gurpartap / aescrypt Goto Github PK

bro please help me.. Im using AES online encryption to encrypt the data.
after data encrypted, Im try to use your lib to decrypt, but got error "pad block corrupted". very much appreciate if u can help me.

Great idea for a pair of modules, thanks.

In my use case, I'm encoding a message in iOS, sending the encoded version to rails, and then in rails encoding the same message and seeing if the two agree. And oddly, they don't, by three spaces.

Here is the iOS code:

    NSString *text = @"8954302B-3291-42D8-A52F-EF1023F78AA3d115f8c31c33a6a70f60fe0ec0830fac2012-08-19T05:04:01Z";
    NSString *sharedSecret = @"ef7468fe8e05ad22fa0d4a5554205b65";
    NSString *signature = [AESCrypt encrypt:text password:sharedSecret];
    NSLog(@"Signature: %@", signature);

    // Outputs: Signature: I1rougkuUGC/9Tu+uv7e8vpT975ca6rCZueCQTe3pq0aY6XtBcre1Qd6AokZ3d0NAZPqxxGYwPe5aXQHy4Cef4m59fVgglYawKnRwA5e3ZhouQrcWUBixjyU4rUk8/yP

Here is the Rails code:

text = "8954302B-3291-42D8-A52F-EF1023F78AA3d115f8c31c33a6a70f60fe0ec0830fac2012-08-19T05:04:01Z";
shared_secret = "ef7468fe8e05ad22fa0d4a5554205b65"
reference_signature = AESCrypt.encrypt(text, shared_secret)

reference_signature in debugger is: "I1rougkuUGC/9Tu+uv7e8vpT975ca6rCZueCQTe3pq0aY6XtBcre1Qd6AokZ 3d0NAZPqxxGYwPe5aXQHy4Cef4m59fVgglYawKnRwA5e3ZhouQrcWUBixjyU 4rUk8/yP "

Note the spaces in reference_signature: between the Z and 3, the U and the 4, and at the end of the string.

This is rails Rails 3.2.3, ruby 1.9.3p194, iOS 5.1.

Hi
It would seem that in ruby 2.2.x

a require 'base64' is needed to satisfy the Base64 dependency.

Regards

example

irb(main):008:0> str = "√"
=> "√"
irb(main):014:0> str.encoding
=> #<Encoding:UTF-8>

irb(main):009:0> e = AESCrypt.encrypt(str)
=> "ia\xF5k\x8CA\xED\xD5\v\xCB?O\x16\x9C\xA0M"
irb(main):011:0* e.encoding
=> #<Encoding:ASCII-8BIT>

irb(main):012:0> d = AESCrypt.decrypt(e)
=> "\xE2\x88\x9A"

Please retire this gem. It contains multiple, extremely severe security vulnerabilities:

• Fixed all zero IV: #4
• No MAC/unauthenticated encryption: #12

Either of these vulnerabilities can, depending on the circumstances, lead to full plaintext recovery.

I opened #12 nearly 4 months ago. The extremely severe issue in #4 is approaching 4 years old.

This gem is broken, insecure, and unsuitable for use, and yet it is also the top hit for "ruby aes gem". Please retire it and point people at something safer, like ActiveSupport::MessageEncryptor:

http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html

Hi Gurpartap,
Currently I am facing below issue-

-[NSConcreteMutableData SHA256Hash]: unrecognized selector sent to instance

while encrypting the message. Please suggest me any changes.

I created an encrypted message using the iOS client and ended each line of data with '\r\n'. The data displayed on the iOS client with a line feed as expected.

After decrypting in a simple rails app, the line feeds were missing.

See http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29

I can only assume that the ruby openssl wrapper uses null bytes for the IV in your use-case, which is not secure.

This gem is using an unauthenticated encryption mode (CBC) which is vulnerable to chosen ciphertext attacks (i.e. it is not IND-CCA secure)

This is a serious issue which can allow active attackers to completely recover message plaintexts. It also allows attackers to make undetectable alterations to the plaintext.

At the very minimum you should add HMAC in an encrypt-then-MAC construction.