Patrick Hurley
8/27/2006 2:30:00 AM
On 8/26/06, Cliff Cyphers <cdc@cyphers.dns2go.com> wrote:
> Does anybody know of an existing C extension that interfaces with ruby
> code for the sole purpose of hiding important encryption info, such as
> the SALT? When users write encrypt/decrypt methods it would be nice to
> call a C interface to obtain the salt/iv. This way general users would
> have a harder chance of cracking the encryption. Using this method,
> wouldn't about the only way to obtain the sensitive data be by reading each
> RAM address and trying to grab the value while that Ruby method executes
> while it's calling the C extension?
>
> If one doesn't exist, is this something other users would take advantage
> of if one was written?
>
> Look forward to all the suggestions!
>
>
I would suggest just compressing your salt and using zlib to
decompress -- do the operations in two different places. You only
store the compressed version in your code. You could further hide the
salt by using a bit of some part of your code or other reflective
"stuff" and just using the compressed version as the salt. Wrapping it
in a so will not be much stronger.
pth
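
The zlib approach from the reply, written out in Ruby as an added example that is not part of the original thread. It also shows, for contrast, a conventional layout in which the salt and IV are stored in the clear beside the ciphertext and the passphrase is the only secret. The sample salt, the function names and the PBKDF2 parameters are assumptions made for the illustration.

```ruby
require "zlib"
require "openssl"

# Constructed 16-byte sample salt, for illustration only.
SALT = ["000102030405060708090a0b0c0d0e0f"].pack("H*")

# "Place one": only the deflated form is embedded in the source.
COMPRESSED_SALT = Zlib::Deflate.deflate(SALT)

# "Place two": inflate at the point of use, as the reply suggests.
# Anyone who can read the code can make the same single call, so this
# is obfuscation rather than protection.
def recover_salt(blob = COMPRESSED_SALT)
  Zlib::Inflate.inflate(blob)
end

# The derived key depends on the passphrase; the salt only makes it unique.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, 100_000, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# Conventional layout: fresh random salt and IV per message, both kept
# unencrypted alongside the ciphertext and authentication tag.
def encrypt(passphrase, plaintext)
  salt = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(passphrase, salt)
  iv = cipher.random_iv
  cipher.auth_data = ""
  ct = cipher.update(plaintext) + cipher.final
  { salt: salt, iv: iv, tag: cipher.auth_tag, ct: ct }
end

# Decryption needs only the passphrase plus the public fields of the message.
# A wrong passphrase fails the GCM tag check and raises CipherError.
def decrypt(passphrase, msg)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(passphrase, msg[:salt])
  cipher.iv = msg[:iv]
  cipher.auth_tag = msg[:tag]
  cipher.auth_data = ""
  cipher.update(msg[:ct]) + cipher.final
end
```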