gurpartap / aescrypt
A simple and opinionated AES encrypt / decrypt Ruby gem that just works.
License: MIT License
Great idea for a pair of modules, thanks.
In my use case, I'm encoding a message in iOS, sending the encoded version to rails, and then in rails encoding the same message and seeing if the two agree. And oddly, they don't, by three spaces.
Here is the iOS code:
NSString *text = @"8954302B-3291-42D8-A52F-EF1023F78AA3d115f8c31c33a6a70f60fe0ec0830fac2012-08-19T05:04:01Z";
NSString *sharedSecret = @"ef7468fe8e05ad22fa0d4a5554205b65";
NSString *signature = [AESCrypt encrypt:text password:sharedSecret];
NSLog(@"Signature: %@", signature);
// Outputs: Signature: I1rougkuUGC/9Tu+uv7e8vpT975ca6rCZueCQTe3pq0aY6XtBcre1Qd6AokZ3d0NAZPqxxGYwPe5aXQHy4Cef4m59fVgglYawKnRwA5e3ZhouQrcWUBixjyU4rUk8/yP
Here is the Rails code:
text = "8954302B-3291-42D8-A52F-EF1023F78AA3d115f8c31c33a6a70f60fe0ec0830fac2012-08-19T05:04:01Z";
shared_secret = "ef7468fe8e05ad22fa0d4a5554205b65"
reference_signature = AESCrypt.encrypt(text, shared_secret)
reference_signature in debugger is: "I1rougkuUGC/9Tu+uv7e8vpT975ca6rCZueCQTe3pq0aY6XtBcre1Qd6AokZ 3d0NAZPqxxGYwPe5aXQHy4Cef4m59fVgglYawKnRwA5e3ZhouQrcWUBixjyU 4rUk8/yP "
Note the spaces in reference_signature: between the Z and 3, the U and the 4, and at the end of the string.
This is Rails 3.2.3, Ruby 1.9.3p194, iOS 5.1.
Hi
It would seem that in Ruby 2.2.x a require 'base64' is needed to satisfy the Base64 dependency.
Regards
example
irb(main):008:0> str = "√"
=> "√"
irb(main):014:0> str.encoding
=> #<Encoding:UTF-8>
irb(main):009:0> e = AESCrypt.encrypt(str)
=> "ia\xF5k\x8CA\xED\xD5\v\xCB?O\x16\x9C\xA0M"
irb(main):011:0* e.encoding
=> #<Encoding:ASCII-8BIT>
irb(main):012:0> d = AESCrypt.decrypt(e)
=> "\xE2\x88\x9A"
Please retire this gem. It contains multiple, extremely severe security vulnerabilities:
Either of these vulnerabilities can, depending on the circumstances, lead to full plaintext recovery.
I opened #12 nearly 4 months ago. The extremely severe issue in #4 is approaching 4 years old.
This gem is broken, insecure, and unsuitable for use, and yet it is also the top hit for "ruby aes gem". Please retire it and point people at something safer, like ActiveSupport::MessageEncryptor: http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html
Hi Gurpartap,
Currently I am facing below issue-
-[NSConcreteMutableData SHA256Hash]: unrecognized selector sent to instance
while encrypting the message. Please suggest me any changes.
I created an encrypted message using the iOS client and ended each line of data with '\r\n'. The data displayed on the iOS client with a line feed as expected.
After decrypting in a simple rails app, the line feeds were missing.
See http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29
I can only assume that the ruby openssl wrapper uses null bytes for the IV in your use-case, which is not secure.
This gem is using an unauthenticated encryption mode (CBC) which is vulnerable to chosen ciphertext attacks (i.e. it is not IND-CCA secure).
This is a serious issue which can allow active attackers to completely recover message plaintexts. It also allows attackers to make undetectable alterations to the plaintext.
At the very minimum you should add HMAC in an encrypt-then-MAC construction.
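The two reports above (the IV concern and the missing authentication) can be addressed together. The following is an added example, not code from aescrypt or its author: it uses a fresh random IV per message and HMAC-SHA256 in an encrypt-then-MAC construction. The names SealedBox, seal, unseal and subkeys are hypothetical, and it assumes a 32-byte random master key and UTF-8 plaintext.

```ruby
require 'openssl'

# Added example (hypothetical module, not part of the aescrypt gem).
module SealedBox
  IV_LEN  = 16 # AES block size
  TAG_LEN = 32 # HMAC-SHA256 output size

  class TamperedError < StandardError; end

  # Simple key separation (an assumption of this sketch): derive distinct
  # encryption and MAC keys so one key is never used for both purposes.
  def self.subkeys(master_key)
    raise ArgumentError, 'master key must be 32 bytes' unless master_key.bytesize == 32
    [OpenSSL::HMAC.digest('SHA256', master_key, 'enc'),
     OpenSSL::HMAC.digest('SHA256', master_key, 'mac')]
  end

  # Returns IV || ciphertext || tag as a binary string.
  def self.seal(plaintext, master_key)
    enc_key, mac_key = subkeys(master_key)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = enc_key
    iv = cipher.random_iv # new random IV per message, never a fixed or null IV
    ct = cipher.update(plaintext) + cipher.final
    tag = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ct) # MAC covers the IV too
    iv + ct + tag
  end

  def self.unseal(blob, master_key)
    enc_key, mac_key = subkeys(master_key)
    # Shortest valid message: IV + one ciphertext block + tag.
    raise TamperedError, 'message too short' if blob.bytesize < IV_LEN + 16 + TAG_LEN
    iv  = blob.byteslice(0, IV_LEN)
    ct  = blob.byteslice(IV_LEN, blob.bytesize - IV_LEN - TAG_LEN)
    tag = blob.byteslice(-TAG_LEN, TAG_LEN)
    expected = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ct)
    # Check the MAC in constant time BEFORE decrypting, so modified
    # ciphertext is rejected without ever reaching the padding check.
    unless OpenSSL.fixed_length_secure_compare(expected, tag)
      raise TamperedError, 'MAC verification failed'
    end
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = enc_key
    cipher.iv  = iv
    # Assumes the plaintext was UTF-8; OpenSSL returns binary strings.
    (cipher.update(ct) + cipher.final).force_encoding(Encoding::UTF_8)
  end
end
```

Base64-encode the result with Base64.strict_encode64 if it has to travel as text; the MAC should be verified on the decoded bytes.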