[Nitro] two way crypt function
interfecus at gmail.com
Sat Nov 10 17:23:15 EST 2007

HMAC is not appropriate for this! HMAC is for authentication over a network,
not for encryption. HMAC is not reversible. If you want to be able to store
data in cookies securely I would use a system like this:

In advance you need to select a constant global key for the application.
For each session:
1. Create a random session key, encrypt it with the global key. Store this in
a cookie with a constant name (e.g. NITRO_SESS_KEY).
2. For each cookie you want to store, encrypt it to the session key and put it
in a cookie. You could use one cookie for all the data or break it up in to
3. To recover a cookie, decrypt the session key using the global key. You can
then use the session key to decrypt the cookie contents. Sanity checks or an
included digest should be used to detect invalid data.

1. The separate session key is used to minimise the risk of somebody finding
the global key. If a person can compromise the session key then they can read
and alter the session data from that session. If they can get the global key
then they can read and alter the data from any session.
2. If the content of session data is predictable (size would be a good
predictor of this) it should probably have some random data prepended to make
it harder to use known plaintext attacks.
3. It is worth only decrypting the session when it is accessed to avoid
unnecessary CPU load.

For encryption in Ruby you want to use the OpenSSL library. The ruby bindings
are part of the standard library.

On Sunday 11 November 2007 00:42:50 Trans wrote:
> On Nov 10, 5:46 am, "George Moschovitis"
> <george.moschovi... at gmail.com> wrote:
> > Cool,
> > is this fast? This encryption/decryption will be done per request.
> Eeeewwww. I mean, I'm sure it's fairly quick. It's not that
> complicated, but it is Ruby. If you are going to be doing this per
> request, you should consider something C-based.
> Actually, a little more research reveals what is probably the right
> See. http://kylekochis.com/2007/5/5/making-hmac-hashes-in-ruby
> Nitro-general mailing list
> Nitro-general at rubyforge.org
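The cookie scheme laid out in the message above (a per-session key sealed under a constant global key in the NITRO_SESS_KEY cookie, each data cookie sealed under the session key, and an included digest to reject invalid data), worked through in Ruby with the standard library's OpenSSL bindings. This is an added example, not code from the original thread or from the Nitro project. The global key value, the data cookie name, and every helper name (seal, open_sealed, new_session_cookie, read_cookie, write_cookie, tamper, demo) are assumptions made for the example. The concrete choices are AES-256-CBC with a fresh random IV per value, which doubles as the random prefix suggested in note 2, and HMAC-SHA256 over IV and ciphertext as the digest, checked in constant time before anything is decrypted:

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Constructed global key for the example. A real application would generate
# this once, keep it out of source control, and never rotate it per request.
GLOBAL_KEY = OpenSSL::Digest.digest('SHA256', 'constructed-demo-global-secret')

CIPHER   = 'aes-256-cbc'
IV_LEN   = 16  # AES block size
TAG_LEN  = 32  # HMAC-SHA256 output size

# Constant-time comparison so a tampered tag cannot be guessed byte by byte
# from timing differences (written out here to avoid depending on a newer
# OpenSSL.secure_compare).
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt-then-MAC: iv || ciphertext || HMAC(key, iv || ciphertext), base64
# encoded so it is safe to put in a cookie value.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                      # random prefix, unique per value
  body = iv + cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest('SHA256', key, body)
  Base64.strict_encode64(body + tag)
end

# Returns the plaintext, or nil for anything that is not a valid token under
# this key: wrong length, bad base64, wrong or altered tag, bad padding.
def open_sealed(key, token)
  raw = Base64.strict_decode64(token)
  return nil if raw.bytesize < IV_LEN + TAG_LEN
  body = raw[0...-TAG_LEN]
  tag  = raw[-TAG_LEN..-1]
  return nil unless same_digest?(OpenSSL::HMAC.digest('SHA256', key, body), tag)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = key
  cipher.iv  = body[0, IV_LEN]
  cipher.update(body[IV_LEN..-1]) + cipher.final
rescue ArgumentError, OpenSSL::Cipher::CipherError
  nil
end

# Step 1: a fresh random session key, stored in NITRO_SESS_KEY under the
# global key. Returns both the raw key (kept server side for this request)
# and the cookie value to send to the client.
def new_session_cookie
  session_key = SecureRandom.random_bytes(32)
  [session_key, seal(GLOBAL_KEY, session_key)]
end

# Step 2: each data cookie is sealed under the session key, not the global key.
def write_cookie(cookies, session_key, name, value)
  cookies[name] = seal(session_key, value)
end

# Step 3: recover the session key from NITRO_SESS_KEY, then the data cookie.
# Any failure along the way yields nil rather than garbage plaintext.
def read_cookie(cookies, name)
  session_key = open_sealed(GLOBAL_KEY, cookies['NITRO_SESS_KEY'].to_s)
  return nil unless session_key
  open_sealed(session_key, cookies[name].to_s)
end

# Flips one bit inside the ciphertext of a token (constructed corruption, the
# kind of thing the digest check must catch).
def tamper(token)
  raw = Base64.strict_decode64(token)
  raw.setbyte(IV_LEN + 4, raw.getbyte(IV_LEN + 4) ^ 0x01)
  Base64.strict_encode64(raw)
end

# A request cycle with a constructed cookie jar: the honest read succeeds, a
# bit-flipped data cookie is rejected, and a cookie sealed under a different
# session's key is rejected as well.
def demo
  session_key, sess_cookie = new_session_cookie
  cookies = { 'NITRO_SESS_KEY' => sess_cookie }
  write_cookie(cookies, session_key, 'user', 'alice')
  other_key, _other_cookie = new_session_cookie
  {
    ok:            read_cookie(cookies, 'user'),
    tampered:      read_cookie(cookies.merge('user' => tamper(cookies['user'])), 'user'),
    wrong_session: read_cookie(cookies.merge('user' => seal(other_key, 'x')), 'user')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Because the MAC covers the IV as well as the ciphertext and is verified before any decryption, invalid or altered cookies never reach the cipher, which is the sanity check the message asks for; the per-session key means a leaked session key exposes only that session, while the global key never leaves the server.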