CryptoRuby 101

CryptoRuby 101 by [email protected] from A Professional Mobile Device Management
Company

CryptoRuby 101 very basic stuff in general cryptography (encypt/decript) featuring
Ruby Standard Library Extension (OpenSSL) what to expect from today's

(en|de)crypt symmetric encrypt with secret key decrypt with secret key
asymmetric ecrypt with public key decrypt with private key

• an open-source library, written in C • implements basic
cryptographic functions and SSL and TLS protocols • founded in 1998, used by 2/3 of all webservers • https://www.openssl.org

require 'openssl' • Ruby Standard Library Extension:  /ext/openssl/* • http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/index.html

symmetric-key cryptography   a cipher (or cypher) is an algorithm
for   encryption or decryption OpenSSL::Cipher Chiper Block Chaining mode encryption

CBC = Chiper Block Chaining CBC mode encryption

source: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation CBC mode encryption

OpenSSL::Cipher Code Snippet

msg = 'hello secret world' cipher = OpenSSL::Cipher.new('AES-256-CBC').encrypt iv =
cipher.random_iv key = cipher.random_key encrypted = cipher.update(msg) + cipher.final # safe to share publicly: encrypted, alg, iv decipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt dechiper.iv, dechiper.key = iv, key decrypted = decipher.update(encrypted) + decipher.final puts msg == decrypted #=> true

ActiveSupport::MessageEncryptor   a simple way to encrypt values which get
stored somewhere you don't trust

ActiveSupport::MessageEncryptor #encrypt_and_sign #decrypt_and_verify • implemented using OpenSSL::Cipher • https://github.com/rails/rails/blob/master/activesupport/ lib/active_support/message_encryptor.rb#L100
• default cipher algorythm is 'AES-256-CBC'

ActiveSupport::MessageEncryptor class EncryptedCookieJar def initialize(parent_jar, key_generator, options = {}) @parent_jar
= parent_jar @options = options secret = key_generator.generate_key(@options[:encrypted_cookie_salt]) sign_secret = key_generator.generate_key(@options[:encrypted_signed_cookie_salt]) @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, ...) end # etc... used as @encryptor in ActionDispatch::EncryptedCookieJar https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/ middleware/cookies.rb

ActiveSupport::MessageEncryptor Code Snippet

cookie = "user_id:1" key = Rails.application.secrets[:secret_key_base] chiper = ActiveSupport::MessageEncryptor.new(key) encrypted_cookie
= chiper.encrypt_and_sign(cookie)  # cookie: "#{base64_encrypted_data}--#{base_64_iv}" # read encrypted_cookie decrypted = chiper.decrypt_and_verify(encrypted_cookie) cookie == decrypted #=> true

cookie = "user_id:1" salt = SecureRandom.random_bytes(64)  pass = 'password'  key
= ActiveSupport::KeyGenerator.new(pass).generate_key(salt) chiper = ActiveSupport::MessageEncryptor.new(key) encrypted_cookie = chiper.encrypt_and_sign(cookie)  # cookie: "#{base64_encrypted_data}--#{base_64_iv}" # read encrypted_cookie decrypted = chiper.decrypt_and_verify(encrypted_cookie) cookie == decrypted #=> true

Re-cap • explore OpenSSL namespace  http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/index.html • start with simple
OpenSSL::Cipher  http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/OpenSSL/Cipher.html • dive into Asymmetric Public Key Algorithms: OpenSSL::PKey  http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/OpenSSL/PKey.html   http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/OpenSSL/PKey/RSA.html

Gems • ActiveSupport • SymmetricEncryption  provides encryption of data for
Ruby and Rails:  https://github.com/reidmorrison/symmetric-encryption • Strongbox  provides Public Key Encryption for ActiveRecord:  https://github.com/spikex/strongbox • etc: https://www.ruby-toolbox.com/categories/encryption

cryptofails.com “Be skeptical of everything you read and hear about
crypto”

CryptoRuby 101

CryptoRuby 101

Zoran Majstorovic

More Decks by Zoran Majstorovic

Other Decks in Programming

Featured

Transcript

CryptoRuby 101 by [email protected] from A Professional Mobile Device Management

CryptoRuby 101 very basic stuff in general cryptography (encypt/decript) featuring

(en|de)crypt symmetric encrypt with secret key decrypt with secret key

• an open-source library, written in C • implements basic

require 'openssl' • Ruby Standard Library Extension:  /ext/openssl/* • http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/index.html

symmetric-key cryptography   a cipher (or cypher) is an algorithm

CBC = Chiper Block Chaining CBC mode encryption

CBC = Chiper Block Chaining CBC mode encryption

source: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation CBC mode encryption

OpenSSL::Cipher Code Snippet

msg = 'hello secret world' cipher = OpenSSL::Cipher.new('AES-256-CBC').encrypt iv =

ActiveSupport::MessageEncryptor   a simple way to encrypt values which get

ActiveSupport::MessageEncryptor #encrypt_and_sign #decrypt_and_verify • implemented using OpenSSL::Cipher • https://github.com/rails/rails/blob/master/activesupport/ lib/active_support/message_encryptor.rb#L100

ActiveSupport::MessageEncryptor class EncryptedCookieJar def initialize(parent_jar, key_generator, options = {}) @parent_jar

ActiveSupport::MessageEncryptor Code Snippet

cookie = "user_id:1" key = Rails.application.secrets[:secret_key_base] chiper = ActiveSupport::MessageEncryptor.new(key) encrypted_cookie

cookie = "user_id:1" salt = SecureRandom.random_bytes(64)  pass = 'password'  key

Re-cap • explore OpenSSL namespace  http://ruby-doc.org/stdlib-2.2.2/libdoc/openssl/rdoc/index.html • start with simple

Gems • ActiveSupport • SymmetricEncryption  provides encryption of data for

cryptofails.com “Be skeptical of everything you read and hear about