Byzantine Reality

Searching for Byzantine failures in the world around us

Multi-Language Encryption Sucks

While toiling over encrypting data between Ruby and Python via SOAP, I am hopelessly reminded of the Law of Leaky Abstractions:

All non-trivial abstractions, to some degree, are leaky.

For those not familiar with the original article, the idea is something like this: abstractions are great and wonderful and hide enough complexity from you that you can actually get some useful work done. But since nothing is perfect, every abstraction has some point where it breaks down and can become a pain in the ass. For example…

The Ruby AES library is amazing for encrypting and decrypting data in simple programs. Whereas Python forces you to use strings that are multiples of 16 in length, Ruby just lets you do as you like. But that’s where the Law of Leaky Abstractions comes in.

Since you aren’t forced to pad your strings to multiples of 16 in length, the library does it for you. But now when you try to communicate with Python over AES, you start seeing your string with a load of garbage characters on the end. And here’s where the abstraction breaks down. Since AES requires you to put data in multiples of 128 bits (16 bytes), the library pads your strings for you.

This would possibly be fine if they happened to mention it (the rubyforge page has pretty low traffic and no real readme files), but now it requires you to break the abstraction, pad your strings when you send them, and chop them off when you get them back. And now you need an extra parameter for each parameter you want to encrypt since you need to know the length of the thing you’re encrypting. Arg!
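An added example, not code from the original post or from the Ruby AES library it describes: if both ends agree on PKCS#7 padding (an assumption; the post does not say which scheme the library uses), the padding encodes its own length, so no extra length parameter is needed. It uses Ruby's standard OpenSSL bindings, and the helper names are hypothetical.

```ruby
require 'openssl'

BLOCK = 16 # AES block size in bytes

# PKCS#7: append N bytes of value N (N = 1..16); aligned input gets a
# whole extra block, so the padding can always be removed unambiguously.
def pkcs7_pad(data)
  n = BLOCK - (data.bytesize % BLOCK)
  data.b + (n.chr * n).b
end

# Strip PKCS#7 padding, rejecting anything malformed.
def pkcs7_unpad(padded)
  raise ArgumentError, 'bad length' if padded.empty? || padded.bytesize % BLOCK != 0
  n = padded.getbyte(-1)
  raise ArgumentError, 'bad padding length' unless n.between?(1, BLOCK)
  raise ArgumentError, 'bad padding bytes' unless padded.byteslice(-n, n).bytes.all? { |b| b == n }
  padded.byteslice(0, padded.bytesize - n)
end

# AES-128-CBC over data that is already padded; the cipher's own padding
# is switched off so both ends see exactly the same bytes.
def aes_cbc(mode, key, iv, data)
  cipher = OpenSSL::Cipher.new('aes-128-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.padding = 0
  cipher.update(data) + cipher.final
end

# Returns [what a peer that does not unpad sees, the recovered message].
def roundtrip(message, key, iv)
  ciphertext = aes_cbc(:encrypt, key, iv, pkcs7_pad(message))
  raw = aes_cbc(:decrypt, key, iv, ciphertext)
  [raw, pkcs7_unpad(raw)]
end

# Constructed sample values; a real key and IV come from a CSPRNG like this.
KEY = OpenSSL::Random.random_bytes(16)
IV  = OpenSSL::Random.random_bytes(16)
raw, clean = roundtrip('hello from ruby', KEY, IV)
p raw    # => "hello from ruby\x01"  (the trailing "garbage" is the pad byte)
p clean  # => "hello from ruby"
```

CBC with an unauthenticated padding check can act as a padding oracle when errors are observable, so authenticate the ciphertext (for example with an HMAC) and verify it before calling `pkcs7_unpad`.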

Getting SOAP to work with SSL is also a pain in the ass in Ruby. I guess everyone assumes Rails is the only thing needing SSL so it gets first-class treatment and everyone else gets put to the curb. In fact, I apparently have had enough trouble with it that my StackOverflow question on it is the first response on Google to ‘ruby soap ssl’. So since I’ve already bitched about that there, I’ll keep it to a minimum here.

The error messages are vague and unhelpful, and since not that many people online have apparently tried this, it’s a huge pain in the ass. So for you at home, read this code snippet and make sure you include this:

require 'webrick/https'

And in the client, don’t verify the server’s certificate (probably not a good long-term idea, since without verification the client can’t tell the real server from an impostor).


Anywho, hopefully that saves someone a ton of grief (likely me) down the line.