"It's easy to get crypto wrong, and useless)" Yes, it is. I wrote a blog entry that discusses the various factors involving portability w/ block symmetric encryption algorithms (specifically AES, but it applies to any block encryption algoritm). In a nutshell, you have these things which must match: (1) Algorithm (Blowfish, AES, Twofish, etc.) (2) Mode (CBC, ECB) (3) Key Length (128-bit, 192-bit, 256-bit) (4) Initialization Vector (5) Secret Key (6) Padding Scheme (but only last block will differ if mismatched). (7) Byte ordering issues? (8) Charset encoding if encrypting text (are you encrypting Unicode, ANSI, utf-8, etc?) The blog entry is here: http://blog.chilkatsoft.com/?p=123 I wrote it because I get so many emails that read like: "I'm encrypting in PHP, but need to decrypt in ASP..." The general problem is that you're encrypting in one programming language, or with one tool/sdk, but need to decrypt on something entirely different. Or worse, you have a database full of encrypted data and a few years down the road you want to re-design your systems in some other programming language. I wrote another blog entry about data expansion with block encryption algorithms: http://blog.chilkatsoft.com/?p=119 The common question is: "How big should my database field be when encrypting strings that are no longer than N?" The factors involved are: (1) Algorithm block size (2) Padding scheme (3) Output encoding, such as hex or base64 if encrypted output is a string (4) Character encoding -- again, are you encrypting 2 byte/char Unicode, utf-8, iso-8859-1, etc...? I think the info in these blog posts apply to any programming language or API... Best Regards, Matt At 08:08 AM 11/4/2006, you wrote: >On 11/4/06, Brad Tilley <rtilley / vt.edu> wrote: >>Does anyone use openssl within Ruby to encrypt data? I want to use a hosted >>MySQL database, but most of the hosting companies do not support >>MySQL with the >>aes_encrypt() or aes_decrypt() functions. 
>>
>>Most have Ruby bindings to MySQL and they support Rails. So, I thought I could
>>use openssl to encrypt data within Ruby and then store that data in the
>>database. I don't know if others are doing this. I thought I'd ask the list to
>>see if others do this.
>>
>>Thank you,
>>Brad
>
>I'm not doing it ('cause I just don't need it ;-). Anyway I think it
>should work. However please note some possible problems:
>
>1. you'll want to have your records independent - therefore either
>using ECB mode or special IV for each record.
>
>2. you don't want to have the same data in different places encrypted
>into the same ciphertexts - therefore you'll need either IV or some
>kind of salt, that you'll need to store somewhere (it depends on the
>data you store, maybe a per row IV would be enough)
>
>3. most probably you can't encrypt the index fields, and search will
>not work as usual on encrypted fields.
>
>Taking this into consideration, it should be possible to create a
>schema that will work.
>
>(If you don't know what these IV, ECB and salt things are, I recommend
>reading something on cryptography, e.g. [1]. It's easy to get crypto
>wrong, and useless)
>
>[1] http://www.cacr.math.uwaterloo.ca/hac/
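
An added example, not part of the original message or the linked blog posts: Ruby's OpenSSL binding with the parameters from the list above pinned explicitly and a per-record IV as the quoted reply suggests, together with the worst-case field-width calculation for strings of at most N characters. The function names, the choice of AES-256-CBC, the IV-prepended storage layout and the base64 output are assumptions made for illustration.

```ruby
require "openssl"

BLOCK = 16 # AES block size in bytes, the same for every key length

# Encrypt one field with every portability parameter fixed in code:
# AES, CBC, 256-bit key, PKCS#7 padding (OpenSSL's default), UTF-8 input,
# a fresh random IV per record stored in front of the ciphertext, base64 output.
def encrypt_field(text, key)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                      # per-record IV
  ct = cipher.update(text.encode("UTF-8")) + cipher.final
  [iv + ct].pack("m0")                       # strict base64, no newlines
end

# Reverse of encrypt_field: split off the IV, decrypt, tag the bytes as UTF-8.
def decrypt_field(stored, key)
  raw = stored.unpack1("m0")
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  cipher.decrypt
  cipher.key = key
  cipher.iv = raw.byteslice(0, BLOCK)
  body = raw.byteslice(BLOCK, raw.bytesize - BLOCK)
  (cipher.update(body) + cipher.final).force_encoding("UTF-8")
end

# Worst-case column width for strings of at most max_chars characters.
# bytes_per_char is the charset's maximum (4 for UTF-8, 1 for iso-8859-1).
def field_width(max_chars, bytes_per_char: 4, encoding: :base64)
  plain  = max_chars * bytes_per_char
  padded = (plain / BLOCK + 1) * BLOCK       # PKCS#7 always adds 1..16 bytes
  raw    = BLOCK + padded                    # stored IV + ciphertext
  encoding == :hex ? raw * 2 : ((raw + 2) / 3) * 4
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32)     # constructed sample key
  stored = encrypt_field("4111 1111 1111 1111", key) # constructed sample value
  puts "stored #{stored.length} chars, column must allow #{field_width(19)}"
  puts decrypt_field(stored, key)
end
```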