Skip to content

Add AEAD encryption#23

Merged
ioquatix merged 11 commits intorack:mainfrom
jcmfernandes:aead
Jun 9, 2023
Merged

Add AEAD encryption#23
ioquatix merged 11 commits intorack:mainfrom
jcmfernandes:aead

Conversation

@jcmfernandes
Copy link
Contributor

@jcmfernandes jcmfernandes commented Apr 9, 2023
edited
Loading

As explained in #22, I know I'm not the first bringing this up, but almost 6 years have passed since that thread was created, and, IMHO, the landscape has changed enough to consider once again adding AEAD encryption to rack-session.

Here's a benchmark I wrote:

#!/usr/bin/env ruby

require 'benchmark/ips'
require 'securerandom'

require_relative '../lib/rack/session'
require_relative '../lib/rack/session/encryptor'

DATA = SecureRandom.alphanumeric(4 * 2**10).slice!(0, 4096)

SECRET = SecureRandom.random_bytes(64)
CONFIG = {}

ENCRYPTOR_V1 = Rack::Session::Encryptor::V1.new(SECRET, CONFIG)
ENCRYPTOR_V2 = Rack::Session::Encryptor::V2.new(SECRET, CONFIG)

Benchmark.ips do |x|
  x.report('v1 encrypt') do
    ENCRYPTOR_V1.encrypt(DATA)
  end

  x.report('v2 encrypt') do
    ENCRYPTOR_V2.encrypt(DATA)
  end

  x.compare!
end

ENCRYPTED_DATA_V1 = ENCRYPTOR_V1.encrypt(DATA)
ENCRYPTED_DATA_V2 = ENCRYPTOR_V2.encrypt(DATA)

Benchmark.ips do |x|
  x.report('v1 decrypt') do
    ENCRYPTOR_V1.decrypt(ENCRYPTED_DATA_V1)
  end

  x.report('v2 decrypt') do
    ENCRYPTOR_V2.decrypt(ENCRYPTED_DATA_V2)
  end

  x.compare!
end

TARGET = -1
ENCRYPTED_DATA_V1[TARGET] = "\0"
ENCRYPTED_DATA_V2[TARGET] = "\0"

Benchmark.ips do |x|
  x.report('v1 decrypt tampered') do
    ENCRYPTOR_V1.decrypt(ENCRYPTED_DATA_V1)
  rescue Rack::Session::Encryptor::Error
    nil
  else
    raise "Shouldn't be here!"
  end

  x.report('v2 decrypt tampered') do
    ENCRYPTOR_V2.decrypt(ENCRYPTED_DATA_V2)
  rescue Rack::Session::Encryptor::Error
    nil
  else
    raise "Shouldn't be here!"
  end

  x.compare!
end

and got these results:

Warming up --------------------------------------
          v1 encrypt     2.991k i/100ms
          v2 encrypt     3.756k i/100ms
Calculating -------------------------------------
          v1 encrypt     29.661k (± 1.6%) i/s -    149.550k in   5.043342s
          v2 encrypt     37.928k (± 1.7%) i/s -    191.556k in   5.052004s

Comparison:
          v2 encrypt:    37927.9 i/s
          v1 encrypt:    29660.9 i/s - 1.28x  slower

Warming up --------------------------------------
          v1 decrypt     2.999k i/100ms
          v2 decrypt     4.857k i/100ms
Calculating -------------------------------------
          v1 decrypt     31.843k (± 0.9%) i/s -    161.946k in   5.086207s
          v2 decrypt     50.303k (± 3.1%) i/s -    252.564k in   5.025839s

Comparison:
          v2 decrypt:    50302.8 i/s
          v1 decrypt:    31842.9 i/s - 1.58x  slower

Warming up --------------------------------------
 v1 decrypt tampered    10.339k i/100ms
 v2 decrypt tampered    24.053k i/100ms
Calculating -------------------------------------
 v1 decrypt tampered    103.586k (± 0.6%) i/s -    527.289k in   5.090543s
 v2 decrypt tampered    240.950k (± 0.4%) i/s -      1.227M in   5.091206s

Comparison:
 v2 decrypt tampered:   240949.6 i/s
 v1 decrypt tampered:   103585.8 i/s - 2.33x  slower

@jcmfernandes
Copy link
Contributor Author

jcmfernandes commented Apr 14, 2023

Some tests are failing on jruby because, unlike cruby, OpenSSL::Cipher#auth_tag doesn't accept arguments. 😢

@ioquatix
Copy link
Member

ioquatix commented Apr 15, 2023

It would help a lot to split out cosmetic changes into separate PRs. i.e. the missing file, syntax/formatting changes, etc.

@ioquatix ioquatix enabled auto-merge (squash) June 9, 2023 12:57
@ioquatix ioquatix disabled auto-merge June 9, 2023 12:58
@ioquatix ioquatix merged commit d2f080c into rack:main Jun 9, 2023
@dentarg dentarg mentioned this pull request Jan 10, 2024
Closed
@dentarg
Copy link
Contributor

dentarg commented Jan 17, 2024

Unfortunately this PR brought jruby/jruby-openssl#290 for JRuby users

@dentarg dentarg mentioned this pull request Jan 17, 2024
Merged
@jcmfernandes jcmfernandes mentioned this pull request Jan 17, 2024
Merged
@jcmfernandes
Copy link
Contributor Author

jcmfernandes commented Jan 17, 2024

Unfortunately this PR brought jruby/jruby-openssl#290 for JRuby users

Thanks for reporting this. I opened #32.

ioquatix pushed a commit that referenced this pull request Jan 4, 2025
@jcmfernandes @ioquatix
Add AEAD encryption (#23)
9264560
ioquatix pushed a commit that referenced this pull request May 6, 2025
@jcmfernandes @ioquatix
Add AEAD encryption (#23)
ed44887
ioquatix pushed a commit that referenced this pull request May 9, 2025
@jcmfernandes @ioquatix
Add AEAD encryption (#23)
7727185
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jcmfernandes @ioquatix @dentarg