Blowfish, unauthenticated, CBC, constant IV #6

Open
stouset opened this issue Feb 23, 2017 · 3 comments
@stouset
stouset commented Feb 23, 2017

The cryptography behind this gem is far behind standards considered minimally acceptable for modern systems.

Far better would be AES-128-GCM with a random IV. Best would be ChaCha20-Poly1305 on systems that support it. I am happy to provide a pull request if you are not opposed to merging it.

@copiousfreetime
Collaborator

@stouset Sounds like a good idea. One thing that we'll definitely need is a way that automatically converts the encrypted file from the bf-cbc algorithm to aes-128-gcm. We'd be happy to see a pull request 😄 .

@kigster
kigster commented Apr 28, 2017

For a similar tool, but with a more conventional symmetric encryption algorithm, please check out a gem called sym. It offers AES-256-CBC cipher with random iv for the data encryption, and can optionally use AES-128-CBC for encrypting the 256-bit encryption key with an arbitrary password.

While sym does not have as simple of a Rails integration as this gem does, it has a couple of neat features such as the ability to use OS-X Keychain to store the key locally on a Mac, as well as time-sensitive password caching for keys that are password-protected.

On the implementation side — when the data is encrypted, sym uses light-weight serialization around the encrypted data, which includes the serialization format version. This thin wrapper allows adding arbitrary metadata to the encrypted files, supporting various extensions and additional cipher types in the future.

I wrote sym (sorry for the shameless plug) after spending several days of painstakingly looking for a gem like sekrets or sym and — obviously — not finding it :)

But it is my hope that it is the community that ultimately benefits from having multiple solutions, with slightly different set of features, even if the overall intention can sometimes be similar.

@ahoward
Owner

ahoward commented May 16, 2024

@stouset and @copiousfreetime see -> #18

i am working on this.

general idea is having a yaml formatted keyfile with the cipher and other metadata inside it. this will allow automatic key/cipher detection moving forward which should allow the gem to easily migrate people forward. my question to you both is:

what do you think is the preferred setup wrt to keysize/cipher, etc?

i am not a fan of system dependent preferences because debugging nightmare not to mention having different behavior in, for eg, production vs dev vs ci envs but..... love to hear more.
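
An added example, not code from this gem or from anyone in the thread: a sketch of the keyfile-with-metadata idea combined with the AES-128-GCM and random IV proposal from the first comment. The keyfile fields (`cipher`, `key`), the `iv + tag + ciphertext` blob layout and all function names are assumptions made for illustration.

```ruby
require "openssl"
require "yaml"
require "base64"

# Hypothetical keyfile layout (assumed here, not the gem's format):
#   cipher: aes-128-gcm
#   key: <base64 of random key bytes>
def generate_keyfile(cipher = "aes-128-gcm")
  key = OpenSSL::Random.random_bytes(OpenSSL::Cipher.new(cipher).key_len)
  YAML.dump("cipher" => cipher, "key" => Base64.strict_encode64(key))
end

# A keyfile that is not a YAML mapping with a cipher entry is treated as a
# legacy bare key, i.e. the bf-cbc setup that a migration step has to handle.
def detect_cipher(keyfile_text)
  doc = YAML.safe_load(keyfile_text)
  doc.is_a?(Hash) && doc["cipher"] ? doc["cipher"] : "bf-cbc"
rescue Psych::Exception
  "bf-cbc"
end

def encrypt(keyfile_text, plaintext)
  meta = YAML.safe_load(keyfile_text)
  cipher = OpenSSL::Cipher.new(meta.fetch("cipher")).encrypt
  cipher.key = Base64.strict_decode64(meta.fetch("key"))
  iv = cipher.random_iv               # fresh 12-byte IV for every message
  cipher.auth_data = meta["cipher"]   # bind the cipher name into the tag
  body = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + body)
end

def decrypt(keyfile_text, blob)
  meta = YAML.safe_load(keyfile_text)
  raw = Base64.strict_decode64(blob)
  iv, tag, body = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new(meta.fetch("cipher")).decrypt
  cipher.key = Base64.strict_decode64(meta.fetch("key"))
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = meta["cipher"]
  # final raises OpenSSL::Cipher::CipherError if the blob was modified
  cipher.update(body) + cipher.final
end
```

Because the IV is random, encrypting the same plaintext twice yields different blobs, and any modification of the blob fails tag verification instead of decrypting to altered plaintext.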
