{"id":4477,"date":"2018-09-12T18:35:55","date_gmt":"2018-09-12T23:35:55","guid":{"rendered":"http:\/\/neosmart.net\/blog\/?p=4477"},"modified":"2018-09-12T18:36:17","modified_gmt":"2018-09-12T23:36:17","slug":"transparent-encryption-and-decryption-in-rust-with-cryptostreams","status":"publish","type":"post","link":"https:\/\/neosmart.net\/blog\/transparent-encryption-and-decryption-in-rust-with-cryptostreams\/","title":{"rendered":"Transparent encryption and decryption in rust with cryptostreams"},"content":{"rendered":"

\"\"<\/a>C# developers have long been spoiled when it comes to quickly and easily getting up and running with encryption thanks to the .NET CryptoStream<\/code>\u00a0 class<\/a>, which wraps a Stream<\/code>\u00a0instance in a second Stream<\/code>\u00a0that automatically encrypts\/decrypts anything read\/written to\/from it before passing it along to the underlying Stream<\/code>. Long story short, it makes it ridiculously easy to add encryption or decryption facilities to an existing pipeline, as after setting up the CryptoStream<\/code>\u00a0instance you can just treat it like any other Stream<\/code>\u00a0object and read or write to it normally.<\/p>\n

Encryption has been somewhat of a sore spot in the rust ecosystem after a few false starts with “native” rust encryption libraries that went nowhere, but today the rust community has fortunately adopted the OpenSSL bindings as the approach of choice, and the rust-openssl crate<\/a>\u00a0makes it easy to both bundle and consume the openssl bindings from rust in a cross-platform manner. What it\u00a0doesn’t<\/em> do is make encryption and decryption any easier than OpenSSL itself does.<\/p>\n

<\/p>\n

Enter the cryptostream<\/code>\u00a0crate. Released on github<\/a> and on crates.io<\/a> under the MIT public license, cryptostream<\/code>\u00a0finally provides an easy and transparent way to add encryption and decryption to pipelines involving objects implementing\u00a0Read<\/code>\u00a0or\u00a0Write<\/code>, making encryption (or decryption) as easy as creating a new cryptostream<\/code>\u00a0object, passing in an existing Read<\/code>\/Write<\/code>\u00a0impl, and then reading\/writing from\/to the cryptostream<\/code>\u00a0instead.<\/p>\n

Here’s an example that highlights just how easy it makes the process:<\/p>\n

let src: Vec =\r\n\tdecode(\"vuU+0SXFWQLu8vl\/o1WzmPCmf7x\/O6ToGQ162Aq2CHxcnc\/ax\/Q8nTbRlNn0OSPrFuE3yDdOVC35RmwtUIlxKIkWbnxJpRF5yRJvVByQgWX1qLW8DfMjRp7gVaFNv4qr7G65M6hbSx6hGJXvQ6s1GiFwi91q0V17DI79yVrINHCXdBnUOqeLGfJ05Edu+39EQNYn4dky7VdgTP2VYZE7Vw==\").unwrap();\r\nlet key: Vec<_> = decode(\"kjtbxCPw3XPFThb3mKmzfg==\").unwrap();\r\nlet iv: Vec<_> = decode(\"dB0Ej+7zWZWTS5JUCldWMg==\").unwrap();\r\n\r\n\/\/ The source can be any object implementing `Read`. \r\n\/\/ In this case, a simple &[u8] slice.\r\nlet mut decryptor = read::Decryptor::new(src.as_slice(),\r\n\t\t\t\t\t\t\t\t\t\t Cipher::aes_128_cbc(),\r\n\t\t\t\t\t\t\t\t\t\t &key, &iv).unwrap();\r\n\/\/ `decryptor` implements `Read`\r\n\r\nlet mut decrypted = [0u8; 1024]; \/\/ a buffer to decrypt into\r\nlet mut bytes_decrypted = 0;\r\n\r\nloop {\r\n\t\/\/ Just read from the `Decryptor` as if it were\r\n\t\/\/ any other `Read` impl. Decryption is automatic.\r\n\tlet read_count = decryptor.read(&mut decrypted[bytes_decrypted..])\r\n                                  .unwrap();\r\n\tbytes_decrypted += read_count;\r\n\tif read_count == 0 {\r\n\t\tbreak;\r\n\t}\r\n}\r\n\r\nprintln!(\"{}\", String::from_utf8_lossy(&decrypted));\r\n<\/code><\/pre>\n
Cryptography just doesn’t get any easier than this.<\/p>\n
As rust doesn’t offer a native Stream<\/code>\u00a0type and instead relies on the Read<\/code>\u00a0and Write<\/code>\u00a0traits to provide stream-like functionality, cryptostream<\/code>\u00a0is split into two types, one class acting as a Read<\/code>\u00a0adapter (to “pull” encrypted or decrypted bytes from an existing Read<\/code>\u00a0resource), and the other as a Write<\/code>\u00a0adapter (to “push” plaintext into an encrypted file or ciphertext into a plaintext file). Furthermore, each of these cryptostream<\/code>\u00a0types is implemented as both a Encryptor<\/code>\u00a0and Decryptor<\/code>\u00a0class, so that it is possible to perform any [read\/write] operation involving on-the-fly [encryption|decryption] of an existing [Read<\/code>|Write<\/code>] resource.<\/p>\n
This design is inspired by the excellent flate2<\/code>\u00a0crate<\/a>, which provides similar on-the-fly transformation of Read<\/code>\/Write<\/code>\u00a0objects for purposes involving compression and decompression.<\/em><\/p>\n
So all you have to do is choose one of the four cryptostream<\/code>\u00a0variants:<\/p>\n