Migrate from rust-openssl to *ring* for 'secure' functionality.

[frewsxcv]

This also changes the encrypted' strategy from AES 256 CBC with an HMAC to AEAD ChaCha20 Poly1305.

#50

[breaking-change]

[frewsxcv]

cc @SergioBenitez

[Philipp91]

nit: If you eliminate dosign(), you can replace the second of its only two usages with verify() instead of another sign()
https://briansmith.org/rustdoc/ring/hmac/fn.verify.html

[frewsxcv]

Great idea! Implemented in cae8d23

[Philipp91]

I think ring could benefit from a helper function that handles lines 443-464 in a single call.

[frewsxcv]

For reference, here are the lines @Philipp91 mentioned.

cc @briansmith in case you find this helpful.

[SergioBenitez]

This generate_keys call does two 10k PBKDF2 each time a cookie jar is created. A cookie jar is typically created once per request based on the incoming headers. As such, this is an unacceptable performance regression.

Why do we need to generate keys in this manner? The typical way to do this is to use SHA256/512 to pad the randomness coming in, or demand randomness of a certain length so that it suffices for use as the key. For instance, you could require 512 bits as an input.

[briansmith]

If secret is a random value already then HKDF (ring::hkdf) should be used to derive the two keys if you insist on still using HMAC for the authentication-only case.

If secret is a password then something like PBKDF2 needs to be used to stretch the key material once. Then use HKDF to derive the two keys.

[frewsxcv]

Regarding the expensive operation, @sfackler had a suggestion to design a struct Secret and have it be constructed once where it does the PBKDF2 during construction. Then that structure can be passed into CookieJar whenever secrets are needed.

[briansmith]

To be honest, PBKDF2 doesn't make much sense in this application. PBKDF2 is for converting a password into a key. But nobody should be using a password for this stuff. instead, they should be randomly generating a key.

Once you have one key, you can derive multiple keys from it using a KDF such as ring::hkdf. This is much faster than PBKDF2 but still not so fast that you want to do it more than necessary. Thus, it is good to create an object for holding the outputs of HKDF.

However, if you go with my suggestion to just use a nonce-misuse-resistant AEAD for both encrypt-and-authenticate and for authenticate-only, then you only need one key, and you can skip using a KDF completely, if you are given a key.

And, again, don't support the mode where one is given a password instead of a key, if you can avoid it.

[SergioBenitez]

Why do we need two keys of different lengths?

[frewsxcv]

The key size for AEAD ChaCha20 Poly1305 is 256 bits. The key size for HMAC SHA1 is 512 bits.

[SergioBenitez]

Sure, but why not have a 512-bit key and truncate to 256-bits for ChaCha? We're not gaining anything by having two keys here, as far as I can tell; they're both derived from one key.

[frewsxcv]

I wasn't sure if truncating a 512-bit KDF-derived key would be secure, but people online are telling me it's fine. I'll do that then.

[SergioBenitez]

It looks like this line and the following few could be chained into something like .ok().map().

[frewsxcv]

It's possible I could do that, but I think the way I wrote it is easier to follow.

[SergioBenitez]

I disagree, especially because .ok().map() is very idiomatic.

[frewsxcv]

Can you share a concrete example of what you're proposing?

[SergioBenitez]

hmac::verify(&verification_key, text.as_bytes(), &signature).ok()
    .map(move |_| {
        cookie.value = text.to_owned();
        cookie
    });

The following also works:

if let Ok(_) = hmac::verify(&verification_key, text.as_bytes(), &signature) {
    cookie.value = text.to_owned();
    Some(cookie)
} else {
    None
} 

or even:

match hmac::verify(&verification_key, text.as_bytes(), &signature) {
    Ok(_) => {
        cookie.value = text.to_owned();
        Some(cookie)
    }
    Err(_) => None
} 

[frewsxcv]

None of those look marginally better to me, but I'll do it anyways.

[SergioBenitez]

Why is this clone and not copy?

[frewsxcv]

Accident. Fixed in e60534d.

[alexcrichton]

Could the crypto stay the same? This is all modeled after Rails is which quite tried and true and I'd prefer to stick to that if possible.

[dreid]

@alexcrichton Are you actually concerned about compatibility with existing encrypted cookies? Or do you just want a more familiar set of algorithms?

[sfackler]

@alexcrichton I believe the main motivation here is the switch from OpenSSL to ring, which is a less painful dependency to deal with particularly on Windows.

However, ring doesn't support AES-CBC, but only AES-GCM and ChaCha20-Poly1305, so we'd need to switch to one of those. One nice property of both of these is that they're AEAD ciphers, meaning that they self-authenticate so we don't have to separately HMAC. They're both well regarded, and are actually the preferred ciphers in Mozilla's Server Side TLS recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS.

@frewsxcv I think AES-256-GCM will be faster than ChaCha20 on hardware with AES-NI. I wonder if it'd make more sense to use that since ~all server hardware will support those?

[briansmith]

Note that I didn't look at this very carefully. My main advice is to wait until we have nonce-misuse-resistant encryption in ring before doing this.

In particular, I recommend using AES-GCM-SIV instead of either ChaCha20-Poly1305 and HMAC, once it's available.

[briansmith]

It would be better to return (aead::SIVSealingKey, hmac::SigningKey). Then you could use aead::seal_in_place()/hmac::sign() and open_in_place_with_own_key()/verify_with_own_key() for the verification.

[briansmith]

1. ChaCha20-Poly1305 isn't an encryption algorithm, it is an AEAD algorithm. In particular, it does encryption AND authentication.

2. ChaCha20-Poly1305 isn't the best choice for this application because 96-bit random nonces aren't a good choice. It would be better to use the upcoming SIV mode AEADs in ring or XChaCha20 (if we decide to add that). The SIV stuff isn't open source in ring yet, but AES-GCM-SIV probably will become open source "soon."

[briansmith]

1. SHA-1 Isn't a signing/authentication algorithm. HMAC-SHA1 is.

2. It is not necessary to use HMAC for the authentication-without-encryption case. You can use the AEAD for authentication without encryption by passing [] as the plaintext/ciphertext and passing the data to be signed/authenticated in the ad parameter. For ChaCha20-Poly1305, this would result in authentication using Poly1305, for example.

[briansmith]

It took me a bit to realize that "design" means "de-sign." The English word for what this does is "authenticate." Also, "open" == "authenticate and decrypt" and "seal" == "encrypt and sign."

[briansmith]

You could use ENCRYPTION_ALGORITHM.key_len() for this.

[briansmith]

If secret is a random value already then HKDF (ring::hkdf) should be used to derive the two keys if you insist on still using HMAC for the authentication-only case.

If secret is a password then something like PBKDF2 needs to be used to stretch the key material once. Then use HKDF to derive the two keys.

[alexcrichton]

@dreid oh nah I'm not worried about backcompat here, just the crypto!

@sfackler yeah I'm all for moving to ring as the OpenSSL dependency is a bummer.

My main concern here is that I'm not a cryptographer by any means and I'm hesitant to change from the "accepted practice" of what Rails does which presumably has been tried, true, and vetted for quite awhile. That being said, though, the crypto here is relatively simple IIRC and I'd be open to changing of course!

Thanks for the review help @sfackler and @briansmith!

[mjc-gh]

Hello, I just wanted to pipe in let everyone here know that I wrote a crate called message_verifier which providers two main structs, Verifier and Encryptor, which aim to be compatible with ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor.

My next step was to build a small crate for parsing Rails' session cookies. I plan on writing some blog posts about building Rust micro web services that work with Rails applications. Perhaps message_verifier can be integrated with this crate to provide both signed and/or encrypted cookies? By default, Rails' session cookies are both signed and encrypted.

EDIT: Here is a link to the message_verifier repo: https://github.com/mikeycgto/message_verifier

[frewsxcv]

Thank you everyone for your feedback ❤️

I'm a bit busy for a few days, but I'll try to get around to addressing all the comments this weekend

[briansmith]

My main advice is to wait until we have nonce-misuse-resistant encryption in ring before doing this.

See in particular briansmith/ring#411, briansmith/ring#412, and briansmith/ring#413.

[alexcrichton]

Thanks @briansmith!

[frewsxcv]

My main advice is to wait until we have nonce-misuse-resistant encryption in ring before doing this.

See in particular briansmith/ring#411, briansmith/ring#412, and briansmith/ring#413.

I'm still interested in seeing the ring migration happen, but considering these comments and my lack of free time right now, I'm not planning on making any changes to this PR for the foreseeable future.