.hexdigest(’SHA256 ’, message)
    
    ¦ ¥
    Compute digest in Ruby
    "\xC0p\xB92O\x8F\xF4\x18\xFCn\x89k\x97\x9B\xEF5\"\xEC’|\x8A\x8F\xAE\xC4\xDF\xC6
    c070b9324f8ff418fc6e896b979bef3522ec277c8a8faec4dfc658a0efc9881f
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26
    

    View Slide

24. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 digest = OpenSSL :: Digest.new(’SHA256 ’)
    4
    5 5. times do
    6 digest.update gets
    7 end
    8
    9 puts digest.hexdigest
    
    ¦ ¥
    Compute digest in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26
    

    View Slide

25. Symmetric encryption Hash Passwords as keys Summary
    In Ruby
    §
    1 require ’openssl ’
    2
    3 digest = OpenSSL :: Digest.new(’SHA256 ’)
    4
    5 5. times do
    6 digest.update gets
    7 end
    8
    9 puts digest.hexdigest
    
    ¦ ¥
    Compute digest in Ruby
    Litwo, Ojczyzno moja! ty jesteś jak zdrowie;
    Ile cię trzeba cenić, ten tylko się dowie,
    Kto cię stracił. Dziś piękność twą w całej ozdobie
    Widzę i opisuję, bo tęsknię po tobie.
    899b352ef6b61bd08a2872a912908c2a54837efc1853c5458c08e9b2f17550bf
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 17/26
    

    View Slide

26. Symmetric encryption Hash Passwords as keys Summary
    Plan
    1 Symmetric encryption
    2 Cryptographic hash functions
    3 Password based cryptography
    4 Summary
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 18/26
    

    View Slide

27. Symmetric encryption Hash Passwords as keys Summary
    Passwords as keys?
    §
    1 require ’openssl ’
    2
    3 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    4 c.encrypt
    5
    6 #key = "Litwo Ojczyzno moja , ty jesteś jak zdrowie"
    7 key = "\x02\x9A\x04h\xED\xC1 |\ xAE\ xABTE9ZknO\x82\xB9\xD9W" +
    8 "\xD9\x9A\x03\x80\x9B\xC6 -\ xE1\xE3O -\ x1D"
    9 c.key = key
    10 #key = c. random_key
    11 iv = c.random_iv
    12
    13 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    14 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    15 wszystkie inne szanowany."
    16
    17 encrypted = c.update message
    18
    19 puts "ENCRYPTED :\n#{ encrypted}"
    
    ¦ ¥
    Symmetric encryption in Ruby
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 19/26
    

    View Slide

28. Symmetric encryption Hash Passwords as keys Summary
    Password-Based Key Derivation Function (PBKDF)
    Use password as input
    Generate binary (pseudorandom) key
    Use a lot of CPU time
    salt
    hash function
    XOR
    a lot of iterations (from 1000 in year 2000 to 10,000 in IOS 4,
    and even 100,000 now, serverside)
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 20/26
    

    View Slide

29. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 in Ruby
    §
    1 require ’openssl ’
    2
    3 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
    4
    5 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
    6 iter = 10 _000
    7 key_len = 32 # e.g. for AES -256
    8
    9 digest = OpenSSL :: Digest.new(’SHA512 ’)
    10 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    11 key_len , digest)
    
    ¦ ¥
    Generate password-based key
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 21/26
    

    View Slide

30. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 and symmetric encryption in Ruby
    §
    1 require ’openssl ’
    2
    3 message = "Był na Żmudzi ród możny Billewiczów, od Mendoga
    4 się wywodzący , wielce skoligacony i w całym Rosieńskiem nad
    5 wszystkie inne szanowany."
    6 password = "Litwo Ojczyzno moja , Ty jesteś jak zdrowie"
    7
    8 # Generate key from password
    9 salt = OpenSSL :: Random. random_bytes (16) # save with ciphertext
    10 iter = 10 _000
    11 key_len = 32 # e.g. for AES -256
    12 digest = OpenSSL :: Digest.new(’SHA512 ’)
    13 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    14 key_len , digest)
    15 # Encrypt message
    16 c = OpenSSL :: Cipher.new ’AES -256 - CTR ’ # CTR makes stream cipher
    17 c.encrypt
    18 c.key = key
    19 iv = c.random_iv
    20 encrypted = c.update message
    21 # deliver ciphertext with salt and IV
    22 puts "ENCRYPTED :\n#{ encrypted}"
    
    ¦ ¥
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 22/26
    

    View Slide

31. Symmetric encryption Hash Passwords as keys Summary
    PBKDF2 and symmetric decryption in Ruby
    §
    24 # Generate key from password
    25 # use salt delivered with ciphertext
    26 iter = 10 _000
    27 key_len = 32 # e.g. for AES -256
    28 digest = OpenSSL :: Digest.new(’SHA512 ’)
    29 key = OpenSSL :: PKCS5. pbkdf2_hmac (password , salt , iter ,
    30 key_len , digest)
    31
    32 # Decrypt message
    33 d = OpenSSL :: Cipher.new(’AES -256 - CTR ’)
    34 d.decrypt
    35 d.iv = iv # use IV delivered with ciphertext
    36 d.key = key
    37
    38 decrypted = d.update(encrypted)
    39 decrypted. force_encoding (’utf -8’)
    40
    41 puts "DECRYPTED :\n#{ decrypted}"
    
    ¦ ¥
    Secure use of password for decryption
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 23/26
    

    View Slide

32. Symmetric encryption Hash Passwords as keys Summary
    Summary
    Symmetric algorithms
    Cryptographic hashes
    Password-based cryptography
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26
    

    View Slide

33. Symmetric encryption Hash Passwords as keys Summary
    Summary
    Hard topic
    Be sure to know what you do before you do it!
    No ”but it works... somehow...” approach!
    Next: asymmetric cryptography
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 24/26
    

    View Slide

34. Symmetric encryption Hash Passwords as keys Summary
    References
    Ruby OpenSSL rdoc
    Samolej, Rząsa, Rzońca, Sadolewski: Wprowadzenie do
    informatyki II – bezpieczeństwo systemów informatycznych,
    sieci komputerowe, systemy operacyjne i bazy danych, Oficyna
    Wyd. PRz., 2014.
    RFC 2898 PKCS #5: Password-Based Cryptography
    Specification Version 2.0
    https://tools.ietf.org/html/rfc2898#section-5.2
    https://en.wikipedia.org/wiki/Block_cipher_mode_
    of_operation
    Wojciech Rząsa, @wrzasa, KIiA PRz RRUG#3, Symmetric Cryptography in Ruby 25/26
    

    View Slide

35. Symmetric encryption Hash Passwords as keys Summary
    Questions?
    Wojciech Rząsa
    [email protected]
    @wrzasa
    Katedra Informatyki i Automatyki, Politechnika Rzeszowska
    http://www.kia.prz.edu.pl/
    Wojciech Rząsa, @wrzasa, KIiA PRz Questions? 26/26
    

    View Slide