I’ve started working on a simple credentials manager app that runs on the console and I wanted the credentials that are kept on file to be encrypted for obvious reasons. The app is written in C++ and I needed to find and work with an appropriate encryption library.
I’ve tried using two libraries: OpenSSL and Tiny-AES-C. OpenSSL is meant to be a hardened production ready library and it’s trusted by many. Using the libCrypto API that comes with OpenSSL proved to be a challenge to get working with though. I guess with such a powerful library you need to understand all setup and config it provides and I didn’t have the time and energy to dig too deep on that.
Giving up on OpenSSL, I tried my luck with Tiny-AES-C as it’s a far simpler C library that implements just the AES encryption algorithm. AES seems to be the “most” secure algorithm at this time (2020) so seems like a good option to go with. You can find the Tiny-AES-C project on GitHub: https://github.com/kokke/tiny-AES-c. You’d need to compile the library to use it in your project. Reading the Makefile in the project indicates various build options one of which is to build the lib target:
Using Tiny-AES-C took an attempt or two but I’ve managed to create a sample app that handles the following:
- Padding plain text to block length of 16
- Encrypting plain text
- Decrypting plain text
- Identifying and removing padding from decrypted text
My example Tiny-AES-C usage project can be found here https://github.com/AdhirRamjiawan/Tiny-AES-C-Example
Some considerations to have after getting my example app working:
- You need to ensure that the buffer size used for encryption/decryption is a multiple of 16 else you’ll get strange buffer overrun issues.
- With AES CBC algorithm you need to employ some padding mechanism. Padding should be done to ensure block size of 16, so the total length of the text to be encrypted should be a multiple of 16.
- The Key and IV (Initial Vector) parameters should NOT be kept in your code. I’ve kept it in the example app as a frame of reference going forward. Ideally you should consider using an environment variable or maybe another file containing this info.
- Ideally the Key should be derived from a passphrase or similar (need to expand on this)
- Ideally the IV should be generated using a psuedorandom number generator. (need to expand on this)