Beyond AES — Modern Encryption for Laravel with XChaCha20

blu3blaze

In today’s digital landscape, data encryption is an important part of every web application. This article explains why I developed a package that leverages Libsodium’s XChaCha20-Poly1305 encryption, and how it can strengthen your Laravel application’s security while reducing overhead.

Motivation and requirements

Laravel’s Crypt facade provides a convenient interface for encrypting and decrypting sensitive data, such as stateless authentication tokens or inter-service communication frames.

The framework’s default encryption implementation, based on AES-256-CBC via OpenSSL, is a generally secure and solid foundation, but there is room for improvement, especially where performance and usability are critical.

Modern Algorithm and Cipher

While AES-256-CBC via OpenSSL is still considered secure, it is becoming dated. Furthermore, its reliance on OpenSSL can introduce potential vulnerabilities depending on the specific OpenSSL version and configuration in use.

As of PHP 7.2, the Sodium extension is bundled with PHP core. Libsodium prioritizes modern, well-vetted cryptographic primitives such as XChaCha20-Poly1305 and Ed25519. While AES can be fast when hardware acceleration (AES-NI) is available, XChaCha20-Poly1305 is designed to run quickly as a pure software implementation and outperforms it without any special hardware instructions, as the following benchmark shows.

// Default AES-256-CBC Encrypter
$encrypter = new Illuminate\Encryption\Encrypter($key, 'aes-256-cbc');

$start = microtime(true);
$results = [];

for ($i = 0; $i < 1_000_000; $i++) {
  $results[] = $encrypter->encrypt(['user_id' => $i]);
}

$elapsed = microtime(true) - $start;
// 4.08 seconds
// Custom XChaCha20-Poly1305 Encrypter
$encrypter = new Blu3blaze\Encrypter\Encrypter($key);

$start = microtime(true);
$results = [];

for ($i = 0; $i < 1_000_000; $i++) {
  $results[] = $encrypter->encrypt(['user_id' => $i]);
}

$elapsed = microtime(true) - $start;
// 1.79 seconds

Significant optimization of token length

The built-in encrypter encodes the ciphertext, the initialization vector, and the authentication tag as a Base64 representation of a JSON object, which significantly increases the length of the token.
Switching to the XChaCha20 algorithm eliminates the need for the JSON wrapper: the nonce can simply be prepended to the ciphertext as a binary string.

// Default AES-256-CBC Encrypter
$encrypter = new Illuminate\Encryption\Encrypter($key, 'aes-256-cbc');

$token = $encrypter->encrypt([
   'user_id' => '10296ab5-88b8-4dff-b7cf-2840b879e6dc'
]);
// 312 characters
// Custom XChaCha20-Poly1305 Encrypter
$encrypter = new Blu3blaze\Encrypter\Encrypter($key);

$token = $encrypter->encrypt([
   'user_id' => '10296ab5-88b8-4dff-b7cf-2840b879e6dc'
]);
// 139 characters

Base64 in URL issue

The built-in encrypter uses the standard Base64 alphabet. Because of this, using a token as part of a URL path or as a GET parameter requires an additional transformation from Base64 to Base64URLSafe.
Encoding the ciphertext directly in Base64URLSafe has no disadvantages and allows tokens to be transferred safely in any environment.
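To make the two points above concrete (the nonce-prefixed binary layout and direct Base64URL encoding), here is an added example. It is my own illustration for this article, not the package's code and not from the original post: a random 24-byte nonce is prepended to the XChaCha20-Poly1305 output and the result is Base64URL-encoded without padding, so there is no JSON wrapper and no after-the-fact URL-safe transformation. The class name XChaChaTokenDemo, its method names and the sample payload are assumptions; the code relies only on the functions and constants of PHP's bundled Sodium extension and assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not the package's code): a minimal XChaCha20-Poly1305 token
// in the layout described above: nonce || ciphertext+tag, Base64URL, no padding.
final class XChaChaTokenDemo
{
    private const NONCE_BYTES = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24
    private const TAG_BYTES   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;    // 16

    public function __construct(private string $key)
    {
        // XChaCha20-Poly1305 requires a 32-byte key; refuse anything else up front.
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('Key must be exactly 32 bytes');
        }
    }

    public function encrypt(mixed $value): string
    {
        $plaintext = json_encode($value, JSON_THROW_ON_ERROR);
        // The 192-bit nonce is large enough to be drawn at random per message
        // without a realistic risk of reuse, which is what makes this layout safe.
        $nonce = random_bytes(self::NONCE_BYTES);
        $ciphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, '', $nonce, $this->key);
        // Binary concatenation instead of a JSON object, then URL-safe Base64 directly.
        return sodium_bin2base64($nonce . $ciphertext, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }

    public function decrypt(string $token): mixed
    {
        try {
            $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException) {
            throw new RuntimeException('Malformed token');
        }
        // A token shorter than nonce + tag cannot be valid; reject before slicing.
        if (strlen($raw) < self::NONCE_BYTES + self::TAG_BYTES) {
            throw new RuntimeException('Token too short');
        }
        $nonce = substr($raw, 0, self::NONCE_BYTES);
        $ciphertext = substr($raw, self::NONCE_BYTES);
        $plaintext = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ciphertext, '', $nonce, $this->key);
        if ($plaintext === false) {
            // Poly1305 tag mismatch: tampered ciphertext, wrong key, or wrong nonce.
            throw new RuntimeException('Token authentication failed');
        }
        return json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
    }
}

// Constructed usage: a fresh key and the same sample payload shape as the article.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$encrypter = new XChaChaTokenDemo($key);

$token = $encrypter->encrypt(['user_id' => '10296ab5-88b8-4dff-b7cf-2840b879e6dc']);
printf("token: %s (%d chars)\n", $token, strlen($token));
var_dump($encrypter->decrypt($token));

// Flip one character inside the ciphertext region (the nonce occupies the first
// 32 characters) and confirm the token is rejected instead of yielding garbage.
$tampered = $token;
$tampered[40] = $tampered[40] === 'A' ? 'B' : 'A';
try {
    $encrypter->decrypt($tampered);
} catch (RuntimeException $e) {
    echo 'tampered token: ', $e->getMessage(), "\n";
}
```

Both failure paths (undecodable Base64URL and a failed Poly1305 tag check) surface as exceptions rather than partial plaintext, which is the behaviour you want from anything that handles authentication tokens. The token printed here contains only the nonce, the ciphertext and the 16-byte tag, so its length is close to the raw binary size; the exact character count for the package itself is the one quoted above, since its internal layout may differ from this illustration.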

Getting Started

1) Install the package via Composer

composer require blu3blaze/laravel-xchacha20-encrypter

2) Add the service provider to the list in bootstrap/providers.php

<?php

return [
  // All other application providers, such as AppServiceProvider
  \Blu3blaze\Encrypter\EncrypterServiceProvider::class,
];

3) Use the Crypt facade, now backed by the XChaCha20-Poly1305 algorithm

use Illuminate\Support\Facades\Crypt;

$token = Crypt::encrypt([
  'user_id' => '73d430f0-d39e-4642-a37e-9ef791b90d11'
]);

/* TAl1Sz4DTspE8ZzTOC6Q.....Ug5t4XcWqoiB6CWRak9Y */

$tokenData = Crypt::decrypt($token);

/* ['user_id' => '73d430f0-d39e-4642-a37e-9ef791b90d11'] */

Conclusion

By adopting the blu3blaze/laravel-xchacha20-encrypter package, you can leverage the benefits of a modern encryption algorithm and unlock significant performance improvements in your Laravel applications. This translates to faster response times, reduced server load, and a more secure environment for your users’ data. Give it a try and see the difference for yourself!
