class Match::Encryption::EncryptionV2

The newer encryption mechanism, which features a more secure key and IV generation.

The IV is randomly generated and provided unencrypted. The salt should be randomly generated and provided unencrypted (like in the current implementation). The key is generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters.

Short explanation about salt and IV: stackoverflow.com/a/1950674/6324550

Constants

ALGORITHM

Public Instance Methods

decrypt(encrypted_data:, password:, salt:, auth_tag:)
# File match/lib/match/encryption/encryption.rb, line 65
def decrypt(encrypted_data:, password:, salt:, auth_tag:)
  cipher = ::OpenSSL::Cipher.new(ALGORITHM)
  cipher.decrypt

  keyivgen(cipher, password, salt)

  cipher.auth_tag = auth_tag

  data = cipher.update(encrypted_data)
  data << cipher.final
end

encrypt(data:, password:, salt:)
# File match/lib/match/encryption/encryption.rb, line 51
def encrypt(data:, password:, salt:)
  cipher = ::OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt

  keyivgen(cipher, password, salt)

  encrypted_data = cipher.update(data)
  encrypted_data << cipher.final

  auth_tag = cipher.auth_tag

  { encrypted_data: encrypted_data, auth_tag: auth_tag }
end

Private Instance Methods

keyivgen(cipher, password, salt)
# File match/lib/match/encryption/encryption.rb, line 79
def keyivgen(cipher, password, salt)
  keyIv = ::OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32 + 12 + 24, hash: "sha256")
  key = keyIv[0..31]
  iv = keyIv[32..43]
  auth_data = keyIv[44..-1]
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = auth_data
end
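
A stand-alone round trip of the scheme listed above, added here as an example and not taken from the fastlane source. ALGORITHM's value is not shown on this page, so the example assumes aes-256-gcm; the demo_* names and the 16-byte salt are also assumptions. Because keyivgen derives the key and the IV from the password and salt, the example draws a fresh salt for every message so that no key/IV pair repeats.

```ruby
require "openssl"

# Assumption: the page does not show ALGORITHM's value; AES-256-GCM fits the
# 32-byte key, 12-byte IV and auth_tag handling in the listing.
DEMO_ALGORITHM = "aes-256-gcm"

# Same split as keyivgen: 32 bytes key, 12 bytes IV, 24 bytes associated data.
def demo_derive(password, salt)
  material = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                                      length: 32 + 12 + 24, hash: "sha256")
  { key: material[0..31], iv: material[32..43], auth_data: material[44..-1] }
end

def demo_cipher(mode, password, salt)
  cipher = OpenSSL::Cipher.new(DEMO_ALGORITHM)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  parts = demo_derive(password, salt)
  cipher.key = parts[:key]
  cipher.iv = parts[:iv]
  cipher.auth_data = parts[:auth_data]
  cipher
end

def demo_encrypt(data, password)
  salt = OpenSSL::Random.random_bytes(16) # assumed length; fresh per message
  cipher = demo_cipher(:encrypt, password, salt)
  encrypted = cipher.update(data) + cipher.final
  { salt: salt, encrypted_data: encrypted, auth_tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the tag check fails (wrong password,
# wrong salt, or modified ciphertext/tag).
def demo_decrypt(box, password)
  cipher = demo_cipher(:decrypt, password, box[:salt])
  cipher.auth_tag = box[:auth_tag]
  cipher.update(box[:encrypted_data]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed tampering case: flip one bit of the ciphertext.
def demo_flip_first_byte(box)
  bytes = box[:encrypted_data].bytes
  bytes[0] ^= 0x01
  box.merge(encrypted_data: bytes.pack("C*"))
end
```

The salt and auth tag are stored next to the ciphertext in the clear; only the password is secret.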