messagesodium 0.3.0 → 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +8 -4
- data/lib/messagesodium/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bb122db1e8005db897c3aa57a712ca9ab3915444
|
|
4
|
+
data.tar.gz: c997dd81ecea262cf40483f92bd48f3d088687a4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7fe3030e7e1438c131e2b67819e26802469eda4a89a69e8e570e69f722378926a793d46d7be5e7cf3c6c011e45d66f35b9c4562e3beccfe64772e86855b57ab9
|
|
7
|
+
data.tar.gz: 36c078a41aa312d2c1918b3c1a92d28b3aed97964386ac2a8785799b54a4b3639bb54784e3921e720f512db67886cb6b821d33b9dc50adb55f29d136ec8a7fa7
|
data/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Messagesodium
|
|
2
2
|
|
|
3
|
-
Project status:
|
|
3
|
+
Project status: Stable
|
|
4
4
|
|
|
5
5
|
Patches Cookiestore to use libsodium for encryption and verification.
|
|
6
6
|
[](https://travis-ci.org/technion/messagesodium)
|
|
@@ -11,6 +11,10 @@ Rails [Cookiestore](https://www.justinweiss.com/articles/how-rails-sessions-work
|
|
|
11
11
|
|
|
12
12
|
This gem brings an alternative backend to CookieStore.
|
|
13
13
|
|
|
14
|
+
## Reason
|
|
15
|
+
|
|
16
|
+
There are a series of benefits described below. None of these are highly compelling on their own, but I recommend considering the way these features add up.
|
|
17
|
+
|
|
14
18
|
# Use
|
|
15
19
|
|
|
16
20
|
Just insert this gem into your Gemfile like any other:
|
|
@@ -18,7 +22,7 @@ Just insert this gem into your Gemfile like any other:
|
|
|
18
22
|
gem 'messagesodium'
|
|
19
23
|
|
|
20
24
|
And run your usual bundle installation. Any existing sessions will be invalidated, much like if you changed your secret key.
|
|
21
|
-
You can test it is active by looking at any session cookie. The absence of the "--"
|
|
25
|
+
You can test it is active by looking at any session cookie. The absence of the "--" delimiter will confirm you are using this gem.
|
|
22
26
|
|
|
23
27
|
# Demonstration
|
|
24
28
|
|
|
@@ -52,7 +56,7 @@ Smaller cookies are a good thing. It's less data on the wire for every single pa
|
|
|
52
56
|
|
|
53
57
|
## More performant
|
|
54
58
|
|
|
55
|
-
The above benchmark shows our approach as much more performant. Some of that is just crypto, which can be hardware
|
|
59
|
+
The above benchmark shows our approach as much more performant. Some of that is just crypto, which can be hardware dependent.
|
|
56
60
|
|
|
57
61
|
But some of this is down to the message packing. Dipping into Base64 functions three separate times to open one cookie is ineffecient. When the IV is known to be of BLOCKSIZE length, choosing to cut it by using split() and a delimiter is the long way around. In the end, performance is great.
|
|
58
62
|
|
|
@@ -60,7 +64,7 @@ But some of this is down to the message packing. Dipping into Base64 functions t
|
|
|
60
64
|
|
|
61
65
|
Let's be clear about the fact that I have no known issue with the current CookieStore implementation. However, it's worth having a read of the view of [Google's Adam Langley](https://www.imperialviolet.org/2013/10/07/chacha20.html) when describing "a strong motivation to replace it" when describing CBC mode.
|
|
62
66
|
|
|
63
|
-
Indeed, the are several comments in the original Rails source code to the effect of "this dance is done in the hope we don't introduce a vulnerability".
|
|
67
|
+
Indeed, the are several comments in the original Rails source code to the effect of "this dance is done in the hope we don't introduce a vulnerability". In general, it would be argued that a thin layer of code on libsodium presents a higher quality product than a library over OpenSSL.
|
|
64
68
|
|
|
65
69
|
What you'll find in this gem is a much smaller, more easily audited codebase without any hoops to jump through.
|
|
66
70
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: messagesodium
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Technion
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-09-
|
|
11
|
+
date: 2017-09-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rbnacl-libsodium
|