vectordotdev / vrl

Vector Remap Language
Mozilla Public License 2.0

Extract iv from ciphertext #941

Open vaboston opened 2 months ago

vaboston commented 2 months ago

Based on what the following Logstash plugin does: https://github.com/logstash-plugins/logstash-filter-cipher/blob/main/lib/logstash/filters/cipher.rb#L179

  def do_decrypt(ciphertext_with_iv)
    ciphertext_with_iv = Base64.strict_decode64(ciphertext_with_iv) if @base64 == true
    encoded_iv = ciphertext_with_iv.byteslice(0..@iv_random_length)
    ciphertext = ciphertext_with_iv.byteslice(@iv_random_length..-1)

    with_cipher do |cipher|
      cipher.iv = encoded_iv
      plaintext = cipher.update(ciphertext) + cipher.final
      plaintext.force_encoding("UTF-8")
      plaintext
    end
  end

Would it be possible to add an option to specify the IV size, and do the extraction in the code? Currently, I am extracting via slices, but it would be much more convenient to have a dedicated option. Thanks!

jszwedko commented 2 months ago

Hi @vaboston! Can you provide an example of the VRL code you would like to write but can't currently? I think that'll help me understand the request better.

vaboston commented 2 months ago

Hi, I can decrypt my ciphertext, but I need to use slice with byte manipulation on raw data; it's not very intuitive. Before, I used Logstash and there was a dedicated field for the size of the IV; it seemed more logical to me that the extraction operation was done in the code. My code in Vector:

      base64_decoded = decode_base64!(.my.data)
      iv = slice!(base64_decoded, 0, 16)
      .encrypted_message = slice!(base64_decoded, 16)
      .test = decrypt!(.encrypted_message, "AES-128-CBC-PKCS7", "my_key", iv)

It's more an improvement proposal than an issue.

jszwedko commented 2 months ago

Thanks @vaboston. I appreciate you sharing the code you currently have. Could you share the code you want to write? That is, what would your example look like, ideally?

vaboston commented 2 months ago

Ideally, something like:

      iv_key_size = 16
      .test = decrypt!(.encrypted_message, "AES-128-CBC-PKCS7", "my_key")

or in an env var or something like that. I don't know the Vector configuration well enough to propose something consistent with the rest of the configuration.

jszwedko commented 2 months ago

Thanks! I think I see. It would need to be a parameter to the decrypt function to indicate that the iv should be extracted from the ciphertext (and what its size is).

Let me move this to the VRL repository.
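
The layout this thread is about, base64(IV || ciphertext) for AES-128-CBC, shown end to end as an added Ruby example; it is not code from the issue, from Vector/VRL, or from the Logstash plugin. The helper names, the sample key and the 16-byte default IV size are assumptions made for illustration.

```ruby
require "openssl"
require "base64"

CIPHER_NAME = "aes-128-cbc" # OpenSSL applies PKCS#7 padding to CBC by default
KEY = "0123456789abcdef"    # constructed 16-byte sample key, not a real secret

# Hypothetical helper: encrypt and emit base64(IV || ciphertext).
def encrypt_with_iv_prefix(plaintext, key)
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh random IV per message; also sets it on the cipher
  Base64.strict_encode64(iv + cipher.update(plaintext) + cipher.final)
end

# Hypothetical helper: split base64(IV || ciphertext) at iv_size bytes, then decrypt.
def decrypt_with_iv_prefix(encoded, key, iv_size = 16)
  raw = Base64.strict_decode64(encoded)
  cipher = OpenSSL::Cipher.new(CIPHER_NAME).decrypt
  cipher.key = key
  # PKCS#7 always adds padding, so valid input is the IV plus at least one block.
  if raw.bytesize < iv_size + cipher.block_size
    raise ArgumentError, "input shorter than IV plus one cipher block"
  end
  cipher.iv = raw.byteslice(0, iv_size)      # exactly the first iv_size bytes
  ciphertext = raw.byteslice(iv_size..-1)    # everything after the IV
  (cipher.update(ciphertext) + cipher.final).force_encoding("UTF-8")
end
```

The IV is not secret, which is why it can travel in front of the ciphertext; it only has to be fresh and unpredictable for each message, so two encryptions of the same plaintext produce different output.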