Can anyone shed any light on the algorithm used for Phoenix.Token.encrypt/decrypt?

pauly · July 24, 2024, 10:58pm

Hi, we’re looking to create the output from Phoenix.Token.encrypt and .decrypt in another language for testing purposes. My guess it’s a combination of HEX(HMAC()) and concatenation with . of some of the context/key/salt.

Not sure if anyone can help out with whats going on under the hood beyond the docs Phoenix.Token — Phoenix v1.7.14?

al2o3cr · July 24, 2024, 11:13pm

Phoenix.Token mostly delegates the work to Plug.Crypto.

For instance, Phoenix.Token.encrypt leads here:

github.com

elixir-plug/plug_crypto/blob/8217d4da89ce288b69533970dc4f48606a9a6fcd/lib/plug/crypto.ex#L204-L216


      
          def encrypt(key_base, secret, data, opts \\ [])
              when is_binary(key_base) and is_binary(secret) do
            data
            |> encode(opts)
            |> MessageEncryptor.encrypt(get_secret(key_base, secret, opts), "")
          end
          
          defp encode(data, opts) do
            signed_at_seconds = Keyword.get(opts, :signed_at)
            signed_at_ms = if signed_at_seconds, do: trunc(signed_at_seconds * 1000), else: now_ms()
            max_age_in_seconds = Keyword.get(opts, :max_age, 86400)
            :erlang.term_to_binary({data, signed_at_ms, max_age_in_seconds})
          end

and then to MessageEncryptor:

github.com

elixir-plug/plug_crypto/blob/8217d4da89ce288b69533970dc4f48606a9a6fcd/lib/plug/crypto/message_encryptor.ex#L36-L46


      
          def encrypt(message, aad \\ "A128GCM", secret, sign_secret)
              when is_binary(message) and (is_binary(aad) or is_list(aad)) and
                     bit_size(secret) == 256 and
                     is_binary(sign_secret) do
            iv = :crypto.strong_rand_bytes(24)
            {subkey, nonce} = xchacha20_subkey_and_nonce(secret, iv)
            {cipher_text, cipher_tag} = block_encrypt(:chacha20_poly1305, subkey, nonce, {aad, message})
            "XCP." <> Base.url_encode64(iv <> cipher_tag <> cipher_text, padding: false)
          rescue
            e -> reraise e, Plug.Crypto.prune_args_from_stacktrace(__STACKTRACE__)
          end

Also note that encode in Plug.Crypto uses :erlang.term_to_binary, so you’ll need an implementation of External Term Format as well as all the ChaCha20 juggling.

pauly · July 25, 2024, 6:06pm

thank you @al2o3cr for the detailed reply and pointing out the ETF and ChaCha20. It’s interesting taking a peek under the hood - thanks for sharing

For us, I think we’ll be moving to something more standard given we have that option at this point