Encryption library

I could've sworn that I saw some Ruby library for encrypting stuff
like credit cards. But my google fu fails me. Any ideas?

Joe

OpenSSL?

Joe Van Dyk wrote:

···

I could've sworn that I saw some Ruby library for encrypting stuff
like credit cards. But my google fu fails me. Any ideas?

Joe

Here is an example of one way to use public key (asymmetric)
encryption using openssl. Requires an ssl certificate/key pair, but
only the certificate is required to encrypt.

require 'openssl'

keyfile = 'test.key'
certfile = 'test.crt'
data = "this is a test"

cert = OpenSSL::X509::Certificate.new(File.read(certfile))
key = OpenSSL::PKey::RSA.new(File.read(keyfile))
cipher = OpenSSL::Cipher::AES.new("128-CBC")

tmp = OpenSSL::PKCS7.encrypt([cert], data, cipher, OpenSSL::PKCS7::BINARY)
p7 = OpenSSL::PKCS7::PKCS7.new(tmp.to_der)

## Data will be stored as string so emulate that here
p7s = p7.to_s

## Create pkcs7 object out of pkcs7 data
p7 = OpenSSL::PKCS7::PKCS7.new(p7s)
dec = p7.decrypt(key,cert)
print dec

Timothy Goddard wrote:

OpenSSL?

I think he actually means for -storing- credit cards. I highly
reccommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.

Is this what you are looking for? http://rubyforge.org/projects/crypt/

···

--
Posted via http://www.ruby-forum.com/.

OpenSSL can be used as a general-purpose crypto lib. Theres a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:

···

************************
#!/usr/bin/env ruby
require 'openssl'

text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"

puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
***************************

On 8/30/06, William Crawford <wccrawford@gmail.com> wrote:

Timothy Goddard wrote:
> OpenSSL?

I think he actually means for -storing- credit cards. I highly
reccommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.

Is this what you are looking for? http://rubyforge.org/projects/crypt/

--
Posted via http://www.ruby-forum.com/.

This example clearly shows why in the other thread the question was raised regarding hiding the key in a C extention. As-is anybody would easily be able to decrypt. And if you have an algoritm that builds the key into part of the encrypted string somebody could easily digest the algorithm and extract the key from the encrypted string. Am I missing something in general about cryptography? I admit I need to read up more in this area.

Aleks Kissinger wrote:

···

OpenSSL can be used as a general-purpose crypto lib. Theres a good
example of using a plain symmetric cipher in the ruby 1.8.4 source, in
samples/openssl/crypt.rb:

************************
#!/usr/bin/env ruby
require 'openssl'

text = "abcdefghijklmnopqrstuvwxyz"
key = "key"
alg = "DES-EDE3-CBC"
#alg = "AES-128-CBC"

puts "--Setup--"
puts %(clear text: "#{text}")
puts %(symmetric key: "#{key}")
puts %(cipher alg: "#{alg}")
puts

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt(key) #, "iv12345678")
cipher = des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt(key) #, "iv12345678")
out = des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts
***************************

On 8/30/06, William Crawford <wccrawford@gmail.com> wrote:

Timothy Goddard wrote:
> OpenSSL?

I think he actually means for -storing- credit cards. I highly
reccommend you do NOT do this. Or at least tell me what the website is,
so I never shop there.

Is this what you are looking for? http://rubyforge.org/projects/crypt/

--
Posted via http://www.ruby-forum.com/.

IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (publik key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

What do you do in the situation where the key is in a store protected by a passphrase? And one's application needs to run in the background and can't accept user input. Aren't you still in the same position? Need a way to hide the key/passphrase.

snacktime wrote:

···

IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (publik key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

Right. Cryptography is a tricky thing, and if your effort should bring
any results, it is necessary to know what you're doing. That's why
it's better to stick with the standard schemes, if possible. Omit one
little step, and your super secure encryption might degrade to
something a child will break.

Good intro book is Schneier's Applied Cryptography, and maybe the
newer Practical Cryptography, although I haven't read the latter.

Good 'encyclopedic' book is Handbook of applied cryptography by
Menezes et al., You can even download it from the web. It lists most
common-used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math :wink:

···

On 8/30/06, snacktime <snacktime@gmail.com> wrote:

IMO, if you are going to use encryption for sensitive data then you
should read up a bit on asymmetric (publik key) versus symmetric
cryptography and at least have a basic understanding of how this stuff
works. Ruby openssl works great, but unless you are already familiar
with openssl in general the docs probably won't do you much good. The
test suite in the ruby source though has a lot of examples.

Chris

It depends on several factors:
- what are your target criteria for security
  - what attack do you want to prevent by encryption - i.e. up to what
level of reverse engineering (looking at ruby sources, debugging
executable code,...)
  - what access has the attacker to the machine and/or to the code
  - etc.
then:
- it's hard to keep the password on the computer where attacker has
access to. From that point, it's just a matter of who of you is
willing to put more effort.

possible solutions:
- ask the password when the thing starts, and keep in the memory;
- use closed C module to do the encryption/decryption (and try to
prevent running the module by the attacker) with memory locking,
permissions etc.
- use hardware crypto device (aka smartcard. you can pull it off the
system, and you can assume the keys in it are safe, and it is not
duplicable)
- forget sesions keys asap
- make key exchanges unrepeatable

···

On 8/30/06, Cliff Cyphers <cdc@cyphers.dns2go.com> wrote:

What do you do in the situation where the key is in a store protected by
a passphrase? And one's application needs to run in the background and
can't accept user input. Aren't you still in the same position? Need a
way to hide the key/passphrase.

I have done some search but could not find a place where I could get the
downloadable version. Could you provide a link please?

Greetings,
JS

···

On Thu, 2006-08-31 at 05:11 +0900, Jan Svitok wrote:

Good 'encyclopedic' book is Handbook of applied cryptography by
Menezes et al., You can even download it from the web. It lists most
common-used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math :wink:

Google "Handbook of applied cryptography" & click "I'm feeling lucky"

PGP.sig (186 Bytes)

···

On 30 Aug , 2006, at 9:01 PM, Srinivas JONNALAGADDA wrote:

On Thu, 2006-08-31 at 05:11 +0900, Jan Svitok wrote:

Good 'encyclopedic' book is Handbook of applied cryptography by
Menezes et al., You can even download it from the web. It lists most
common-used algorithms, along with their usage and drawbacks. Beware:
It contains lots of math :wink:

I have done some search but could not find a place where I could get the
downloadable version. Could you provide a link please?

Greetings,
JS

--
Matt Long mlong@acm.org / mtlong@csee.usf.edu
University of South Florida, CRASAR
GnuPG public key: http://www.robothor.com/key.gpgkey

"If you have to ask what jazz is, you'll never know" --Louis Armstrong

Great!

Greetings,
JS

···

On Thu, 2006-08-31 at 10:44 +0900, Matt Long wrote:

Google "Handbook of applied cryptography" & click "I'm feeling lucky"