slosilo 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 19532fb817cc0d993257331452fd6fc36be49da8
-  data.tar.gz: 63c9b867b4e125aff0e5680e21a9a31605629716
+  metadata.gz: 761d6e24aaa95427bbc3d7449bc980b29b602bca
+  data.tar.gz: 79950d2ab62c71a6f9ebdb1f68afdfd13c53894e
 SHA512:
-  metadata.gz: 799000b32ea19b4b5ca3fb63901007e16c659af8ea383f3d469ed4a91a1c23b10529eeffda3167b73e0bf67043258622c997b68fefd110cf5fb96cedc8b3769c
-  data.tar.gz: c017465fd76fd4aa9812924ead3c3342d66d3f87f222cd94c0f08c0eadd2dd66c7088e3bc5333ae6d4a83f165c2329456cc38158b2de5d17e76dd1fe0d098449
+  metadata.gz: de1ab282bd0067317a21e2d40dbb0668c737e487bc2e29e25120f460191d2c8a550b25ec98719a4d99d72176a73f0b47007703733ad5a0e77077a13c1fc54d6d
+  data.tar.gz: e7444706c7f1af27f3a7eebf350252b37a033ca4b225a5d8ea6d24afbf49f40d42e6613187f8f0fe2322c9bf73dc1b54d5e36796ba7ef10aa8c95ff54f5aa8b3

data/README.md

@@ -2,7 +2,7 @@
 
 Slosilo is providing a ruby interface to some cryptographic primitives:
 - symmetric encryption,
-- a mixin for easy encryption of object attributes (WARNING: unauthenticated, see below),
+- a mixin for easy encryption of object attributes,
 - asymmetric encryption and signing,
 - a keystore in a postgres sequel db -- it allows easy storage and retrieval of keys,
 - a keystore in files.
@@ -17,6 +17,20 @@ And then execute:
 
     $ bundle
 
+## Compatibility
+
+Version 2.0 introduced new symmetric encryption scheme using AES-256-GCM
+for authenticated encryption. It allows you to provide AAD on all symmetric
+encryption primitives. It's also **NOT COMPATIBLE** with CBC used in version <2.
+
+This means you'll have to migrate all your existing data. There's no easy way to
+do this currently provided; it's recommended to create a database migration and
+put relevant code fragments in it directly. (This will also have the benefit of making
+the migration self-contained.)
+
+Since symmetric encryption is used in processing asymetrically encrypted messages,
+this incompatibility extends to those too.
+
 ## Usage
 
 ### Symmetric encryption
@@ -24,12 +38,14 @@ And then execute:
 ```ruby
 sym = Slosilo::Symmetric.new
 key = sym.random_key
-ciphertext = sym.encrypt "secret message", key: key
+# additional authenticated data
+message_id = "message 001"
+ciphertext = sym.encrypt "secret message", key: key, aad: message_id
 ```
 
 ```ruby
 sym = Slosilo::Symmetric.new
-message = sym.decrypt ciphertext, key: key
+message = sym.decrypt ciphertext, key: key, aad: message_id
 ```
 
 ### Encryption mixin
@@ -39,11 +55,15 @@ require 'slosilo'
 
 class Foo
   attr_accessor :foo
-  attr_encrypted :foo
+  attr_encrypted :foo, aad: :id
 
   def raw_foo
     @foo
   end
+
+  def id
+    "unique record id"
+  end
 end
 
 Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
@@ -56,13 +76,6 @@ obj.foo # => "bar"
 
 You can safely use it in ie. ActiveRecord::Base or Sequel::Model subclasses.
 
-#### Warning
-
-The encrypted data is not authenticated; it's intended to prevent
-opportunistic access to secrets by a third party which gets hold of a database
-dump. *IT DOES NOT prevent tampering.* If your threat model includes an attacker
-which can modify the database, `attr_encrypted` by itself IS NOT SECURE.
-
 ### Asymmetric encryption and signing
 
 ```ruby

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -14,7 +14,7 @@ module Slosilo
       def create_model
         model = Sequel::Model(:slosilo_keystore)
         model.unrestrict_primary_key
-        model.attr_encrypted :key if secure?
+        model.attr_encrypted(:key, aad: :id) if secure?
         model
       end
       

data/lib/slosilo/attr_encrypted.rb

@@ -5,21 +5,44 @@ module Slosilo
   # so we encrypt sensitive attributes before storing them
   module EncryptedAttributes
     module ClassMethods
+
+      # @param options [Hash]
+      # @option :aad [#to_proc, #to_s]  Provide additional authenticated data for
+      #   encryption.  This should be something unique to the instance having
+      #   this attribute, such as a primary key; this will ensure that an attacker can't swap
+      #   values around -- trying to decrypt value with a different auth data will fail.
+      #   This means you have to be able to recover it in order to decrypt attributes.
+      #   The following values are accepted:
+      #
+      #   * Something proc-ish: will be called with self each time auth data is needed.
+      #   * Something stringish: will be to_s-d and used for all instances as auth data.
+      #     Note that this will only prevent swapping in data using another string.
+      #
+      #   The recommended way to use this option is to pass a proc-ish that identifies the record.
+      #   Note the proc-ish can be a simple method name; for example in case of a Sequel::Model:
+      #       attr_encrypted :secret, aad: :pk
       def attr_encrypted *a
+        options = a.last.is_a?(Hash) ? a.pop : {}
+        aad = options[:aad]
+        # note nil.to_s is "", which is exactly the right thing
+        auth_data = aad.respond_to?(:to_proc) ? aad.to_proc : proc{ |_| aad.to_s }
+        raise ":aad proc must take one argument" unless auth_data.arity.abs == 1 # take abs to allow *args arity, -1
+
         # push a module onto the inheritance hierarchy
         # this allows calling super in classes
         include(accessors = Module.new)
         accessors.module_eval do 
           a.each do |attr|
             define_method "#{attr}=" do |value|
-              super(EncryptedAttributes.encrypt value)
+              super(EncryptedAttributes.encrypt(value, aad: auth_data[self]))
             end
             define_method attr do
-              EncryptedAttributes.decrypt(super())
+              EncryptedAttributes.decrypt(super(), aad: auth_data[self])
             end
           end
         end
       end
+
     end
     
     def self.included base
@@ -27,14 +50,14 @@ module Slosilo
     end
 
     class << self
-      def encrypt value
+      def encrypt value, opts={}
         return nil unless value
-        cipher.encrypt value, key: key
+        cipher.encrypt value, key: key, aad: opts[:aad]
       end
       
-      def decrypt ctxt
+      def decrypt ctxt, opts={}
         return nil unless ctxt
-        cipher.decrypt ctxt, key: key
+        cipher.decrypt ctxt, key: key, aad: opts[:aad]
       end
 
       def key

data/lib/slosilo/symmetric.rb

@@ -1,25 +1,40 @@
 module Slosilo
   class Symmetric
+    VERSION_MAGIC = 'G'
+    TAG_LENGTH = 16
+
     def initialize
-      @cipher = OpenSSL::Cipher.new 'AES-256-CBC'
+      @cipher = OpenSSL::Cipher.new 'aes-256-gcm' # NB: has to be lower case for whatever reason.
     end
-    
+
+    # This lets us do a final sanity check in migrations from older encryption versions
+    def cipher_name
+      @cipher.name
+    end
+
     def encrypt plaintext, opts = {}
       @cipher.reset
       @cipher.encrypt
-      @cipher.key = opts[:key]
+      @cipher.key = (opts[:key] or raise("missing :key option"))
       @cipher.iv = iv = random_iv
-      ctxt = @cipher.update(plaintext)
-      iv + ctxt + @cipher.final
+      @cipher.auth_data = opts[:aad] || "" # Nothing good happens if you set this to nil, or don't set it at all
+      ctext = @cipher.update(plaintext) + @cipher.final
+      tag = @cipher.auth_tag(TAG_LENGTH)
+      "#{VERSION_MAGIC}#{tag}#{iv}#{ctext}"
     end
-    
+
     def decrypt ciphertext, opts = {}
+      version, tag, iv, ctext = unpack ciphertext
+
+      raise "Invalid version magic: expected #{VERSION_MAGIC} but was #{version}" unless version == VERSION_MAGIC
+
       @cipher.reset
       @cipher.decrypt
       @cipher.key = opts[:key]
-      @cipher.iv, ctxt = ciphertext.unpack("a#{@cipher.iv_len}a*")
-      ptxt = @cipher.update(ctxt)
-      ptxt + @cipher.final
+      @cipher.iv = iv
+      @cipher.auth_tag = tag
+      @cipher.auth_data = opts[:aad] || ""
+      @cipher.update(ctext) + @cipher.final
     end
     
     def random_iv
@@ -29,5 +44,11 @@ module Slosilo
     def random_key
       @cipher.random_key
     end
+
+    private
+    # return tag, iv, ctext
+    def unpack msg
+      msg.unpack "aa#{TAG_LENGTH}a#{@cipher.iv_len}a*"
+    end
   end
 end

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "1.1.0"
+  VERSION = "2.0.0"
 end

data/spec/encrypted_attributes_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+require 'slosilo/attr_encrypted'
+
+describe Slosilo::EncryptedAttributes do
+  before(:all) do
+    Slosilo::encryption_key = OpenSSL::Cipher.new("aes-256-gcm").random_key
+  end
+
+  let(:aad) { proc{ |_| "hithere" } }
+
+  let(:base){
+    Class.new do
+      attr_accessor :normal_ivar,:with_aad
+      def stupid_ivar
+        side_effect!
+        @_explicit
+      end
+      def stupid_ivar= e
+        side_effect!
+        @_explicit = e
+      end
+      def side_effect!
+
+      end
+    end
+  }
+
+  let(:sub){
+    Class.new(base) do
+      attr_encrypted :normal_ivar, :stupid_ivar
+    end
+  }
+
+  subject{ sub.new  }
+
+  context "when setting a normal ivar" do
+    let(:value){ "some value" }
+    it "stores an encrypted value in the ivar" do
+      subject.normal_ivar = value
+      expect(subject.instance_variable_get(:"@normal_ivar")).to_not eq(value)
+    end
+
+    it "recovers the value set" do
+      subject.normal_ivar = value
+      expect(subject.normal_ivar).to eq(value)
+    end
+  end
+
+  context "when setting an attribute with an implementation" do
+    it "calls the base class method" do
+      expect(subject).to receive_messages(:side_effect! => nil)
+      subject.stupid_ivar = "hi"
+      expect(subject.stupid_ivar).to eq("hi")
+    end
+  end
+
+  context "when given an :aad option" do
+
+    let(:cipher){ Slosilo::EncryptedAttributes.cipher }
+    let(:key){ Slosilo::EncryptedAttributes.key}
+    context "that is a string" do
+      let(:aad){ "hello there" }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with the given string  for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad)
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "foo"
+        expect(subject.with_aad).to eq("foo")
+      end
+    end
+
+    context "that is nil" do
+      let(:aad){ nil }
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+      it "encrypts the value with an empty string for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello",key: key, aad: "").and_call_original
+        subject.with_aad = "hello"
+      end
+
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+    context "that is a proc" do
+      let(:aad){
+        proc{ |o| "x" }
+      }
+
+      before{ sub.attr_encrypted :with_aad, aad: aad }
+
+      it "calls the proc with the object being encrypted" do
+        expect(aad).to receive(:[]).with(subject).and_call_original
+        subject.with_aad = "hi"
+      end
+
+      it "encrypts the value with the string returned for auth data" do
+        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad[subject]).and_call_original
+        subject.with_aad = "hello"
+      end
+      it "decrypts the encrypted value" do
+        subject.with_aad = "hello"
+        expect(subject.with_aad).to eq("hello")
+      end
+    end
+
+  end
+
+
+end

data/spec/key_spec.rb

@@ -77,8 +77,8 @@ describe Slosilo::Key do
     end
   end
   
-  let(:ciphertext) { "\x8B\xE6\xEC\x8C\xAB\xA4\xC0\x8EF\"\x0F\xD5Yh\xA1\aq\x00\xF5\xAC\xAB\v\a\xEC\xF6G\xA6\e\x14N\xFF\x11\x98\xDA\x19\xB5\x8994_:\xA0\xF8\x06l\xDC\x9B\xB1\xE8z\x83\xCC\x9A\x02E\x02tOhu\x92F]h".force_encoding("ASCII-8BIT") }
-  let(:skey) { "\x15\xFF\xD4>\x9C\xF4\x0F\xB6\x04C\x18\xC1\x96\xC3\xE0T\xA3\xF5\xE8\x17\xA6\xE0\x86~rrw\xC3\xDF\x11)$\x9B\r@\x0E\xE4Zv\rw-\xFC\x1C\x84\x17\xBD\xDB\x12u\xCD\r\xFEo\xD5\xC8[\x8FEA\\\xA9\xA2F#\x8BH -\xFA\xF7\xA9\xEBf\x97\xAAT}\x8E*\xC0r\x944p\xD0\x9A\xE7\xBD\a;O\f\xEF\xE4B.y\xFA\xB4e@O\xBB\x15>y\xC9\t=\x01\xE1J\xF3X\xA9\x9E3\x04^H\x1F\xFF\x19C\x93ve)@\xF7\t_\xCF\xDE\xF1\xB7]\x83lL\xB8%A\x93p{\xE9Y\xBAu\xCE\x99T\xDC\xDF\xE7\x0FD%\xB9AXb\x1CW\x94$P\xBB\xE1g\xDEE\t\xC4\x92\x9E\xFEt\xDF\xD0\xEA\x03\xC4\x12\xA9\x02~u\xF4\x92 ;\xA0\xCE.\b+)\x05\xEDo\xA5cF\xF8\x12\xD7F\x97\xE44\xBF\xF1@\xA5\xC5\xA8\xE5\a\xE8ra<\x04\xB5\xA2\f\t\xF7T\x97\e\xF5(^\xAB\xA5%84\x10\xD1\x13e<\xCA/\xBF}%\xF6\xB1%\xB2".force_encoding("ASCII-8BIT") }
+  let(:ciphertext){ "G\xAD^\x17\x11\xBBQ9-b\x14\xF6\x92#Q0x\xF4\xAD\x1A\x92\xC3VZW\x89\x8E\x8Fg\x93\x05B\xF8\xD6O\xCFGCTp\b~\x916\xA3\x9AN\x8D\x961\x1F\xA3mSf&\xAD\xA77/]z\xA89\x01\xA7\xA9\x92\f".force_encoding('ASCII-8BIT') }
+  let(:skey){  "\x82\x93\xFAA\xA6wQA\xE1\xB5\xA6b\x8C.\xCF#I\x86I\x83u\x99\rTA\xEF\xC4\x91\xC5)-\xEBQ\xB1\xC0\xC6\xFF\x90L\xFE\x1E\x15\x81\x12\x16\xDD:A\xC5d\xE1B\xD2f@\xB8o\xB7+N\xB7\n\x92\xDC\x9E\xE3\x83\xB8>h\a\xC7\xCC\xCF\xD0t\x06\x8B\xA8\xBF\xEFe\xA4{\x88\f\xDD\roF\xEB.\xDA\xBF\x9D_0>\xF03c'\x1F!)*-\x19\x97\xAC\xD2\x1F(,6h\a\x93\xDB\x8E\x97\xF9\x1A\x11\x84\x11t\xD9\xB2\x85\xB0\x12\x7F\x03\x00O\x8F\xBE#\xFFb\xA5w\xF3g\xCF\xB4\xF2\xB7\xDBiA=\xA8\xFD1\xEC\xBF\xD7\x8E\xB6W>\x03\xACNBa\xBF\xFD\xC6\xB32\x8C\xE2\xF1\x87\x9C\xAE6\xD1\x12\vkl\xBB\xA0\xED\x9A\xEE6\xF2\xD9\xB4LL\xE2h/u_\xA1i=\x11x\x8DGha\x8EG\b+\x84[\x87\x8E\x01\x0E\xA5\xB0\x9F\xE9vSl\x18\xF3\xEA\xF4NH\xA8\xF1\x81\xBB\x98\x01\xE8p]\x18\x11f\xA3K\xA87c\xBB\x13X~K\xA2".force_encoding('ASCII-8BIT') }
   describe '#decrypt' do
     it "decrypts the symmetric key and then uses it to decrypt the ciphertext" do
       expect(subject.decrypt(ciphertext, skey)).to eq(plaintext)

data/spec/symmetric_spec.rb

@@ -3,34 +3,56 @@ require 'spec_helper'
 describe Slosilo::Symmetric do
   # TODO transform it to class methods only?
   let(:plaintext) { "quick brown fox jumped over the lazy dog" }
+  let(:auth_data) { "some record id" }
   let(:key) { "^\xBAIv\xDB1\x0Fi\x04\x11\xFD\x14\xA7\xCD\xDFf\x93\xFE\x93}\v\x01\x11\x98\x14\xE0;\xC1\xE2 v\xA5".force_encoding("ASCII-8BIT") }
-  let(:iv) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED".force_encoding("ASCII-8BIT") }
-  let(:ciphertext) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED\x15\xC9r\xC9\xEE\xB9\xBC5\xB7\ni\x0F\f\xC8X\x80 h\a\xF4\xA6\xE3\x15\x9D\xF1-\xE5\bs\xF6\x02Z\x0F\xCD|S\x1A\xAA\x9At\xEFT\x17\xA5lT\x8C\xF3".force_encoding("ASCII-8BIT") }
+  let(:iv) { "\xD9\xABn\x01b\xFA\xBD\xC2\xE5\xEA\x01\xAC".force_encoding("ASCII-8BIT") }
+  let(:ciphertext) { "G^W1\x9C\xD4\xCC\x87\xD3\xFF\x86[\x0E3\xC0\xC8^\xD9\xABn\x01b\xFA\xBD\xC2\xE5\xEA\x01\xAC\x9E\xB9:\xF7\xD4ebeq\xDC \xC0sG\xA4\xAE,\xB8A|\x97\xBC\xFD\x85\xE1\xB93\x95>\xBD\n\x05\xFB\x15\x1F\x06#3M9".force_encoding('ASCII-8BIT') }
+
   describe '#encrypt' do
-    it "encrypts with AES-256-CBC" do
+    it "encrypts with AES-256-GCM" do
       allow(subject).to receive_messages random_iv: iv
-      expect(subject.encrypt(plaintext, key: key)).to eq(ciphertext)
+      expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
     end
   end
   
   describe '#decrypt' do
-    it "decrypts with AES-256-CBC" do
-      expect(subject.decrypt(ciphertext, key: key)).to eq(plaintext)
+    it "decrypts with AES-256-GCM" do
+      expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
+    end
+
+
+    context "when the ciphertext has been messed with" do
+      let(:ciphertext) {  "pwnd!" } # maybe we should do something more realistic like add some padding?
+      it "raises an exception" do
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception
+      end
+      context "by adding a trailing 0" do
+        let(:new_ciphertext){ ciphertext + '\0' }
+        it "raises an exception" do
+          expect{ subject.decrypt(new_ciphertext, key: key, aad: auth_data) }.to raise_exception
+        end
+      end
     end
-    
-    context "when ciphertext happens to end in a zero" do
-      let(:ciphertext) { "\x7F\xD6\xEAb\xE56\a\xD3\xC5\xF2J\n\x8C\x8Fg\xB7-\\\x8A\fh\x18\xC8\x91\xB9 \x97\xC9\x12\xE6\xA6\xAE\xB1I\x1E\x80\xAB\xD8\xDC\xBD\xB6\xCD\x9A\xA3MH\xA8\xB0\xC7\xDA\x87\xA7c\xD75,\xD2A\xB8\x9E\xE3o\x04\x00" }
-      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
-      it "works correctly" do
-        expect(subject.decrypt(ciphertext, key: key)).to eq("R6KNTQ4aUivojbaqhgAqj1I4PaF8h/5/YcENy4uNbfk=")
+
+    context "when no auth_data is given" do
+      let(:auth_data){""}
+      let(:ciphertext){ "Gm\xDAT\xE8I\x9F\xB7\xDC\xBB\x84\xD3Q#\x1F\xF4\x8C\aV\x93\x8F_\xC7\xBC87\xC9U\xF1\xAF\x8A\xD62\x1C5H\x86\x17\x19=B~Y*\xBC\x9D\eJeTx\x1F\x02l\t\t\xD3e\xA4\x11\x13y*\x95\x9F\xCD\xC4@\x9C"}
+
+      it "decrypts the message" do
+        expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
+      end
+
+      context "and the ciphertext has been messed with" do
+        it "raises an exception" do
+          expect{ subject.decrypt(ciphertext + "\0\0\0", key: key, aad: auth_data)}.to raise_exception
+        end
       end
     end
 
-    context "when the iv ends in space" do
-      let(:ciphertext) { "\xC0\xDA#\xE9\xE1\xFD\xEDJ\xADs4P\xA9\xD6\x92 \xF7\xF8_M\xF6\x16\xC2i$\x8BT^\b\xA1\xB2L&\xE9\x80\x02[]6i\x9B\xD3\xC3\xED\xA9\xD1\x94\xE8\x15\xFD\xDA\xFEUj\xC5upH*\xBF\x82\x15le" }
-      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
-      it "works correctly" do
-        expect(subject.decrypt(ciphertext, key: key)).to eq("zGptmL3vd4obi1vqSiWHt/Ias2k+6qDtuq9vdow8jNA=")
+    context "when the auth data doesn't match" do
+      let(:auth_data){ "asdf" }
+      it "raises an exception" do
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: slosilo
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Rafał Rzepecki
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-20 00:00:00.000000000 Z
+date: 2014-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -138,6 +138,7 @@ files:
 - lib/slosilo/version.rb
 - lib/tasks/slosilo.rake
 - slosilo.gemspec
+- spec/encrypted_attributes_spec.rb
 - spec/file_adapter_spec.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb
@@ -166,11 +167,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Store SSL keys in a database
 test_files:
+- spec/encrypted_attributes_spec.rb
 - spec/file_adapter_spec.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb