How to encrypt/decrypt data?

chillfox · August 26, 2020, 2:35am

Hi,

I am having trouble figuring out how to use OpenSSL::Cipher to decrypt data.
I keep getting this error:

Unhandled exception: EVP_CipherFinal_ex: Unknown or no error (OpenSSL::Cipher::Error)
  from ../../../../../snap/crystal/397/share/crystal/src/openssl/cipher.cr:70:7 in 'final'
  from src/crystal_encryption.cr:39:12 in 'decrypt'
  from src/crystal_encryption.cr:57:18 in '__crystal_main'
  from ../../../../../snap/crystal/397/share/crystal/src/crystal/main.cr:105:5 in 'main_user_code'
  from ../../../../../snap/crystal/397/share/crystal/src/crystal/main.cr:91:7 in 'main'
  from ../../../../../snap/crystal/397/share/crystal/src/crystal/main.cr:114:3 in 'main'
  from __libc_start_main
  from _start
  from ???

I would really appreciate it if someone could spare some time to look at the code and let me know what I am doing wrong.

github.com

chillfox/Crystal-encryption-example/blob/master/src/crystal_encryption.cr

require "random/secure"
require "openssl/pkcs5"
require "openssl/cipher"



def key_derivation(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, OpenSSL::Algorithm::SHA256, 32)
end


def encrypt(data, key)
  iv = Random::Secure.random_bytes(32)

  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv

  io = IO::Memory.new

This file has been truncated. show original

aravindavk · August 26, 2020, 10:17am

Similar example from here is working fine with Bytes size 16 and “aes-128-gcm” encryption.

But in your example, it is failing here

github.com

crystal-lang/crystal/blob/5999ae29b/src/openssl/cipher.cr#L69-L71


if LibCrypto.evp_cipherfinal_ex(@ctx, buffer, pointerof(buffer_length)) != 1
  raise Error.new "EVP_CipherFinal_ex"
end

aravindavk · August 26, 2020, 10:25am

Got it working by using single instance of cipher and passing it as parameter.

password = "password"
salt = Random::Secure.random_bytes(32)
data = "Secret data that needs to be encrypted"

key = key_derivation password, salt


cipher = OpenSSL::Cipher.new("aes-256-gcm")
encrypted_data = encrypt cipher, data, key
puts "Encrypted data: #{encrypted_data.to_s}"
puts "--------------------"
decrypted_data = decrypt cipher, encrypted_data, key
puts "Decrypted data: #{decrypted_data.to_s}"

jwoertink · August 26, 2020, 4:00pm

I recently had to do the same. Here’s a shard I made to help me out https://github.com/jwoertink/psst/blob/master/crystal/src/psst.cr Feel free to pull some ideas from that.

Also note that the Crystal OpenSSL::Cipher may be missing some methods https://github.com/crystal-lang/crystal/issues/9681 just in case you run in to that.

chillfox · August 27, 2020, 2:28am

Thanks,

@aravindavk,
A single instance of Cipher works because some state is being kept between encryption/decryption. Notably, it breaks if you do the encryption/decryption independently.

To demonstrate this I have separated the encryption/decryption into separate files that writes/reads the encrypted data to a file.

$ crystal src/encrypt.cr
$ cat encrypted_data
<gibberish>
$ crystal src/decrypt.cr
<same_error>

github.com

chillfox/Crystal-encryption-example/blob/master/src/encrypt.cr

require "random/secure"
require "openssl/pkcs5"
require "openssl/cipher"


password = "password"
salt = Random::Secure.random_bytes(32)
data = "Secret data that needs to be encrypted"
key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, OpenSSL::Algorithm::SHA256, 32)


iv = Random::Secure.random_bytes(32)

# cipher = OpenSSL::Cipher.new("aes-256-cbc")
cipher = OpenSSL::Cipher.new("aes-256-gcm")
cipher.encrypt
cipher.key = key
cipher.iv = iv

io = IO::Memory.new

This file has been truncated. show original

github.com

chillfox/Crystal-encryption-example/blob/master/src/decrypt.cr

require "random/secure"
require "openssl/pkcs5"
require "openssl/cipher"


password = "password"
data = File.read("encrypted_data").to_slice
salt = data[0, 32]
key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, OpenSSL::Algorithm::SHA256, 32)


data += 32
# cipher = OpenSSL::Cipher.new("aes-256-cbc")
cipher = OpenSSL::Cipher.new("aes-256-gcm")
cipher.decrypt
cipher.key = key
cipher.iv = data[0, 32]
data += 32

io = IO::Memory.new

This file has been truncated. show original

@jwoertink,
I noticed that you are using “aes-256-cbc” in your code, and that does indeed work whereas the “aes-256-gcm” that I was using does not. And yeah, looks like those missing methods are required for gcm.

The main difference between gcm and cbc as far as I understand is that gcm does data integrity checks and cbc does not.

Switching my example to use cbc the effect of data corruption can be seen like this:

encrypted_data[33] = 1 # data corruption
decrypted_data = decrypt encrypted_data, key
puts "Decrypted data: #{decrypted_data.to_s}"

Could you explain why you picked the numbers that you did for the salt/iv (8/16 bytes)?
I thought that the iv needed to match the key length.

aravindavk · August 27, 2020, 2:57am

A single instance of Cipher works because some state is being kept between encryption/decryption. Notably, it breaks if you do the encryption/decryption independently.

Totally makes sense. They should not depend on each other.

jwoertink · August 27, 2020, 3:32pm

I was trying to port this lib https://github.com/mdp/gibberish/blob/master/lib/gibberish/aes.rb#L137 which uses the gcm, and those missing methods. It also uses 12 bytes for the iv, but when I used 12 with cbc, Crystal throws an error and said it had to be 16.

I don’t know anything about cryptography, or encryption. So I can’t say that my was is a good way of doing, but it works for what I needed (for now). It seems like the Crystal Crypto stuff needs a lot of love. I’m finding a few instances where there’s some missing areas like the Crystal version of ecdsa, elliptic and rsa. So if you find a better way to handle this, then I’m all ears!

chillfox · August 28, 2020, 1:44am

Yeah, the crypto stuff is a bit rough compared to the rest of Crystal.

I do wish there were a simple to use API for encryption built in, something like this.

text = "secret stuff..."

key, salt = Crypto::PBKDF2.key_derivation "password" #(optional) provide salt : Bytes

encrypted_bytes = text.bytes.encrypt key #(optional), algorithm: Crypto::AES256CBC
# encrypted_text, iv = ...  (maybe return the iv, but I think I  would prefer it to just be baked in to the result)

decrypted_bytes = encrypted_bytes.decrypt key #(optional), provide the algorithm
decrypted_text = decrypted_bytes.to_s

I don’t know, just would be nice if crypto was easy to use and hard to get wrong by default instead of the other way around. Also good examples in the documentation would be great.

Guess I will use cbc for now so I can get on with finishing this application.

nico · November 9, 2020, 8:04am

Hello,

I also broke my teeth a bit with the crypto in Crystal. But the std is rather well provided at low level. I just published this shard to simplify the Crypto in Crystal: https://github.com/Nicolab/crystal-crypt

Also, other crypto algo in Crystal:

ecdsa: https://github.com/Axentro/crystal-ecdsa
argon2: https://github.com/Axentro/crystal-argon2

chillfox · November 9, 2020, 11:50pm

Thanks, @nico,
Thats awesome!

Didactic.Drunk · March 18, 2021, 5:57pm

That’s what sodium/nacl were designed for. “The design choices emphasize security and ease of use. But despite the emphasis on high security, primitives are faster across-the-board than most implementations.”

There are crystal bindings which I maintain and a list of questions to help you decide which API to use.

The encrypted data is cross language/platform and validated against the python/ruby sodium bindings so you can pass the data to other applications easily.

Internally it uses ECDSA & argon2 as recommended by @nico. Argon2 is a big step up from PBKDF2. There’s even a program to help you choose security parameters. Or just look at the table.

There are several other features like using mlocked memory so keys don’t get paged to disk, wiping the keys when no longer used and nonce reuse detection. All of it tested with -Dpreview_mt.

Many cryptographers recommend not rolling your own crypto unless very experienced and even then having it validated.

Didactic.Drunk · March 18, 2021, 6:00pm

From the gibberish project page:

Note: It’s 2017 and if you’re looking for a modern and actively maintained Ruby encryption library you should do yourself a favor and check out RbNaCl. Gibberish was started in 2011 when encryption on Ruby was not a trivial matter, however thanks to projects like NaCl and LibSodium that’s no longer the case.

chillfox · March 19, 2021, 2:57pm

Thanks @Didactic.Drunk, I will have to try it out.
I tend to write CLI apps that automate things across multiple systems so my use case is basically an integrated password manager.

Didactic.Drunk · March 23, 2021, 11:14pm

There 3 classes are designed with your use case in mind:

All of them fit together to encrypt a password database.

Create helps you choose encryption strength by timing the users system.
Key takes the params from Create with the users password and derives a unique key.
Kdf is used to derive subkeys. This class produces the encryption keys used by SecretBox or XChaCha20Poly1305Ietf (recommended).
`

`Password::Create`

Helps you choose parameters. There are several strategies in choosing key strength. Some recommendations:

Use fixed parameters after timing them on the slowest system likely to be used (easy)
Let Create choose them based on a given time estimate. (easy)
Display different values to the user letting them decide by using Create or copying one of the examples (harder)

When choosing max mem be sure you take multiple systems and other programs in to account. Don’t set it to the systems max memory. Maybe use the lesser of 1/4, 1/8 system memory with a max of 256M-1024M.

It’s ok to use the defaults. They have fairly conservative values.

Password::Key

Takes the password with the provided params and gives a high quality master key. Only use this key to derive subkeys. Never store it.

Password can directly give you a Kdf so you never need to touch this.

Kdf

Derives subkeys from a master key. Use this to create individual encryption keys for each file or possibly each database record.

If you encrypt your password database as a single file you probably need 1 subkey.
If you want different databases or each entry to have it’s own encryption key then you’ll need multiple subkeys.

Convenience methods exist to create CryptoBox, Sign or other Sodium objects. Prefer these methods to using subkeys directly. It’s less effort.

Example

# First use - creating a password key and saving an initial database
pwkc = Sodium::Password::Key::Create.new
pwkc.tcost = 0.5 # Up to 1/2 second to create key.
kdf, params = pwkc.create_kdf password

save params for later

# use unique values for each file/record
# string portion must be 8 chars and may be a fixed value or possibly table name
# the int portion may be a fixed value for single file, db record id or other
cipher = kdf.aead_xchacha20poly_ietf "8charsub", 0
data = cipher.encrypt database.to_json
File.write("db", data)

# Loading a password database
pwkey = Sodium::Password::Key.from_params hash
kdf = pwkey.derive_kdf pass
cipher = kdf.aead_xchacha20poly_ietf "8charsub", 0
database = cipher.decrypt File.read("db").from_json

See examples for further information