如何在Rails中使用AES-128-GCM加密?

时间:2017-03-13 22:56:25

标签: ruby-on-rails fedora-25

我一直使用ActiveSupport::MessageEncryptor进行一些用户数据加密,使用默认的AES-256-CBC密码。看到Rails Issue #28135后,我想将AES-128-GCM转换为Rails has done for its secrets feature。我开始获得ActiveSupport::MessageEncryptor::InvalidMessage个例外,因此我根据MessageEncryptor example创建了一个简单的测试用例:

["aes-256-cbc", "aes-128-gcm"].each do |cipher|
  puts "Cipher: #{cipher}"
  salt  = SecureRandom.random_bytes(64)
  key   = ActiveSupport::KeyGenerator.new('password').generate_key(salt, 32)
  crypt = ActiveSupport::MessageEncryptor.new(key, cipher: cipher)
  encrypted_data = crypt.encrypt_and_sign('my secret data')
  puts crypt.decrypt_and_verify(encrypted_data)
end

输出:

Cipher: aes-256-cbc
my secret data
Cipher: aes-128-gcm
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
        from /home/kevin/.gem/ruby/gems/activesupport-5.0.2/lib/active_support/message_encryptor.rb:103:in `rescue in _decrypt'
        from /home/kevin/.gem/ruby/gems/activesupport-5.0.2/lib/active_support/message_encryptor.rb:91:in `_decrypt'
        from /home/kevin/.gem/ruby/gems/activesupport-5.0.2/lib/active_support/message_encryptor.rb:66:in `decrypt_and_verify'
        from /work/myplaceonline/src/src/myplaceonline_rails/app/lib/myp.rb:2287:in `block in play'
        from /work/myplaceonline/src/src/myplaceonline_rails/app/lib/myp.rb:2281:in `each'
        from /work/myplaceonline/src/src/myplaceonline_rails/app/lib/myp.rb:2281:in `play'
        from (irb):3
        from /home/kevin/.gem/ruby/gems/railties-5.0.2/lib/rails/commands/console.rb:65:in `start'
        from /home/kevin/.gem/ruby/gems/railties-5.0.2/lib/rails/commands/console_helper.rb:9:in `start'
        from /home/kevin/.gem/ruby/gems/railties-5.0.2/lib/rails/commands/commands_tasks.rb:78:in `console'
        from /home/kevin/.gem/ruby/gems/railties-5.0.2/lib/rails/commands/commands_tasks.rb:49:in `run_command!'
        from /home/kevin/.gem/ruby/gems/railties-5.0.2/lib/rails/commands.rb:18:in `<top (required)>'
        from bin/rails:4:in `require'
        from bin/rails:4:in `<main>'

我在Fedora 25 64位上使用Rails 5.0.2和openssl-1.0.2k-1(上面提到的Rails pull请求表明openssl 1.0.1应该支持AES-128-GCM)。我的openssl密码列表似乎支持GCM:

$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA

ruby​​ 2.3.3p222(2016-11-21修订版56859)[x86_64-linux]

1 个答案:

答案 0 :(得分:1)

示例中generate_key的第二个参数(key_size)对于aes-256-cbc必须为32字节,对于aes-128-gcm必须为16字节。