Code improvement and security, from good to great!

After the last big update, we decided to go into maintenance mode and do some code cleanup and rework. A minor change for you, but a big update for us.

First of all, we have rewritten our Session Management. It’s really interesting that "Session Encryption" does not follow a "standard", and that PHP has no session option that encrypts in memory...

So we started to work on our own. But which encryption mechanism, and which PHP module?

Some sites helped us with interesting benchmarks between the Mcrypt module and the OpenSSL module. The websites of Lubos Dzurik and Jeff Minard were a good start.

Here are some sample benchmarks gathered from Lubos Dzurik.

Mcrypt vs. openSSL - Short string 1-4 bytes (multiply factor 1) in secs:

| Test | 1000 loops | 5000 loops |
|---|---|---|
| TEST 1 - MCRYPT - encrypt only | 0,268s | 1,296s |
| TEST 2 - MCRYPT - encrypt + decrypt | 0,511s | 2,540s |
| TEST 3 - AES 256 - encrypt only | 0,006s | 0,029s |
| TEST 4 - AES 256 - encrypt + decrypt | 0,013s | 0,059s |

Mcrypt vs. openSSL - Longer string 1-4 kB (multiply factor 1000) in secs:

| Test | 1000 loops | 5000 loops |
|---|---|---|
| TEST 1 - MCRYPT - encrypt only | 0,504s | 2,883s |
| TEST 2 - MCRYPT - encrypt + decrypt | 1,004s | 5,785s |
| TEST 3 - AES 256 - encrypt only | 0,033s | 0,207s |
| TEST 4 - AES 256 - encrypt + decrypt | 0,086s | 0,547s |

As you can see, in short, OpenSSL is significantly better and faster than the Mcrypt module with a 256-bit key.

So now we encrypt user sessions and some key-value pairs in the cache. It’s fast, secure, and reliable. We could do better, but we think it’s enough at this time.
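One way to encrypt session data with the OpenSSL module as described above, shown as an added example that is not the Security-Database team's own code. It assumes PHP 8 with the OpenSSL extension, uses AES-256-GCM (a mode chosen here; the post does not name one), and reads the key from a hypothetical `SESSION_KEY_B64` environment variable.

```php
<?php
declare(strict_types=1);

// Added example (not Security-Database code): encrypts session payloads with
// AES-256-GCM via the OpenSSL extension before the default handler stores them.
final class EncryptedSessionHandler extends SessionHandler
{
    private const CIPHER = 'aes-256-gcm';
    private const IV_LEN = 12;   // GCM nonce size in bytes
    private const TAG_LEN = 16;  // GCM authentication tag size in bytes

    public function __construct(private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('AES-256 needs a 32-byte raw key');
        }
    }

    public function write(string $id, string $data): bool
    {
        $iv = random_bytes(self::IV_LEN);          // fresh nonce on every write
        $tag = '';
        // The session id is passed as AAD so a blob copied to another id fails.
        $ct = openssl_encrypt($data, self::CIPHER, $this->key,
            OPENSSL_RAW_DATA, $iv, $tag, $id, self::TAG_LEN);
        return $ct !== false && parent::write($id, base64_encode($iv . $tag . $ct));
    }

    public function read(string $id): string|false
    {
        $raw = base64_decode((string) parent::read($id), true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return '';                             // new or malformed session: start empty
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        $plain = openssl_decrypt($ct, self::CIPHER, $this->key,
            OPENSSL_RAW_DATA, $iv, $tag, $id);
        return $plain === false ? '' : $plain;     // tampered or wrong key: discard
    }
}

// SESSION_KEY_B64 is a hypothetical variable holding 32 random bytes, base64-encoded.
$key = base64_decode(getenv('SESSION_KEY_B64') ?: '', true) ?: '';
session_set_save_handler(new EncryptedSessionHandler($key), true);
session_start();
$_SESSION['user_id'] = 42; // constructed sample value; stored only as ciphertext
```

A payload that fails authentication (modified ciphertext, wrong key, or a blob moved to a different session id) is treated as an empty session rather than an error, so the user is simply logged out.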

We also improved our Cache management to be able to serve more information at the same time without overloading our server. Of course, we already used Cache management, but only for some specific data. We have made big improvements: everything is faster now, and data is refreshed when needed.

And lastly, we have rewritten a lot of code, and yes, some of it was old (2006) and sometimes "dirty". Some was OK, but needed a cleanup to be faster. Next step: PSR...

With all of these changes, we hope and think we can deliver better and faster content.

The Security-Database Team

