DEV Community: blu3blaze The latest articles on DEV Community by blu3blaze (@blu3blaze). https://dev.to/blu3blaze https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2179511%2F90c57008-f72f-4a6e-8efa-afd72c0b26f8.png DEV Community: blu3blaze https://dev.to/blu3blaze en Beyond AES — Modern Encryption for Laravel with XChaCha20 blu3blaze Tue, 08 Oct 2024 13:08:12 +0000 https://dev.to/blu3blaze/beyond-aes-modern-encryption-for-laravel-with-xchacha20-2d4g https://dev.to/blu3blaze/beyond-aes-modern-encryption-for-laravel-with-xchacha20-2d4g <p>In today’s digital landscape data encryption is an important part of every web application. This article explores why I developed a package, that leverages the power of Libsodium’s XChaCha20-Poly1305 encryption, and how it can supercharge your Laravel application’s security while minimizing overhead.</p> <h2> Motivation and requirements </h2> <p>Laravel’s framework Crypt Facade provides a convenient interface for the encryption and decryption of sensitive data, such as stateless authentication tokens or inter-service communication frames.</p> <p>The default framework’s encryption implementation, based on AES-256-CBC via OpenSSL, is a generally secure solid foundation, but there’s always room for improvement, especially when performance and usability are critical.</p> <h2> Modern Algorithm and Cipher </h2> <p>While AES-256-CBC via OpenSSL is still considered secure, is becoming dated. Furthermore, its reliance on OpenSSL can introduce potential vulnerabilities depending on the specific version and configuration.</p> <p>As of PHP 7.2, the Sodium extension is bundled with PHP Core. Libsodium prioritizes modern, well-vetted cryptographic primitives like XChaCha20-Poly1305 and Ed25519. While AES can be swift with hardware acceleration, XChaCha20-Poly1305, as software implementation, outperforms it without special hardware instructions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Default AES-256-CBC Encrypter</span> <span class="nv">$encrypter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Illuminate\Encryption\Encrypter</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="s1">'aes-256-cbc'</span><span class="p">);</span> <span class="nv">$start</span> <span class="o">=</span> <span class="nb">microtime</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nv">$results</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for</span> <span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="mi">1_000_000</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$results</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$encrypter</span><span class="o">-&gt;</span><span class="nf">encrypt</span><span class="p">([</span><span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$i</span><span class="p">]);</span> <span class="p">}</span> <span class="nv">$elapsed</span> <span class="o">=</span> <span class="nb">microtime</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="o">-</span> <span class="nv">$start</span><span class="p">;</span> <span class="c1">// 4.08 seconds</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Custom XChaCha20-Poly1305 Encrypter</span> <span class="nv">$encrypter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Blu3blaze\Encrypter\Encrypter</span><span class="p">(</span><span class="nv">$key</span><span class="p">);</span> <span class="nv">$start</span> <span class="o">=</span> <span class="nb">microtime</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="nv">$results</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for</span> <span class="p">(</span><span class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nv">$i</span> <span class="o">&lt;</span> <span class="mi">1_000_000</span><span class="p">;</span> <span class="nv">$i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$results</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$encrypter</span><span class="o">-&gt;</span><span class="nf">encrypt</span><span class="p">([</span><span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$i</span><span class="p">]);</span> <span class="p">}</span> <span class="nv">$elapsed</span> <span class="o">=</span> <span class="nb">microtime</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="o">-</span> <span class="nv">$start</span><span class="p">;</span> <span class="c1">// 1.79 seconds</span> </code></pre> </div> <h2> Significant optimization of token length </h2> <p>Built-in encryption encodes ciphertext, initialization vector, and tag value as Base64 representation of JSON object, which significantly increases the length of the token.<br> Switching to XChaCha20 algorithm eliminates the need to encode JSON, nonce can be added to the ciphertext as a binary string.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Default AES-256-CBC Encrypter</span> <span class="nv">$encrypter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Illuminate\Encryption\Encrypter</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="s1">'aes-256-cbc'</span><span class="p">);</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nv">$encrypter</span><span class="o">-&gt;</span><span class="nf">encrypt</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="s1">'10296ab5-88b8-4dff-b7cf-2840b879e6dc'</span> <span class="p">]);</span> <span class="c1">// 312 characters</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Custom XChaCha20-Poly1305 Encrypter</span> <span class="nv">$encrypter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Blu3blaze\Encrypter\Encrypter</span><span class="p">(</span><span class="nv">$key</span><span class="p">);</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nv">$encrypter</span><span class="o">-&gt;</span><span class="nf">encrypt</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="s1">'10296ab5-88b8-4dff-b7cf-2840b879e6dc'</span> <span class="p">]);</span> <span class="c1">// 139 characters</span> </code></pre> </div> <h2> Base64 in URL issue </h2> <p>The embedded library uses the original Base64 variant. Because of this, using a token as part of the URL or as one of GET parameters requires additional transformation from Base64 to Base64URLSafe.<br> Encoding ciphertext immediately in Base64URLSafe has no disadvantages and allows secure token transfer in any environment.</p> <h2> Getting Started </h2> <p>1) Install package via composer<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require blu3blaze/laravel-xchacha20-encrypter </code></pre> </div> <p>2) Modify service providers list in bootstrap/providers.php<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">return</span> <span class="p">[</span> <span class="c1">// All other application providers, such as AppServiceProvider</span> <span class="nc">\Blu3blaze\Encrypter\EncrypterServiceProvider</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="p">];</span> </code></pre> </div> <p>3) Enjoy Crypt facade with XChaCha20-Poly1305 algorithm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\Crypt</span><span class="p">;</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encrypt</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="s1">'73d430f0-d39e-4642-a37e-9ef791b90d11'</span> <span class="p">]);</span> <span class="cm">/* TAl1Sz4DTspE8ZzTOC6Q.....Ug5t4XcWqoiB6CWRak9Y */</span> <span class="nv">$tokenData</span> <span class="o">=</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">decrypt</span><span class="p">(</span><span class="nv">$token</span><span class="p">);</span> <span class="cm">/* ['user_id' =&gt; '73d430f0-d39e-4642-a37e-9ef791b90d11'] */</span> </code></pre> </div> <h2> Conclusion </h2> <p>By adopting <a href="https://github.com/blu3blaze/laravel-xchacha20-encrypter" rel="noopener noreferrer">blu3code/laravel-xchacha20-encrypter</a> package, you can leverage the benefits of modern encryption algorithm and unlock significant performance improvements in your Laravel applications. This translates to faster response times, reduced server load, and a more secure environment for your users’ data. Give it a try and see the difference for yourself!</p> webdev php laravel security