Beyond AES — Modern Encryption for Laravel with XChaCha20

blu3blaze

blu3blaze

Posted on October 8, 2024

Beyond AES — Modern Encryption for Laravel with XChaCha20

In today’s digital landscape data encryption is an important part of every web application. This article explores why I developed a package, that leverages the power of Libsodium’s XChaCha20-Poly1305 encryption, and how it can supercharge your Laravel application’s security while minimizing overhead.

Motivation and requirements

Laravel’s framework Crypt Facade provides a convenient interface for the encryption and decryption of sensitive data, such as stateless authentication tokens or inter-service communication frames.

The default framework’s encryption implementation, based on AES-256-CBC via OpenSSL, is a generally secure solid foundation, but there’s always room for improvement, especially when performance and usability are critical.

Modern Algorithm and Cipher

While AES-256-CBC via OpenSSL is still considered secure, is becoming dated. Furthermore, its reliance on OpenSSL can introduce potential vulnerabilities depending on the specific version and configuration.

As of PHP 7.2, the Sodium extension is bundled with PHP Core. Libsodium prioritizes modern, well-vetted cryptographic primitives like XChaCha20-Poly1305 and Ed25519. While AES can be swift with hardware acceleration, XChaCha20-Poly1305, as software implementation, outperforms it without special hardware instructions.

// Default AES-256-CBC Encrypter
$encrypter = new Illuminate\Encryption\Encrypter($key, 'aes-256-cbc');

$start = microtime(true);
$results = [];

for ($i = 0; $i < 1_000_000; $i++) {
  $results[] = $encrypter->encrypt(['user_id' => $i]);
}

$elapsed = microtime(true) - $start;
// 4.08 seconds
Enter fullscreen mode Exit fullscreen mode
// Custom XChaCha20-Poly1305 Encrypter
$encrypter = new Blu3blaze\Encrypter\Encrypter($key);

$start = microtime(true);
$results = [];

for ($i = 0; $i < 1_000_000; $i++) {
  $results[] = $encrypter->encrypt(['user_id' => $i]);
}

$elapsed = microtime(true) - $start;
// 1.79 seconds
Enter fullscreen mode Exit fullscreen mode

Significant optimization of token length

Built-in encryption encodes ciphertext, initialization vector, and tag value as Base64 representation of JSON object, which significantly increases the length of the token.
Switching to XChaCha20 algorithm eliminates the need to encode JSON, nonce can be added to the ciphertext as a binary string.

// Default AES-256-CBC Encrypter
$encrypter = new Illuminate\Encryption\Encrypter($key, 'aes-256-cbc');

$token = $encrypter->encrypt([
   'user_id' => '10296ab5-88b8-4dff-b7cf-2840b879e6dc'
]);
// 312 characters
Enter fullscreen mode Exit fullscreen mode
// Custom XChaCha20-Poly1305 Encrypter
$encrypter = new Blu3blaze\Encrypter\Encrypter($key);

$token = $encrypter->encrypt([
   'user_id' => '10296ab5-88b8-4dff-b7cf-2840b879e6dc'
]);
// 139 characters
Enter fullscreen mode Exit fullscreen mode

Base64 in URL issue

The embedded library uses the original Base64 variant. Because of this, using a token as part of the URL or as one of GET parameters requires additional transformation from Base64 to Base64URLSafe.
Encoding ciphertext immediately in Base64URLSafe has no disadvantages and allows secure token transfer in any environment.

Getting Started

1) Install package via composer

composer require blu3blaze/laravel-xchacha20-encrypter
Enter fullscreen mode Exit fullscreen mode

2) Modify service providers list in bootstrap/providers.php

<?php

return [
  // All other application providers, such as AppServiceProvider
  \Blu3blaze\Encrypter\EncrypterServiceProvider::class,
];
Enter fullscreen mode Exit fullscreen mode

3) Enjoy Crypt facade with XChaCha20-Poly1305 algorithm

use Illuminate\Support\Facades\Crypt;

$token = Crypt::encrypt([
  'user_id' => '73d430f0-d39e-4642-a37e-9ef791b90d11'
]);

/* TAl1Sz4DTspE8ZzTOC6Q.....Ug5t4XcWqoiB6CWRak9Y */

$tokenData = Crypt::decrypt($token);

/* ['user_id' => '73d430f0-d39e-4642-a37e-9ef791b90d11'] */
Enter fullscreen mode Exit fullscreen mode

Conclusion

By adopting blu3code/laravel-xchacha20-encrypter package, you can leverage the benefits of modern encryption algorithm and unlock significant performance improvements in your Laravel applications. This translates to faster response times, reduced server load, and a more secure environment for your users’ data. Give it a try and see the difference for yourself!

💖 💪 🙅 🚩
blu3blaze
blu3blaze

Posted on October 8, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related