[Nitro] two way crypt function

Timothy interfecus at gmail.com
Sat Nov 10 17:23:15 EST 2007


HMAC is not appropriate for this! HMAC is for authentication over a network, 
not for encryption. HMAC is not reversible. If you want to be able to store 
data in cookies securely I would use a system like this:

In advance you need to select a constant global key for the application.

For each session:

1. Create a random session key, encrypt it with the global key. Store this in 
a cookie with a constant name (e.g. NITRO_SESS_KEY).

2. For each cookie you want to store, encrypt it to the session key and put it 
in a cookie. You could use one cookie for all the data or break it up in to 
related groups.

3. To recover a cookie, decrypt the session key using the global key. You can 
then use the session key to decrypt the cookie contents. Sanity checks or an 
included digest should be used to detect invalid data.

Notes:

1. The separate session key is used to minimise the risk of somebody finding 
the global key. If a person can compromise the session key then they can read 
and alter the session data from that session. If they can get the global key 
then they can read and alter the data from any session.

2. If the content of session data is predictable (size would be a good 
predictor of this) it should probably have some random data prepended to make 
it harder to use known plaintext attacks.

3. It is worth only decrypting the session when it is accessed to avoid 
unnecessary CPU load.

For encryption in Ruby you want to use the OpenSSL library. The ruby bindings 
are part of the standard library.

Cheers,

Tim

On Sunday 11 November 2007 00:42:50 Trans wrote:
> On Nov 10, 5:46 am, "George Moschovitis"
>
> <george.moschovi... at gmail.com> wrote:
> > Cool,
> >
> > is this fast? This encryption/decrption will be done per request.
>
> Eeeewwww. I mean, I'm sure it's fairly quick. It's not that
> complicated, but it is Ruby. If you are going to be doing this per
> request, you should consider something C-based.
>
> Actually, a little more research reveals what's is probably the right
> answer:
>
>   OpenSSL::HMAC
>
> See. http://kylekochis.com/2007/5/5/making-hmac-hashes-in-ruby
>
> T.
>
> _______________________________________________
> Nitro-general mailing list
> Nitro-general at rubyforge.org
> http://rubyforge.org/mailman/listinfo/nitro-general


More information about the Nitro-general mailing list