Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ruby: file encryption/decryption with private/public keys

Tags:

I am searching for an algorithm for file encryption/decryption which satisfies the following requirements:

  • Algorithm must be reliable
  • Algorithm should be fast for rather big files
  • Private key can be generated by some parameter (for example, password)
  • Generated private key must be compatible with public key (public key is generated only once and stored in database)

Is there any Ruby implementation of suggested algorithms?

like image 993
tiktak Avatar asked Mar 27 '12 14:03

tiktak


2 Answers

Note Well: As emboss mentions in the comments, this answer is a poor fit for an actual system. Firstly, file encryption should not be carried out using this method (The lib provides AES, for example.). Secondly, this answer does not address any of the wider issues that will also affect how you engineer your solution.

The original source also goes into more details.

Ruby can use openssl to do this:

#!/usr/bin/env ruby  # ENCRYPT  require 'openssl' require 'base64'  public_key_file = 'public.pem'; string = 'Hello World!';  public_key = OpenSSL::PKey::RSA.new(File.read(public_key_file)) encrypted_string = Base64.encode64(public_key.public_encrypt(string)) 

And decrypt:

#!/usr/bin/env ruby  # DECRYPT  require 'openssl' require 'base64'  private_key_file = 'private.pem'; password = 'boost facile'  encrypted_string = %Q{ ... }  private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file),password) string = private_key.private_decrypt(Base64.decode64(encrypted_string)) 

from here

like image 152
brice Avatar answered Jan 28 '23 00:01

brice


I'm afraid you are mixing two concepts here, authentication/authorization and confidentiality, trying to cover both aspects in one single step, and that won't work. You should never encrypt "real data" with asymmetric algorithms. a) they are way too slow for that, b) there are subtle issues that, if not done right, will severely weaken the security of your solution.

A good rule of thumb is that the only thing you should end up encrypting with private asymmetric keys is symmetric keys used by a much faster symmetric algorithm. But in almost all cases you shouldn't even be doing that, because in 90% of the cases what you actually want is TLS (SSL) in those cases - I tried to explain why here a while ago.

In your case, I assume the requirements are:

  • confidentiality of the data that is to be stored in the database: the general public shouldn't be able to read it (or even access it)

  • a selected few (probably just one person) should be able to access and read that data

The first goal is generally achieved by using symmetric encryption. The second goal is, albeit related, realized by quite different means. You want the user accessing the file to be authenticated (i.e. establish the identity) and on top of that you also want them to be authorized (i.e. check whether the established identity has the right to do what they intend to). This is where asymmetric cryptography may enter the stage, but not necessarily. Since your question is tagged with Rails I assume we are talking about a Rails application. You typically already have some means to authenticate and authorize users there (most likely involving the afore-mentioned TLS), you may simply reuse them in order to establish a symmetric key for actual file encryption/decryption. Password-based encryption would fit for this purpose, if you want to avoid asymmetric crypto at all. Things get even more complicated if you also want to ensure integrity of the already confidential data, that is, you want to give a kind of guarantee to the authenticated and authorized user in the sense that what they finally access has not been altered in any way in the meantime.

Developing a solution for this will be no trivial task and depend to a large extent on your given requirements, so I'm afraid there's no "golden way" that suits everyone. I would suggest to do some research, get a clearer picture of what you are trying to achieve and how, then try to get additional advice on subjects that you still feel uncertain/uncomfortable with.

like image 25
emboss Avatar answered Jan 28 '23 00:01

emboss