class Match::Encryption::EncryptionV2
The newer encryption mechanism, which features more secure key and IV generation.
The IV is randomly generated and provided unencrypted. The salt should be randomly generated and provided unencrypted (like in the current implementation). The key is generated with OpenSSL::KDF::pbkdf2_hmac with properly chosen parameters.
Short explanation about salt and IV: stackoverflow.com/a/1950674/6324550
Constants
- ALGORITHM
Public Instance Methods
decrypt(encrypted_data:, password:, salt:, auth_tag:)
    # File match/lib/match/encryption/encryption.rb, line 65
    def decrypt(encrypted_data:, password:, salt:, auth_tag:)
      cipher = ::OpenSSL::Cipher.new(ALGORITHM)
      cipher.decrypt
      # Re-derive key, IV and associated data from the password and salt
      keyivgen(cipher, password, salt)
      # Tag to verify against the decrypted data
      cipher.auth_tag = auth_tag
      data = cipher.update(encrypted_data)
      data << cipher.final
    end
encrypt(data:, password:, salt:)
    # File match/lib/match/encryption/encryption.rb, line 51
    def encrypt(data:, password:, salt:)
      cipher = ::OpenSSL::Cipher.new(ALGORITHM)
      cipher.encrypt
      # Derive key, IV and associated data from the password and salt
      keyivgen(cipher, password, salt)
      encrypted_data = cipher.update(data)
      encrypted_data << cipher.final
      # The tag must be kept with the ciphertext; decrypt needs it
      auth_tag = cipher.auth_tag
      { encrypted_data: encrypted_data, auth_tag: auth_tag }
    end
Private Instance Methods
keyivgen(cipher, password, salt)
    # File match/lib/match/encryption/encryption.rb, line 79
    def keyivgen(cipher, password, salt)
      # One PBKDF2-HMAC-SHA256 output, split into key, IV and associated data
      keyIv = ::OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32 + 12 + 24, hash: "sha256")
      key = keyIv[0..31]        # 32 bytes
      iv = keyIv[32..43]        # 12 bytes
      auth_data = keyIv[44..-1] # remaining 24 bytes
      cipher.key = key
      cipher.iv = iv
      cipher.auth_data = auth_data
    end
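A stand-alone round trip using the same derivation as keyivgen, added here as an example and not fastlane's own code. It assumes ALGORITHM is AES-256-GCM (the page does not show the constant's value); the demo_* names and the 16-byte salt length are choices made for this example.

```ruby
require "openssl"
require "securerandom"

# Assumption: ALGORITHM is AES-256-GCM; the page does not show its value.
DEMO_ALGORITHM = "aes-256-gcm"

# Same PBKDF2 call and 32/12/24-byte split as keyivgen.
def demo_derive(password, salt)
  out = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                                 length: 32 + 12 + 24, hash: "sha256")
  { key: out[0, 32], iv: out[32, 12], auth_data: out[44, 24] }
end

def demo_cipher(mode, password, salt, auth_tag = nil)
  cipher = OpenSSL::Cipher.new(DEMO_ALGORITHM)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  derived = demo_derive(password, salt)
  cipher.key = derived[:key]
  cipher.iv = derived[:iv]
  cipher.auth_tag = auth_tag if auth_tag # decrypt only
  cipher.auth_data = derived[:auth_data]
  cipher
end

# The salt is the only per-message input, so it must be fresh every time:
# the same password and salt give the same key and IV.
# The 16-byte salt length is a choice made for this example.
def demo_encrypt(data, password, salt = SecureRandom.random_bytes(16))
  cipher = demo_cipher(:encrypt, password, salt)
  encrypted = cipher.update(data) + cipher.final
  { salt: salt, auth_tag: cipher.auth_tag, encrypted_data: encrypted }
end

# Raises OpenSSL::Cipher::CipherError on a wrong password or altered bytes.
def demo_decrypt(box, password)
  cipher = demo_cipher(:decrypt, password, box[:salt], box[:auth_tag])
  cipher.update(box[:encrypted_data]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not real signing material.
  box = demo_encrypt("constructed sample data", "constructed-password")
  puts demo_decrypt(box, "constructed-password")
end
```

Passing the same salt twice to demo_encrypt yields byte-identical ciphertext, which is why the salt, the auth tag and the ciphertext are stored together and the salt is regenerated on every encryption.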