How to resolve deprecation warnings for OpenSSL::Cipher::Cipher#encrypt

I just upgraded my Mac to Snow Leopard and got the Rails environment up and running. The only difference, OS X aside, from my previous installation is that I am now running ruby 1.8.7 (2008-08-11 patchlevel 72) [universal-darwin10.0] (the Snow Leopard default) rather than 1.8.6.

Now I see deprecation warnings related to OpenSSL when I run my code:

warning: argumtents for OpenSSL::Cipher::Cipher#encrypt and OpenSSL::Cipher::Cipher#decrypt were deprecated; use OpenSSL::Cipher::Cipher#pkcs5_keyivgen to derive key and IV

An example of my code causing these warnings (it decodes the encrypted string) on line 4:

1. def decrypt(data)
2.  encryptor = OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC')
3.  key = "my key"
4.  encryptor.decrypt(key)
5.  text = encryptor.update(data)
6.  text << encryptor.final
7. end

      

I am struggling to figure out how I can solve this, and Google is not really helping. Should I try to downgrade to Ruby 1.8.6 (and if so, what's the best way to do this?), should I try to just hide the warnings (bury my head in the sand?!), or is there an easy solution I can apply in code?

+2




2 answers


Due to the implicit type conversion in Ruby, older Ruby allowed people to use PBE (password-based encryption) completely wrong. The new warning is a good thing.

This example shows exactly the problem. Triple-DES requires 24 bytes of key material (including parity), but you only provided 6 bytes. Your key material will be repeated to fill the deficit, resulting in a less secure key.

The correct way to do this is to generate the key and IV (initialization vector) with PKCS5, which uses complex hashing and iteration to make the key much more secure.



Ruby provides the following code example. pass is your key, and you can use any hard-coded value for salt.

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.pkcs5_keyivgen(pass, salt)
des.encrypt
cipher =  des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.pkcs5_keyivgen(pass, salt)
des.decrypt
out =  des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts

      

+3




ZZ Coder was close, but no cigar. In fact, you should never call Cipher#pkcs5_keyivgen before #decrypt or #encrypt. In practice, it will generally encrypt fine, but decryption will frequently fail. So the code should be:

puts "--Encrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.encrypt
des.pkcs5_keyivgen(pass, salt)
cipher =  des.update(text)
cipher << des.final
puts %(encrypted text: #{cipher.inspect})
puts

      



and

puts "--Decrypting--"
des = OpenSSL::Cipher::Cipher.new(alg)
des.decrypt
des.pkcs5_keyivgen(pass, salt)  
out =  des.update(cipher)
out << des.final
puts %(decrypted text: "#{out}")
puts

      

+1
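
The ordering from the second answer as a runnable round trip (an added example, not code from either answer). It uses OpenSSL::Cipher.new, the class name on current Ruby, and goes one step beyond the answers by generating a random 8-byte salt per message and storing it in front of the ciphertext. The helper names, the salt-prefix layout and the SHA256 digest argument are assumptions of this example.

```ruby
require 'openssl'

ALG      = 'DES-EDE3-CBC' # cipher from the question
SALT_LEN = 8              # pkcs5_keyivgen takes an 8-byte salt
ITER     = 2048           # the method's default iteration count, made explicit

# Build a cipher in the order the second answer gives:
# choose the direction first, then derive key and IV from the password.
def pbe_cipher(mode, pass, salt)
  cipher = OpenSSL::Cipher.new(ALG)
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  # Digest is this example's choice; the method's default is MD5.
  cipher.pkcs5_keyivgen(pass, salt, ITER, OpenSSL::Digest.new('SHA256'))
  cipher
end

# Returns salt + ciphertext (this layout is an assumption of the example).
def encrypt_message(pass, text)
  salt = OpenSSL::Random.random_bytes(SALT_LEN) # fresh salt per message
  cipher = pbe_cipher(:encrypt, pass, salt)
  salt + cipher.update(text) + cipher.final
end

# Returns the plaintext, or nil when the blob is too short or the padding
# check rejects the result (wrong password or damaged data).
def decrypt_message(pass, blob)
  return nil if blob.bytesize <= SALT_LEN
  salt = blob.byteslice(0, SALT_LEN)
  body = blob.byteslice(SALT_LEN, blob.bytesize - SALT_LEN)
  cipher = pbe_cipher(:decrypt, pass, salt)
  cipher.update(body) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

CBC with PKCS padding gives no integrity guarantee, so a wrong password is usually, but not always, caught by the padding check in decrypt_message.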








