Encrypt data with secret key

[va-an]

Implements encryption and decryption functions for arbitrary textual data, as discussed in #477.

• Added functions encrypt and decrypt to SecretKey.
• AAD is not used since we don't have metadata like cookie names.
• Functions for encryption/decryption are based on implementations from cookie-rs.
• Added example with suggested usage.

[the10thWiz]

@SergioBenitez can weigh in, but I think this is pretty close to being ready for merge. There are a few specific points in the API I noted.

[the10thWiz]

I'm almost ready to approve these changes. @SergioBenitez should take a look, I think the implementation is solid.

[SergioBenitez]

This stores the key on the stack, which shouldn't be necessary. Furthermore, it reuses the encryption() key for a different operation, which we shouldn't do. Instead we should use a KDF (say HKDF) to generate a new key for this purpose using a unique info string.

[va-an]

I have added encryption key generation using HKDF, so the original key is no longer stored on the stack.
I'm not sure I understand about enсryption() - do we need to use a different method to obtain the secret key for KDF?

[SergioBenitez]

I think we likely want to use a more a nonce-resistant algorithm here, either AES-GCM-SIV or XChaCha20Poly1305.

[va-an]

Great point! Should we do the same for cookie-rs?

[va-an]

I am going to use XChaCha20Poly1305 because the crate chacha20poly1305 has received a security audit, and the crate aes_gcm_siv has not been audited yet.

[SergioBenitez]

That sounds good. cookie-rs has slightly different requirements. It may be worthwhile to change our algorithm there too, at least to aes-gcm-siv but the trade-off is different there. It's something I'm considering, but it's orthogonal to this PR.

[SergioBenitez]

Note that you can use the generate_nonce() method to generate a properly sized nonce.

[va-an]

Done!

[SergioBenitez]

A return type of Vec<u8> is not particularly useful. It would be nice to return something that encapsulates the Vec<u8> with convenient methods, like blake3::Hash. For example, something lIke:

struct Cipher(Vec<u8>);

impl Cipher {
    fn from_bytes(&[u8]) -> Result<Self>;
    fn from_vec(Vec<u8>) -> Result<Self>;
    fn from_hex(&str) -> Result<Self>;
    fn from_base64(&str) -> Result<Self>;

    fn as_bytes(&self) -> &[u8];
    fn into_vec(self) -> Vec<u8>;
    fn to_hex(&self) -> String;
    fn to_base64(&self) -> String;
}

[SergioBenitez]

It would be nice to provide a variant that allows the caller to provide associated data.

[va-an]

We can implement it in different ways.

• change the current method by adding an optional argument for AAD:

pub fn encrypt<T: AsRef<[u8]>, A: AsRef<[u8]>>(
    &self,
    value: T,
    aad: Option<A>
) -> Result<Cipher, Error> {

• or add separate method with additional argument (and accordingly a similar method
  for decrypt):

pub fn encrypt_with_aad<T: AsRef<[u8]>, A: AsRef<[u8]>>(
    &self,
    value: T,
    aad: A
) -> Result<Cipher, Error> {

I prefer the second way. Despite requiring more code, it might be clearer for the user.
Which one do you like more?

[SergioBenitez]

This would then take a Cipher, which is pre-validated.

[SergioBenitez]

I don't think we need this anymore. There's NonceSize.

[SergioBenitez]

Same with this. We should be able to get it from the Key and ConstArrayLen.

[SergioBenitez]

That sounds good. cookie-rs has slightly different requirements. It may be worthwhile to change our algorithm there too, at least to aes-gcm-siv but the trade-off is different there. It's something I'm considering, but it's orthogonal to this PR.

[va-an]

Rebased on master.

[the10thWiz]

There has been an issue with CI on Windows, so you will need to merge the latest commit from master before CI will pass.

[va-an]

There has been an issue with CI on Windows, so you will need to merge the latest commit from master before CI will pass.

Understood, I will do it after I finish making changes based on the comments.
Thanks!

[the10thWiz]

I think is getting closer to a complete PR, but there are still a number of changes that need to be made.

[the10thWiz]

All of these should probably be feature-gated behind the secrets feature.

[the10thWiz]

This should not need to be checked here. Rather, it should be checked when Cipher is constructed.

[the10thWiz]

All of these methods should validate that the length is longer than the Nonce, and that the length (minus the Nonce) is a multiple of the block size. Ideally, the only error that should be caught when decrypting the value is that the value was not created by encrypting with the same secret key.

[the10thWiz]

Many of these doc-tests fail. Use cargo test --doc to run them locally.

[the10thWiz]

To make Cipher more useful, it could implement FromForm, FromParam, FromSegment, and FromData. They should either check the format (which may not be possible, since hex could be re-interpreted as base-64), or always use one specific encoding (and provide a method like encode that encodes it using the same encoding).

[the10thWiz]

Similarly, we could implement Serialize and Deserialize if the serde feature is enabled.

[va-an]

@the10thWiz Thanks for the thorough review!
I merged the changes from master that you mentioned and moved the dependencies to the "secrets" feature.
I will address the remaining comments a bit later.

[SergioBenitez]

@va-an Checking in. Any update?