opensecret 0.0.962 → 0.0.988

data/lib/keytools/doc.using.pbkdf2.pkcs.ruby

@@ -0,0 +1,266 @@
+# coding: utf-8
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Creating a Key
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+This example creates a 2048 bit RSA keypair and writes it to the current directory.
+
+key = OpenSSL::PKey::RSA.new 2048
+
+open 'private_key.pem', 'w' do |io| io.write key.to_pem end
+open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Exporting a Key
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Keys saved to disk without encryption are not secure as anyone who gets ahold of the key may use it unless it is encrypted. In order to securely export a key you may export it with a pass phrase.
+
+cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+pass_phrase = 'my secure pass phrase goes here'
+
+key_secure = key.export cipher, pass_phrase
+
+open 'private.secure.pem', 'w' do |io|
+  io.write key_secure
+end
+OpenSSL::Cipher.ciphers returns a list of available ciphers.
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Loading a Key
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+A key can also be loaded from a file.
+
+key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
+key2.public? # => true
+key2.private? # => true
+or
+
+key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
+key3.public? # => true
+key3.private? # => false
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Loading an Encrypted Key
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+OpenSSL will prompt you for your pass phrase when loading an encrypted key. If you will not be able to type in the pass phrase you may provide it when loading the key:
+
+key4_pem = File.read 'private.secure.pem'
+pass_phrase = 'my secure pass phrase goes here'
+key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### RSA Encryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+RSA provides encryption and decryption using the public and private keys. You can use a variety of padding methods depending upon the intended use of encrypted data.
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Encryption & Decryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Asymmetric public/private key encryption is slow and victim to attack in cases where it is used without padding or directly to encrypt larger chunks of data. Typical use cases for RSA encryption involve wrapping a symmetric key with the public key of the recipient who would unwrap that symmetric key again using their private key. The following illustrates a simplified example of such a key transport scheme. It shouldnt be used in practice, though, standardized protocols should always be preferred.
+
+wrapped_key = key.public_encrypt key
+A symmetric key encrypted with the public key can only be decrypted with the corresponding private key of the recipient.
+
+original_key = key.private_decrypt wrapped_key
+By default PKCS#1 padding will be used, but it is also possible to use other forms of padding, see PKey::RSA for further details.
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Signatures
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+Using “private_encrypt” to encrypt some data with the private key is equivalent to applying a digital signature to the data. A verifying party may validate the signature by comparing the result of decrypting the signature with “public_decrypt” to the original data. However, OpenSSL::PKey already has methods “sign” and “verify” that handle digital signatures in a standardized way - “private_encrypt” and “public_decrypt” shouldnt be used in practice.
+
+To sign a document, a cryptographically secure hash of the document is computed first, which is then signed using the private key.
+
+digest = OpenSSL::Digest::SHA256.new
+signature = key.sign digest, document
+To validate the signature, again a hash of the document is computed and the signature is decrypted using the public key. The result is then compared to the hash just computed, if they are equal the signature was valid.
+
+digest = OpenSSL::Digest::SHA256.new
+if key.verify digest, signature, document
+  puts 'Valid'
+else
+  puts 'Invalid'
+end
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### PBKDF2 Password-based Encryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+If supported by the underlying OpenSSL version used, Password-based Encryption should use the features of PKCS5. If not supported or if required by legacy applications, the older, less secure methods specified in RFC 2898 are also supported (see below).
+
+PKCS5 supports PBKDF2 as it was specified in PKCS#5 v2.0. It still uses a password, a salt, and additionally a number of iterations that will slow the key derivation process down. The slower this is, the more work it requires being able to brute-force the resulting key.
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Encryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+The strategy is to first instantiate a Cipher for encryption, and then to generate a random IV plus a key derived from the password using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt, the number of iterations largely depends on the hardware being used.
+
+cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+cipher.encrypt
+iv = cipher.random_iv
+
+pwd = 'some hopefully not to easily guessable password'
+salt = OpenSSL::Random.random_bytes 16
+iter = 20000
+key_len = cipher.key_len
+digest = OpenSSL::Digest::SHA256.new
+
+key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+cipher.key = key
+
+Now encrypt the data:
+
+encrypted = cipher.update document
+encrypted << cipher.final
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Decryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Use the same steps as before to derive the symmetric AES key, this time setting the Cipher up for decryption.
+
+cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+cipher.decrypt
+cipher.iv = iv # the one generated with #random_iv
+
+pwd = 'some hopefully not to easily guessable password'
+salt = ... # the one generated above
+iter = 20000
+key_len = cipher.key_len
+digest = OpenSSL::Digest::SHA256.new
+
+key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
+cipher.key = key
+
+Now decrypt the data:
+
+decrypted = cipher.update encrypted
+decrypted << cipher.final
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### PKCS #5 Password-based Encryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+PKCS #5 is a password-based encryption standard documented at RFC2898. It allows a short password or passphrase to be used to create a secure encryption key. If possible, PBKDF2 as described above should be used if the circumstances allow it.
+
+PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption key.
+
+pass_phrase = 'my secure pass phrase goes here'
+salt = '8 octets'
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Encryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+First set up the cipher for encryption
+
+encryptor = OpenSSL::Cipher.new 'AES-128-CBC'
+encryptor.encrypt
+encryptor.pkcs5_keyivgen pass_phrase, salt
+Then pass the data you want to encrypt through
+
+encrypted = encryptor.update 'top secret document'
+encrypted << encryptor.final
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Decryption
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Use a new Cipher instance set up for decryption
+
+decryptor = OpenSSL::Cipher.new 'AES-128-CBC'
+decryptor.decrypt
+decryptor.pkcs5_keyivgen pass_phrase, salt
+Then pass the data you want to decrypt through
+
+plain = decryptor.update encrypted
+plain << decryptor.final
+
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@ ### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### OpenSSL::PKCS5
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Provides password-based encryption functionality based on PKCS#5. Typically used for securely deriving arbitrary length symmetric keys to be used with an OpenSSL::Cipher from passwords. Another use case is for storing passwords: Due to the ability to tweak the effort of computation by increasing the iteration count, computation can be slowed down artificially in order to render possible attacks infeasible.
+
+PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based HMAC, or an arbitrary Digest if the underlying version of OpenSSL already supports it (>= 0.9.4).
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Parameters
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+1 - Password - Typically an arbitrary String that represents the password to be used for deriving a key.
+
+2 - Salt - Prevents attacks based on dictionaries of common passwords. It is a public value that can be safely stored along with the password (e.g. if PBKDF2 is used for password storage). For maximum security, a fresh, random salt should be generated for each stored password. According to PKCS#5, a salt should be at least 8 bytes long.
+
+3 - Iteration Count - Allows to tweak the length that the actual computation will take. The larger the iteration count, the longer it will take.
+
+4 - Key Length - Specifies the length in bytes of the output that will be generated. Typically, the key length should be larger than or equal to the output length of the underlying digest function, otherwise an attacker could simply try to brute-force the key. According to PKCS#5, security is limited by the output length of the underlying digest function, i.e. security is not improved if a key length strictly larger than the digest output length is chosen. Therefore, when using PKCS5 for password storage, it suffices to store values equal to the digest output length, nothing is gained by storing larger values.
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Generating a 128 bit key for a Cipher (e.g. AES)
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+pass = "secret"
+salt = OpenSSL::Random.random_bytes(16)
+iter = 20000
+key_len = 16
+key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(pass, salt, iter, key_len)
+
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+### Storing Passwords
+### @@@@@@@@@@@@@@@@@@@@@@@@@@
+
+pass = "secret"
+salt = OpenSSL::Random.random_bytes(16) #store this with the generated value
+iter = 20000
+digest = OpenSSL::Digest::SHA256.new
+len = digest.digest_length
+#the final value to be stored
+value = OpenSSL::PKCS5.pbkdf2_hmac(pass, salt, iter, len, digest)
+Important Note on Checking Passwords¶ ↑
+When comparing passwords provided by the user with previously stored values, a common mistake made is comparing the two values using "==". Typically, "==" short-circuits on evaluation, and is therefore vulnerable to timing attacks. The proper way is to use a method that always takes the same amount of time when comparing two values, thus not leaking any information to potential attackers. To compare two values, the following could be used:
+
+def eql_time_cmp(a, b)
+  unless a.length == b.length
+    return false
+  end
+  cmp = b.bytes.to_a
+  result = 0
+  a.bytes.each_with_index {|c,i|
+    result |= c ^ cmp[i]
+  }
+  result == 0
+end
+
+
+Please note that the premature return in case of differing lengths typically does not leak valuable information - when using PKCS#5, the length of the values to be compared is of fixed size.

data/lib/keytools/kdf.bcrypt.rb

@@ -0,0 +1,180 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module OpenKey
+
+
+  # BCrypt is a <b>Blowfish based Key Derivation Function (KDF)</b> that exists to
+  # convert <b>low entropy</b> human created passwords into a high entropy key that
+  # is computationally infeasible to acquire through brute force.
+  #
+  # As human generated passwords have a relatively small key space, key derivation
+  # functions must be slow to compute with any implementation.
+  #
+  # BCrypt offers a <b>cost parameter</b> that determines (via the powers of two)
+  # the number of iterations performed.
+  #
+  # If the cost parameter is 12, then 4096 iterations (two to the power of 12) will
+  # be enacted.
+  #
+  # == A Cost of 16 is 65,536 iterations
+  #
+  # The <b>minimum cost</b> is 4 (16 iterations) and the maximum is 31.
+  #
+  # <b>A cost of 16 will result in 2^16 = 65,536 iterations</b>.
+  #
+  #    This is a safe default and will slow the derivation time
+  #    to about a second on a powerful 2020 laptop.
+  #
+  class BCryptKeyGen
+
+    require "bcrypt"
+
+    # The iteration count is determined using the powers of
+    # two so if the iteration integer is 12 there will be two
+    # to the power of 12 ( 2^12 ) giving 4096 iterations.
+    # The minimum number is 4 (16 iterations) and the max is 31.
+    # @example
+    #    Configuring 16 into this directive results in
+    #       2^16 = 65,536 iterations
+    #
+    #    This is a safe default and will slow the derivation time
+    #    to about a second on a powerful 2020 laptop.
+    BCRYPT_ITERATION_INTEGER = 16
+
+    # The bcrypt algorithm produces a key that is 181 bits in
+    # length. The algorithm then converts the binary 181 bits
+    # into a (6-bit) Radix64 character.
+    #
+    # 181 / 6 = 30 remainder 1 (so 31 characters are needed).
+    BCRYPT_KEY_LENGTH = 31
+    
+
+    # When the key is transported using a 64 character set where
+    # each character is represented by 6 bits - the BCrypt key
+    # expands to 186 bits rather than the original 181 bits.
+    #
+    # This expansion is because of the remainder.
+    #
+    #    181 bits divided by 6 is 30 characters plus 1 character
+    #    for the extra bit.
+    #
+    #    The 31 transported characters then appear as
+    #    31 times 6 which equals 186 bits.
+    BCRYPT_KEY_TRANSPORT_LENGTH = 186
+    
+    # The bcrypt algorithm salt string should be 22 characters
+    # and may include forward slashes and periods.
+    BCRYPT_SALT_LENGTH = 22
+
+    # BCrypt outputs a single line of text that holds the prefix
+    # then the Radix64 encoded salt and finally the Radix64
+    # encoded hash key.
+    #
+    # The prefix consists of <b>two sections</b> sandwiched within
+    # two dollar <b>$</b> signs at the extremeties and a third dollar
+    # separating them.
+    #
+    # The two sections are the
+    # - BCrypt algorithm <b>version number</b> (2a or 2b) and
+    # - a power of 2 integer defining the no. of interations
+    BCRYPT_OUTPUT_TEXT_PREFIX = "$2a$#{BCRYPT_ITERATION_INTEGER}$"
+
+
+    # Key generators should use this method to create a BCrypt salt
+    # string and then call the {generate_key} method passing in the
+    # salt together with a human generated password in order to derive
+    # a key.
+    #
+    # The salt can be persisted and then resubmitted in order to
+    # regenerate the same key in the future.
+    #
+    # For the BCrypt algorithm this method depends on the constant
+    # {BCRYPT_ITERATION_INTEGER} so that two to the power of the
+    # integer is the number of iterations.
+    #
+    # A generated salt looks like this assuming the algorithm version
+    # is 2a and the interation integer is 16.
+    #
+    # <b>$2a$16$nkyYKCwljFRtcif6FCXn3e</b>
+    #
+    # This method removes the $2a$16$ preamble string and stores only
+    # the actual salt string whose length should be 22 characters.
+    #
+    # @return [String]
+    #    the salt in a printable format like base64, hex or a string
+    #    of ones and zeroes. This salt should be submitted in the exact
+    #    same form to the {generate_key} method.
+    def self.generate_salt
+      the_salt_str = BCrypt::Engine.generate_salt( BCRYPT_ITERATION_INTEGER )
+      bcrypt_salt = the_salt_str[ BCRYPT_OUTPUT_TEXT_PREFIX.length .. -1 ]
+      assert_bcrypt_salt bcrypt_salt
+      return bcrypt_salt
+    end
+
+
+
+    # Key generators should first use the {generate_salt} method to create
+    # a BCrypt salt string and then submit it to this method together with
+    # a human generated password in order to derive a key.
+    #
+    # The salt can be persisted and then resubmitted again to this method
+    # in order to regenerate the same key at any time in the future.
+    #
+    # Generate a binary key from the bcrypt password derivation function.
+    #
+    # This differs from a server side password to hash usage in that we
+    # are interested in the 186bit key that bcrypt produces. This method
+    # returns this reproducible key for use during symmetric encryption and
+    # decryption.
+    #
+    # @param human_secret [String]
+    #    a robust human generated password with as much entropy as can
+    #    be mustered. Remember that 40 characters spread randomly over
+    #    the key space of about 90 characters and not relating to any
+    #    dictionary word or name is the way to generate a powerful key
+    #    that has embedded a near 100% entropy rating.
+    #
+    # @param bcrypt_salt [String]
+    #    the salt string that has either been recently generated via the
+    #    {generate_salt} method or read from a persistence store and
+    #    resubmitted here (in the future) to regenerate the same key.
+    #
+    # @return [Key]
+    #    a key holder containing the key which can then be accessed via
+    #    many different formats.
+    def self.generate_key human_secret, bcrypt_salt
+
+      hashed_secret = BCrypt::Engine.hash_secret( human_secret, to_bcrypt_salt(bcrypt_salt) )
+      encoded64_key = BCrypt::Password.new( hashed_secret ).to_s
+
+      key_begin_index = BCRYPT_OUTPUT_TEXT_PREFIX.length + BCRYPT_SALT_LENGTH
+      radix64_key_str = encoded64_key[ key_begin_index .. -1 ]
+      key_length_mesg = "The bcrypt key length should have #{BCRYPT_KEY_LENGTH} characters."
+      raise RuntimeError, key_length_mesg unless radix64_key_str.length == BCRYPT_KEY_LENGTH
+
+      return Key.new(radix64_key_str)
+
+    end
+
+
+
+    private
+
+
+
+    def self.to_bcrypt_salt the_salt
+      return BCRYPT_OUTPUT_TEXT_PREFIX + the_salt
+    end
+
+    def self.assert_bcrypt_salt the_salt
+      raise RuntimeError, "bcrypt salt not expected to be nil." if the_salt.nil?
+      salt_length_msg = "A bcrypt salt is expected to contain #{BCRYPT_SALT_LENGTH} characters."
+      raise RuntimeError, salt_length_msg unless the_salt.length == BCRYPT_SALT_LENGTH
+    end
+
+
+  end
+
+
+end

data/lib/keytools/kdf.pbkdf2.rb

@@ -0,0 +1,164 @@
+#!/usr/bin/ruby
+# coding: utf-8
+
+module OpenKey
+
+
+  # PBKDF2 is a powerful leading <b>Key Derivation Function (KDF)</b> that exists to
+  # convert <b>low entropy</b> human created passwords into a high entropy key that
+  # is computationally infeasible to acquire through brute force.
+  #
+  # As human generated passwords have a relatively small key space, key derivation
+  # functions must be slow to compute with any implementation.
+  #
+  # PBKDF2 offers an <b>iteration count</b> that configures the number of iterations
+  # performed to create the key.
+  #
+  # <b>One million (1,000,000) should be the iteration count's lower bound.</b>
+  class Pbkdf2KeyGen
+
+
+    # <b>One million iterations</b> is necessary due to the
+    # growth of <b>GPU driven cloud based computing</b> power
+    # that is curently being honed by mining BitCoin and training
+    # neural networks.
+    PBKDF2_ITERATION_COUNT = 1000000
+
+
+    # The current output key length needed is 96 bits which is
+    # 12 bytes. However the algorithm's minimum byte length is
+    # 16 so that is what we must use.
+    PBKDF2_OUTPUT_KEY_LENGTH = 16
+    
+
+    # The documented recommended salt length in bytes is in between
+    # 16 and 24 bytes. The setting here is at the upper bound of
+    # that range.
+    PBKDF2_SALT_LENGTH_BITS = 24 * 8
+
+
+    # When the key is transported using a 64 character set where
+    # each character is represented by 6 bits - the PBKDF2 key
+    # expands to 132 bits rather than the original 128 bits.
+    #
+    # This expansion is because of the remainder.
+    #
+    #    128 bits divided by 6 is 21 characters plus a remainder of two
+    #    (2) bits which must be transported one extra base64 character.
+    #
+    #    Hence the 22 transported characters are then observed to
+    #    be 132 bits in length (22 times 6).
+    PBKDF2_KEY_TRANSPORT_LENGTH = 132
+
+    
+
+    # Retun a random cryptographic salt generated from twenty-four
+    # random bytes produced by a secure random number generator. The
+    # returned salt is Base64 encoded.
+    #
+    # @return [String]
+    #    a base64 encoded representation of a twenty-four (24) randomly
+    #    and securely generated bytes.
+    def self.generate_salt
+      return Base64.urlsafe_encode64( SecureRandom.random_bytes( 24 ) )
+    end
+
+
+
+    # Generate a 128 bit binary key from the PBKDF2 password derivation
+    # function. The most important input to this function is the human
+    # generated key. The best responsibly sourced key with at least 95%
+    # entropy will contain about 40 characters spread randomly over the
+    # set of 95 typable characters.
+    #
+    # Aside from the human password the other inputs are
+    #
+    # - a base64 encoded randomly generated salt of 16 to 24 bytes
+    # - an iteration count of at least 1 million (due to GPU advances)
+    # - an output key length that is at least 16 bytes (128 bits)
+    # - a digest algorithm implementation (we use SHA512K)
+    #
+    # The {Key} returned by this method encapsulates the derived
+    # key of the byte (bit) length specified.
+    #
+    # @param human_secret [String]
+    #    a robust human generated password with as much entropy as can
+    #    be mustered. Remember that 40 characters spread randomly over
+    #    the key space of about 95 characters and not relating to any
+    #    dictionary word or name is the way to generate a powerful key
+    #    that has embedded a near 100% entropy rating.
+    #
+    # @param pbkdf2_salt [String]
+    #    the salt string that has either been recently generated via the
+    #    {generate_salt} method or read from a persistence store and
+    #    resubmitted here in order to regenerate the same key.
+    #
+    # @return [Key]
+    #    a key holder containing the key which can then be accessed via
+    #    many different formats. The {Key} returned by this method
+    #    encapsulates the derived key with the specified byte count.
+    def self.generate_key human_secret, pbkdf2_salt
+
+      pbkdf2_key = OpenSSL::PKCS5.pbkdf2_hmac(
+        human_secret,
+        Base64.urlsafe_decode64( pbkdf2_salt ),
+        PBKDF2_ITERATION_COUNT,
+        PBKDF2_OUTPUT_KEY_LENGTH,
+        OpenSSL::Digest::SHA512.new
+      )
+
+      return Key.new ( Base64.urlsafe_encode64( pbkdf2_key ) )
+
+
+# ----> -----------------------------------------------------
+# ----> -----------------------------------------------------
+# ----> ruby --version
+# ----> ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
+# ----> -----------------------------------------------------
+# ----> -----------------------------------------------------
+
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+########### If Condition => IF is Ruby 2.4.1 or greater Use this else use one above
+
+      pbkdf2_key = OpenSSL::KDF.pbkdf2_hmac(
+        human_secret,
+        Base64.urlsafe_decode64( @crypt_salt ),
+        PBKDF2_ITERATION_COUNT,
+        PBKDF2_OUTPUT_KEY_LENGTH,
+        OpenSSL::Digest::SHA512.new
+      )
+
+      return Key.new ( Base64.urlsafe_encode64( pbkdf2_key ) )
+
+    end
+
+
+  end
+
+
+end