CryptoProject

Current specification and documentation: https://github.com/emboss/krypt/wiki

A project for a new Ruby crypto library.

Status: project building

Motivation

From an implementation point of view:

  • independence of crypto primitives from OpenSSL
  • more code in Ruby for flexibility

Martin Boßlet is going to talk about this project as a part of his presentation at RubyConf 2011. http://rubyconf.org/presentations/38

Ruby OpenSSL: Present, Future and why it matters
30 Sep 11:15 (2nd day)

Goals

  • keep the good parts, improve the rest
  • specification for the "minimal API"
  • documentation
  • ideally just replace 'OpenSSL::' by 'Crypto::'
  • security by default
  • K I S S - simple default, but fully configurable
  • forbid dangerous configuration (well, not really)

Other useful additions (if possible)

  • integration of “secure storage”
  • engine integration (PKCS#11, ...)

Strategy

  • Take existing implementation
    • Iterate API (API for user) design through 2 implementations
    • An implementation based on ossl+OpenSSL
    • An implementation based on jruby-ossl+JCE (for JRuby)
    • Design SPI (API for engine; NSS, PKCS#11) later
    • Make it work and release as soon as possible
  • Replace it step by step
    • Graceful migration from ossl
    • Existing scripts which use basic ossl features should work with just replacing OpenSSL -> Crypto
    • [1] is what gotoyuzo and I discussed about the hierarchy in August.
  • Using DER as universal serialization format
  • release as a gem first
    • gem name? (crypt and crypto are not available on rubygems.org)

Implementation

  • Asn1::Template
    • > 50% of current ext/openssl is about ASN.1
    • use Asn1::Template by emboss
    • more code in Ruby
  • crypto primitives

    • flesh out minimal API to support crypto primitives: Cipher / Digest / ASN1 / RSA / DSA / ECC

          class ASN1
            def self.decode(der)
            end

            def self.to_der
            end

            # ...
          end

    • multiple implementations of this minimal API possible
      • OpenSSL
      • jruby-ossl/JCE
      • Mozilla NSS ?
      • GNU gcrypt ?
      • CAPI (Windows) ?
      • CommonCrypto (OS X) ?

  • use Asn1::Template and the minimal API to implement the rest
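
A sketch of what "more code in Ruby" could look like for the ASN.1 part: a pure-Ruby reader for DER, the serialization format named under Strategy, behind a `decode(der)` entry point shaped like the minimal API above. This is an added example, not krypt or Asn1::Template code; `DerSketch`, `Node` and the method names are assumptions, and the sketch ignores the tag class and high tag numbers.

```ruby
# Hypothetical sketch: DerSketch, Node and the method names are assumptions, not krypt API.
module DerSketch
  Node = Struct.new(:tag, :constructed, :value)

  # Decode one DER TLV starting at pos; returns [Node, next_pos].
  def self.read_tlv(bytes, pos = 0)
    id = bytes.getbyte(pos) || raise(ArgumentError, 'truncated: no identifier')
    raise ArgumentError, 'high tag numbers not handled here' if id & 0x1f == 0x1f
    first = bytes.getbyte(pos + 1) || raise(ArgumentError, 'truncated: no length')
    pos += 2
    if first < 0x80
      len = first
    else
      n = first & 0x7f
      raise ArgumentError, 'indefinite length is not DER' if n.zero?
      raise ArgumentError, 'truncated length' if pos + n > bytes.bytesize
      len = bytes.byteslice(pos, n).bytes.inject(0) { |a, b| (a << 8) | b }
      # DER requires the shortest possible length encoding.
      raise ArgumentError, 'non-minimal length' if len < 0x80 || bytes.getbyte(pos).zero?
      pos += n
    end
    raise ArgumentError, 'truncated value' if pos + len > bytes.bytesize
    body = bytes.byteslice(pos, len)
    constructed = (id & 0x20) != 0
    value = constructed ? read_all(body) : body
    [Node.new(id & 0x1f, constructed, value), pos + len]
  end

  # Decode consecutive TLVs (the content of a constructed value).
  def self.read_all(bytes)
    nodes = []
    pos = 0
    while pos < bytes.bytesize
      node, pos = read_tlv(bytes, pos)
      nodes << node
    end
    nodes
  end

  # Entry point in the shape of the minimal API's decode(der); rejects trailing bytes.
  def self.decode(der)
    node, pos = read_tlv(der.b)
    raise ArgumentError, 'trailing data' unless pos == der.bytesize
    node
  end
end

# Constructed sample: DER for SEQUENCE { INTEGER 65537, OCTET STRING "krypt" }.
SAMPLE_DER = ['300c02030100010405' + '6b72797074'].pack('H*')
ROOT = DerSketch.decode(SAMPLE_DER)
```

Rejecting indefinite and non-minimal lengths is what separates a DER reader from a BER one: each value has exactly one accepted encoding, which matters when the bytes being parsed are also the bytes being signed or hashed.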

Class hierarchy

  • Crypto
    • ASN1
    • Cipher
    • CMS
      • EncryptedData
      • SignedData
    • Digest
    • HMAC
    • OCSP
    • PKey
      • RSA
      • DSA
      • DH
    • PKCS7 (-> CMS::SignedData)
    • PKCS12
    • Random
    • SSL
      • SSLSocket
      • SSLServer
    • Timestamp
    • X509
      • Certificate
      • CRL
      • Name
      • Request

Who?

Those who are interested in participating, please contact us.