FastAES - Simple but LOW security AES gem
This gem is a relic from 5 years ago, when libraries such as OpenSSL did not work correctly with Ruby. Use in new projects is strongly discouraged. The core Ruby OpenSSL library is faster and more secure.
Refer to the Ruby OpenSSL documentation for details on how to leverage AES in Ruby:
cipher = OpenSSL::Cipher.new 'AES-128-CBC' cipher.encrypt iv = cipher.random_iv pwd = 'some hopefully not too guessable password' salt = OpenSSL::Random.random_bytes 16 iter = 20000 key_len = cipher.key_len digest = OpenSSL::Digest::SHA256.new key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) cipher.key = key # Now encrypt the data: encrypted = cipher.update document encrypted << cipher.final
As mentioned, alot has changed in the 5+ years since this gem was written. Please do not use it anymore.
From the article:
The disadvantage [of ECB] is that identical plaintext blocks are encrypted into identical ciphertext blocks; thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
If you're concerned about security, you need take responsibility for verifying whether this gem meets your requirements. It probably does not.
This is a simple implementation of AES (the US government's Advanced Encryption Standard, aka "Rijndael"), written in C for speed. You can read more on the Wikipedia AES Page. The algorithm itself was extracted from work by Christophe Devine for the open source Netcat clone sbd.
This code supports the main features of AES, specifically:
- 128, 192, and 256-bit ciphers
- Electronic Codebook (ECB) mode only - see Security Note
- Encrypted blocks are padded at 16-bit boundaries (read more on padding)
You can read specifics about AES-ECB in the IPSec-related RFC 3602.
Basic encryption/decryption with this gem:
require 'fast-aes' # key can be 128, 192, or 256 bits key = '42#3b%c$dxyT,7a5=+5fUI3fa7352&^:' aes = .(key) text = "Hey there, how are you?" data = aes.encrypt(text) puts aes.decrypt(data) # "Hey there, how are you?"
SSL vs AES
I'm going to guess you're using Ruby with Rails, which means you're doing 90+% web development. In that case, if you need security, SSL is the obvious choice (and the right one).
But there will probably come a time, padawan, when you need a couple backend servers to talk - maybe job servers, or an admin port, or whatever. Maybe even a simple chat server.
You can setup SSL certificates for this but there's a good amount of maintenance overhead there. Or, you can directly use an encryption algorithm, such as AES. Setting up an SSH tunnel is another alternative, if you control both systems. I think it's easier to configure encryption as part of your application, rather than having to mess with each individual system, but that's me.
For more information on how SSL/AES/RC4/TLS all interact, read this article on SSL and AES
AES vs Other Encryption Standards
There are a bizillion (literally!) different encryption standards out there. If you have a PhD, and can't find a job, writing an encryption algorithm is a good thing to put on your resume - on the outside chance that someone will hire you and use it. If you don't possess the talent to write an encryption standard, you can spend hours trying to crack one - for similar reasons. As a result, of the many encryption alternatives, most are either (a) cracked or (b) covered by patents.
Personally, when it comes to encryption, I think choosing what the US government chooses is a decent choice. They tend to be "security conscious."
Original AES C reference code by Christophe Devine. Thanks Christophe!
This gem copyright (c) 2010-2011 Nate Wiger. Released under the MIT License.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.