Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Authenticated Encryption with Associated Data

branch: master

Merge pull request #3 from AKoetsier/master

Added AES-128-GCM cipher with some extra options
latest commit eaa4f7ddbc
Ben Lordnibbler authored
README.md

aead

Ruby library for generating AEAD (authenticated encryption with associated data) ciphertexts.

Description

Modern encryption best practices encourage the use of authenticated encryption: ciphertext contents should be authenticated during the decryption process, preventing either malicious or unintentional silent corruption.

This library provides an extension to the Ruby OpenSSL bindings that allows access to the GCM mode supported by OpenSSL (in versions higher than 1.0.0). For Rubies linked against older versions of OpenSSL, a mode is provided to perform AES-256-CTR with HMAC-SHA-256, as encouraged by Colin Percival.

Getting Started

require 'aead'

# currently, AES-256-GCM and AES-256-CTR-HMAC-SHA-256 are supported
mode   = AEAD::Cipher.new('AES-256-GCM')
key    = mode.generate_key
nonce  = mode.generate_nonce

cipher    = mode.new(key)
aead      = cipher.encrypt(nonce, 'authentication data', 'plaintext')
plaintext = cipher.decrypt(nonce, 'authentication data', aead)

If any of the key, nonce, authentication data, or ciphertext has been altered, the ciphertext will fail to decrypt and an exception will be raised.

cipher.decrypt(nonce, 'authentication data', aead.succ) # => ArgumentError

Security Guidelines

Nonces should never be used to encrypt more than one plaintext with the same key.

Nonces generated through the API provided by this gem are guaranteed to be unique as long as the state file is not corrupted or removed. The state file is located in /var/tmp/ruby-aead.

Nonce generation is thread-safe and tolerates being performed simultaneously in separate processes.

If you believe you have discovered a security vulnerability in this gem, please email security@onelogin.com with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.

Something went wrong with that request. Please try again.